
Trying to understand SSL/TLS inspection exclusions

Hello,

I have been slowly making everything work with SSL/TLS inspection. Trying to get as much as possible inspected and adding exclusions for things that I have not been able to find how to fix.

But I got to an impasse with two applications, that have the same issue. I feel I have something wrong in my settings but here it goes.

1) Webex. I have a rule to just pass *.webex.com. But for some reason some of the connections are going to an IP and XG is not reverse resolving such IPs. I can reverse resolve the IPs elsewhere and I get a webex domain. (I seldom need to use webex so I have been disabling TLS inspection when I need it)

2) The reason I wrote today is because of this problem. I have a new device that is trying to contact an AWS server. Again the logs show multiple IPs so I do not know how I would be able to exclude each one of them. See the image of this capture.

The big issue is that the device is sending thousands of DNS queries per hour (about 1M in 12 hrs) trying to desperately connect to their home.

any ideas, direction would be greatly appreciated.

I am using SFVH (SFOS 18.0.3 MR-3)

Thank you



  • Hi: XG Firewall provides a default exclusion rule "Exclusions by website or category" that prevents connections to certain websites from being decrypted. The exclusion rule contains the "Local TLS exclusion list". The list is empty by default. You can add websites to this list by troubleshooting in the Control center or Log viewer.

    To edit this list, go to Web > URL groups and edit the group Local TLS exclusion list

    Reference : https://docs.sophos.com/nsg/sophos-firewall/18.0/releasenotes/en-us/nsg/sfos/releasenotes/rn_SSLTLSInspectionRules.html

    Apart from this, exception created in Web > Exceptions is applicable to both Web Proxy and DPI mode. 

    So if you have required domains/IP you may import it in custom category as well via acceptable formats or from external database to make your task easier to add that category in web exception.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/WebCategoryAdd.html

  • Thank you for your response.

    I have noticed with my problem with Webex that it does not work when it is trying to connect to an IP. For instance, let's check the entry of one of my logs:

    If I do a reverse lookup on that IP, I get:

    Just because I wanted to try, I added amazonaws.com to the local exclusion:

    Yet, I keep getting errors.

    If I add an exclude as suggested by the log, it adds an IP... there are tens of different IPs (if not more) that point to amazonaws.com...

    Same issue with webex

  • This is one of the main problems of IoT and webapp development. 

    XG will use the DNS name the app is calling and use this as an exclusion.

    We could check in the ips.log on CLI, which IP actually is called by the App and add this.

    Personally, I saw different approaches. Big companies use https://IPs:443 or https://someamazondns.com etc.

    That can become messy, if the company of your apps does not clearly document their domains. 

    Try to add those URLs as well: https://help.webex.com/en-us/m0jby2/Configure-a-List-of-Allowed-Domains-to-Access-Cisco-Webex-Teams-While-on-Your-Corporate-Network

  • Thank you LuCar,

    I thought adding webex.com would add every subdomain, is that not the case? I have an exception for webex:

    And if I try a webex connection, everything on the log that has those domains is getting passed without decryption. But then I have a bunch of IPs (no domain name, just raw IPs) that are being decrypted. If I do reverse DNS on those IPs I see they are on the webex.com domain.

    Same as with aws...

    To me it sounds like XG is not doing reverse dns lookup to figure out if a given IP is owned by the list of domains that are exempted. Is this a true statement?

    As with ips.log, I am trying to figure out the contents. Will write back once they make sense to me. Or if you have any suggestion I would appreciate.

    Meanwhile, I will try and add iot.us-west-2.amazonaws.com to the exception list and see what happens...

    Thank you

  • XG is not doing a reverse DNS. That would take too long for each request to do.

    You have only one packet timeframe to decide if you decrypt or not. It's the TLS Syn packet (first in the handshake). If we would do a reverse lookup, this will likely timeout. So we are using the current called IP or DNS.

    If the client calls something like domain.webex.com, this will hit the exclusion. 

    If the client calls something like 1.2.3.4, your exclusion will not hit. (This is bad design by the app, but some apps do this).

    If the client calls a DNS name from AWS, it depends how this is built. Because in the end, you will call AWS, but the client could call something like test1.com.
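The mechanism described in this reply, as an added illustration that is not part of the thread or of any Sophos code: the decrypt/bypass decision is made from the server_name (SNI) in the first ClientHello, so a client that connects to a raw IP sends no SNI and cannot match a domain exclusion. The ClientHello bytes are constructed here, and the exclusion semantics (listed domain plus any subdomain, `*.` prefix tolerated) are an assumption for the example.

```python
import struct

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello record (sample, not captured traffic).
    sni=None omits the server_name extension, which is what a raw-IP connection looks like."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, session id len 0
    body += b"\x00\x02\x13\x01"                       # cipher suites len 2, one suite
    body += b"\x01\x00"                               # compression methods: null only
    ext = b""
    if sni is not None:
        name = sni.encode()
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name   # name type host_name(0)
        sn_ext = struct.pack("!H", len(sn_list)) + sn_list
        ext += b"\x00\x00" + struct.pack("!H", len(sn_ext)) + sn_ext   # ext type server_name(0)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # handshake type client_hello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record header

def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9                                   # record header (5) + handshake header (4)
    p += 2 + 32                             # version + random
    p += 1 + record[p]                      # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                      # compression methods
    if p >= len(record):
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                      # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def matches_exclusion(sni, exclusions):
    """Assumed semantics: the listed domain itself or any subdomain of it matches."""
    if sni is None:
        return False                        # raw-IP connection: nothing to compare against
    host = sni.lower().rstrip(".")
    domains = (e.lower().lstrip("*.") for e in exclusions)
    return any(host == d or host.endswith("." + d) for d in domains)

def should_decrypt(record, exclusions):
    """The per-ClientHello decision: decrypt unless the SNI hits the exclusion list."""
    return not matches_exclusion(extract_sni(record), exclusions)
```

A flow to a Webex host name is bypassed, while the same service reached by bare IP is decrypted because there is no SNI to match.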

  • That makes sense...

    I think both webex in this specific case and this other appliance calling aws are doing so by IP address.

    And as far as I see, my option is to add every IP to the list, or do an exclusion from source IP. For the appliance calling AWS that should be easy to do as it is a static IP and I trust the appliance (It is a security device that only runs that application)

    But as for Webex I am at odds... we have another call today. I am implementing the article you sent me and I will check if it works with it.

    I guess SNI is what should have the domain name instead of the IP to hit:

    I will file a ticket to the company's appliance...

    Thank you for all your assistance.