Hi,
I just solved a strange problem with a proxy profile in transparent mode + HTTPS scan on ASG 7.507.
Practically, it is not possible to use two distinct source networks like:
NET_A = 10.100.20.0/26
NET_B = 10.100.20.64/26
because the https traffic will not be forwarded to the proxy.
By analyzing the NAT chain I found only these rules:
Chain AUTO_PRE (1 references)
0 0 REDIRECT tcp -- * * 10.100.20.64/26 0.0.0.0/0 tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
0 0 REDIRECT tcp -- * * 10.100.20.0/26 0.0.0.0/0 tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
0 0 RETURN tcp -- * * 10.100.20.64/26 0.0.0.0/0 tcp spts:1:65535 dpt:443 ADDRTYPE match dst-type !LOCAL
So there is a REDIRECT for the HTTP traffic but a RETURN for the HTTPS traffic, and obviously surfing secure sites doesn't work from either network.
If I define the profile with only NET_A or only NET_B, it works:
0 0 REDIRECT tcp -- * * 10.100.20.0/26 0.0.0.0/0 tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
0 0 REDIRECT tcp -- * * 10.100.20.0/26 0.0.0.0/0 tcp spts:1:65535 dpt:443 ADDRTYPE match dst-type !LOCAL redir ports 8080
The solution was to create a new network definition that aggregates the two networks:
NETAB = 10.100.20.0/25
It seems that it is possible to use only one source network at a time per profile when using transparent mode + HTTPS scan.
And if two or more networks are not contiguous?... do I need two profiles?
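Added example, not part of the original post and not Sophos/ASG code: a small audit script that parses `iptables -t nat -vnL AUTO_PRE` output and reports every source network whose port-80 traffic is REDIRECTed to the proxy while its port-443 traffic is not (a RETURN rule, or no rule at all), which is exactly the gap visible in the chain above. It also collapses a list of source networks into the fewest aligned CIDR blocks, which is the aggregation trick the post used and which answers the closing question: non-contiguous (or contiguous but unaligned) networks cannot be merged into one block, so under the post's observation that only one source network per profile works, each remaining block would need its own profile. The chain text below is constructed from the lines in the post; the assumption that the proxy listens on 8080 is only used for display.

```python
"""Audit an iptables NAT chain for transparent-proxy coverage gaps.

Added example (not from the post, not from any Sophos/ASG code).
Parses `iptables -t nat -vnL <chain>` output and flags source networks
whose HTTP is REDIRECTed to the proxy but whose HTTPS is not.
"""
import ipaddress
import re

# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(
    r"^\s*[\dKMG]+\s+[\dKMG]+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+--\s+"
    r"\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<opts>.*)$"
)
DPT_RE = re.compile(r"\bdpt:(\d+)\b")

# Constructed sample: the chain as shown in the post, with both /26
# networks in one transparent + HTTPS-scan profile (HTTPS not redirected).
SAMPLE_BROKEN = """\
Chain AUTO_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       10.100.20.64/26      0.0.0.0/0            tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
    0     0 REDIRECT   tcp  --  *      *       10.100.20.0/26       0.0.0.0/0            tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
    0     0 RETURN     tcp  --  *      *       10.100.20.64/26      0.0.0.0/0            tcp spts:1:65535 dpt:443 ADDRTYPE match dst-type !LOCAL
"""

# Constructed sample: the working chain with a single source network.
SAMPLE_OK = """\
Chain AUTO_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       10.100.20.0/26       0.0.0.0/0            tcp spts:1:65535 dpt:80 ADDRTYPE match dst-type !LOCAL redir ports 8080
    0     0 REDIRECT   tcp  --  *      *       10.100.20.0/26       0.0.0.0/0            tcp spts:1:65535 dpt:443 ADDRTYPE match dst-type !LOCAL redir ports 8080
"""


def parse_chain(text):
    """Return {(source, dport): target} for the first matching rule.

    iptables walks a chain top-down and both REDIRECT and RETURN are
    terminating, so for a given (source, dport) only the first rule counts.
    """
    seen = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("proto") != "tcp":
            continue
        d = DPT_RE.search(m.group("opts"))
        if not d:
            continue
        seen.setdefault((m.group("src"), int(d.group(1))), m.group("target"))
    return seen


def find_unproxied_https(text, http_port=80, https_port=443):
    """Sources whose HTTP is REDIRECTed but whose HTTPS is not."""
    rules = parse_chain(text)
    bad = set()
    for (src, dport), target in rules.items():
        if dport == http_port and target == "REDIRECT":
            if rules.get((src, https_port)) != "REDIRECT":
                bad.add(src)
    return sorted(bad, key=ipaddress.ip_network)


def aggregate_sources(cidrs):
    """Collapse networks into the fewest aligned CIDR blocks.

    Two adjacent, aligned /26 blocks merge into one /25; blocks that do
    not fit one aligned supernet stay separate, so the length of the
    result is the number of distinct source definitions still needed.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("HTTPS not proxied for:", find_unproxied_https(SAMPLE_BROKEN))
    print("HTTPS not proxied for:", find_unproxied_https(SAMPLE_OK))
    print(aggregate_sources(["10.100.20.0/26", "10.100.20.64/26"]))
    print(aggregate_sources(["10.100.20.0/26", "10.100.21.0/26"]))
```

Run it against `iptables -t nat -vnL AUTO_PRE` output saved to a file (or piped via `sys.stdin.read()`) after changing a profile; an empty result from `find_unproxied_https` means every source that has an HTTP redirect also has an HTTPS one. The `strict=True` network parsing deliberately rejects host-address-style input such as `10.100.20.70/26`, which would silently widen to the wrong block.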