
SSL rules and URL Category endpoints interaction

Hi all,

I have this problem with SSL rules that use URL Category as destination endpoints.

I have configured the SSL rules like the manual (MFE8) instructions to prevent decryption for the "Finance/Banking" category, but the firewall doesn't recognise the URL Category.

1. This is the SSL rule named "Except Finance" (placed in first position):

     Port: <Any>

     Source: Endpoints: <Any> User Groups <none> Zones: internal

     Destination: Endpoints: Finance/Banking (URL Category) Zones: external

     Type: Outbound

     Action: No Decryption

2. This is the SSL decryption rule (placed in second position, after "Except Finance"):

     Port: 443

     Source: Endpoints: <Any> User Groups <none> Zones: internal

     Destination: Endpoints: <Any> Zones: external

     Type: Outbound

     Action: Decrypt/Re-encrypt

3. Last SSL rule is the default Exempt all rule.

Then I try to navigate to www.wellsfargo.com and in the log (verbosity=4) I see:

Skipped SSL rule'<TrustedSource SSL Traffic>': query source zone internal != SSL rule's Firewall.Skipped SSL rule'Exempt Finance': dest IP addr 213.26.87.66 did not match ((('category','fi'),),).Matched SSL rule'Decript Web HTTPS'Matched acl matching rule 10

and the firewall applies the SSL decrypt rule.

I tried with some sites and different URL Categories, but the result is always the same: the URL category never matches.

I have the same problem with Domain objects in destination endpoints: the domain never matches!

Can anyone help me?

Thank you

Giorgio

2 Replies

PhilM

Re: SSL rules and URL Category endpoints interaction

Hi Giorgio,

Does the Dashboard screen show that your Firewall has downloaded the SmartFilter control list?

It might sound like a silly question, but the following section of your audit record:-

dest IP addr 213.26.87.66 did not match ((('category','fi'),),).

- would seem to suggest that the IP address cannot be found in the Banking/Finance category, and this is why the connection is not triggering your "Except Finance" rule. If the category database has not downloaded this would be one reason why.

However, performing an nslookup for www.wellsfargo.com, comes back with two completely different IP addresses:-

Name:    www.wellsfargo.com
Addresses:  151.151.13.133, 151.151.88.133
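As an added example (not from the original thread, and not McAfee code), here is a small Python script that parses the verbosity=4 audit record quoted above into the per-rule decisions, extracts the destination IP the category lookup was attempted on, and checks it against the addresses returned by the nslookup in the reply. It also contains a simplified first-match model of the three-rule ordering from the first post; the IP-to-category table in it is a constructed assumption, not the SmartFilter database, and the evaluation order is taken from the thread rather than from MFE documentation. It shows why the decrypt rule fires when the observed destination address is not in the Finance category.

```python
import re

# Constructed sample input: the audit record and nslookup addresses quoted
# in this thread, pasted here so the script runs offline.
AUDIT_LINE = (
    "Skipped SSL rule'<TrustedSource SSL Traffic>': query source zone internal "
    "!= SSL rule's Firewall.Skipped SSL rule'Exempt Finance': dest IP addr "
    "213.26.87.66 did not match ((('category','fi'),),).Matched SSL rule"
    "'Decript Web HTTPS'Matched acl matching rule 10"
)
RESOLVED_ADDRESSES = {"151.151.13.133", "151.151.88.133"}

# Each rule decision starts with "Skipped SSL rule'...'" or "Matched SSL rule'...'".
EVENT_SPLIT = re.compile(r"(?=(?:Skipped|Matched) SSL rule')")
EVENT_HEAD = re.compile(r"(Skipped|Matched) SSL rule'([^']+)'")
DEST_IP = re.compile(r"dest IP addr (\d{1,3}(?:\.\d{1,3}){3})")


def parse_ssl_audit(line):
    """Return [(rule_name, outcome, reason)] in the order the firewall logged them."""
    events = []
    for chunk in EVENT_SPLIT.split(line):
        m = EVENT_HEAD.match(chunk)
        if not m:
            continue  # empty leading chunk from the zero-width split
        outcome, name = m.group(1).lower(), m.group(2)
        rest = chunk[m.end():]
        # A skip reason follows ": " and ends with "."; a match has no reason,
        # and trailing text such as "Matched acl matching rule 10" is dropped.
        reason = rest[1:].strip().rstrip(".") if rest.startswith(":") else ""
        events.append((name, outcome, reason))
    return events


def matched_rule(events):
    """Name of the first rule logged as matched, or None."""
    for name, outcome, _ in events:
        if outcome == "matched":
            return name
    return None


def dest_ip_of(events):
    """Destination IP the category lookup was performed on, if any skip reason names one."""
    for _, _, reason in events:
        m = DEST_IP.search(reason)
        if m:
            return m.group(1)
    return None


def ip_matches_dns(events, resolved):
    """True if the IP in the audit record is one of the addresses DNS returned."""
    ip = dest_ip_of(events)
    return ip is not None and ip in resolved


# Simplified first-match model of the rule order in the first post.
# Format: (rule name, required category or None for <Any>, action).
RULES = [
    ("Exempt Finance", "fi", "no decrypt"),
    ("Decript Web HTTPS", None, "decrypt"),
    ("Exempt all", None, "no decrypt"),
]

# Constructed assumption: only the addresses DNS returned for the bank are
# categorised as "fi"; the address seen in the log is unknown to the table.
CATEGORY_OF_IP = {"151.151.13.133": "fi", "151.151.88.133": "fi"}


def first_match(rules, dest_ip, category_of_ip):
    """Return (rule name, action) of the first rule whose category constraint the
    destination IP satisfies; an <Any> rule (None) always matches."""
    for name, wanted, action in rules:
        if wanted is None or category_of_ip.get(dest_ip) == wanted:
            return name, action
    return None


if __name__ == "__main__":
    events = parse_ssl_audit(AUDIT_LINE)
    for name, outcome, reason in events:
        print(f"{outcome:8} {name!r} {reason}")
    print("dest IP", dest_ip_of(events), "in DNS answers:", ip_matches_dns(events, RESOLVED_ADDRESSES))
    for ip in ("213.26.87.66", "151.151.13.133"):
        print(ip, "->", first_match(RULES, ip, CATEGORY_OF_IP))
```

Running it lists the three decisions from the audit record, reports that 213.26.87.66 is not among the nslookup answers, and shows the model selecting the decrypt rule for that address but the exemption rule for one of the categorised addresses; the same parser can be pointed at other verbosity=4 records to see which rule skipped and why.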

Re: SSL rules and URL Category endpoints interaction

Hi Phil,

yes, the database is correctly updated. In effect, SmartFilter on HTTP (unencrypted connections) works fine!

I have the same problem if I specify a domain object in the endpoint destination field: the system never matches the domain!

...

Giorgio