Is it possible to decrypt client-side SSL traffic if you have SSL scanning turned on in MWG? I know that the MWG creates dynamic certs for each SSL site you visit based on the client context CA, but I don't know if the private key is the same for all of them. What we want to be able to do is take a capture of client-side traffic between the client and MWG and use the private key of the MWG's client context CA to decrypt the traffic. I know we can't decrypt the server side, since that uses the cert/key from the destination host and not from the MWG. Anyone ever try this?
For troubleshooting purposes you can create connection tracing files. When the SSL Scanner is triggered, the traffic is decrypted and re-encrypted by the web gateway. This clear text (for example, HTML code) is then written to multiple files. A unique file name identifies the connection, and "C" or "S" identifies whether it is C = Client or S = Server. To enable it, please follow the steps below:
GUI -> Configuration -> Troubleshooting -> Enable Connection Tracing (Test Client IP)
GUI -> Troubleshooting -> Connection Tracing
NOTE: Please don't forget to disable it afterwards. Connection tracings can get very big over time and fill up your disk space.
Thanks for the info, smasnizk. I've used the connection tracing a couple of times in the past, but I'm more interested in being able to decrypt client-side traffic that may have been captured a while back. Since we record all network traffic, we're able to "go back in time" and pull up old conversations in Wireshark. But I can't figure out how to decrypt the client-side traffic for the MWG, even though I have the private key for the CA that the MWG uses for the Client Context. I'm afraid I don't know enough about SSL to know if it's even possible to do what we are wanting to do.
The issue would be getting the certificate for the client traffic. The Web Gateway creates on-the-fly certificates for different destinations. It looks like this Google example:
-> This Google certificate isn't actually created by Google. This one is from the Web Gateway, and you trust it because you have the Root CA in your trusted certificate store.
When you would like to decrypt some traffic where you don't know the content or destination, the destination will always be the Web Gateway. Even if you could identify your real destination in the tcpdump CONNECT request, you would still have the trouble of not having the temporarily created certificate.
To be honest, your chance of getting this working is very low.
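As an added illustration (not code from this thread or from the Web Gateway), here is a small check a practitioner would run on an old capture before hunting for keys at all: it parses the ServerHello from the client-side TLS session and reports whether the negotiated cipher suite uses plain RSA key exchange. Only those suites can be decrypted afterwards with a certificate private key, and even then the key needed is the one behind the on-the-fly leaf certificate the gateway minted for that destination, not the client context CA key that signed it. The ServerHello bytes below are constructed inline as sample input.

```python
import struct

# Cipher suites with plain RSA key exchange: the premaster secret is encrypted to the
# leaf certificate's public key, so that leaf's private key can recover the session.
# (EC)DHE and TLS 1.3 suites use ephemeral keys and cannot be decrypted this way.
RSA_KEX_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and cipher suite."""
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip the session id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def decryptable_with_private_key(record: bytes) -> bool:
    """True only if the session used RSA key exchange (leaf private key would suffice)."""
    return parse_server_hello(record)["cipher_suite"] in RSA_KEX_SUITES


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal ServerHello record as sample input (not a real capture)."""
    body = (struct.pack("!H", version) + b"\x11" * 32   # version + fake random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")  # suite + null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(hex(suite), decryptable_with_private_key(build_server_hello(suite)))
```

On a real capture, feed the function the first handshake record sent by the gateway in the client-side session; an ECDHE or TLS 1.3 result means no stored private key will help, regardless of which certificate it belongs to.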