2 Replies Latest reply on Oct 1, 2010 8:11 AM by EuroFlash.Technology

    SSL rules and URL Category endpoints interaction

      Hi all,

      I have this problem with SSL rules that use URL Categories as destination endpoints.

      I have configured the SSL rules following the manual (MFE8) instructions to prevent decryption for the "Finance/Banking" category, but the firewall doesn't recognise the URL Category.

       

      1. This is the SSL rule named "Except Finance" (placed in first position):

           Port: <Any>

           Source: Endpoints: <Any> User Groups <none> Zones: internal

           Destination: Endpoints: Finance/Banking (URL Category) Zones: external

           Type: Outbound

           Action: No Decryption

      2. This is the SSL decryption rule (placed in second position, after "Except Finance"):

           Port: 443

           Source: Endpoints: <Any> User Groups <none> Zones: internal

           Destination: Endpoints: <Any> Zones: external

           Type: Outbound

           Action: Decrypt/Re-encrypt

      3. The last SSL rule is the default Exempt All rule.

       

      Then I try to navigate to www.wellsfargo.com and in the log (verbosity=4) I see:

      Skipped SSL rule'<TrustedSource SSL Traffic>': query source zone internal != SSL rule's Firewall.Skipped SSL rule'Exempt Finance': dest IP addr 213.26.87.66 did not match ((('category','fi'),),).Matched SSL rule'Decript Web HTTPS'Matched acl matching rule 10

      and the firewall applies the SSL decrypt rule.

      I tried with some other sites and different URL Categories, but the result is always the same: the URL category never matches.

      I have the same problem with Domain objects in destination endpoints: they never match the domain!

      Can anyone help me?

       

      Thank you

      Giorgio
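As an added example (not part of the thread or of the MFE product), here is a small parser for the run-together verbosity=4 SSL rule trace quoted above. It splits the trace into one event per rule evaluated and pulls out the skips where the category lookup was performed against the destination IP address, which is the detail worth checking when a URL-category exemption rule is unexpectedly bypassed. The sample trace is the line from the post; the regexes assume the trace keeps that "Skipped SSL rule'…': reason." / "Matched SSL rule'…'" shape.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the verbosity=4 audit trace quoted in the post above.
SAMPLE_TRACE = (
    "Skipped SSL rule'<TrustedSource SSL Traffic>': query source zone internal "
    "!= SSL rule's Firewall.Skipped SSL rule'Exempt Finance': dest IP addr "
    "213.26.87.66 did not match ((('category','fi'),),).Matched SSL "
    "rule'Decript Web HTTPS'Matched acl matching rule 10"
)

@dataclass
class SslRuleEvent:
    action: str            # "Skipped" or "Matched"
    rule: str              # rule name exactly as written in the audit record
    reason: Optional[str]  # why the rule was skipped (None for a match)

# Assumed trace shape: "<action> SSL rule'<name>'" optionally followed by
# ": <reason>." and then the next event or the trailing "Matched acl ..." text.
_EVENT_RE = re.compile(
    r"(Skipped|Matched) SSL rule'([^']+)'"
    r"(?::\s*(.*?))?"
    r"(?=(?:Skipped|Matched) SSL rule'|Matched acl|$)",
    re.DOTALL,
)
_IP_CATEGORY_RE = re.compile(r"dest IP addr (\S+) did not match (.+)")

def parse_ssl_trace(trace: str) -> List[SslRuleEvent]:
    """Split a run-together SSL rule trace into one event per rule evaluated."""
    events = []
    for action, rule, reason in _EVENT_RE.findall(trace):
        events.append(SslRuleEvent(action, rule, reason.strip().rstrip(".") or None))
    return events

def category_skips(events: List[SslRuleEvent]) -> List[Tuple[str, str, str]]:
    """(rule, dest_ip, criteria) for rules skipped because the destination *IP*
    was not found in the rule's URL-category criteria: a sign the category
    lookup keyed on the address rather than on the requested host name."""
    found = []
    for ev in events:
        m = _IP_CATEGORY_RE.search(ev.reason) if ev.action == "Skipped" and ev.reason else None
        if m and "'category'" in m.group(2):
            found.append((ev.rule, m.group(1), m.group(2)))
    return found

def matched_rule(events: List[SslRuleEvent]) -> Optional[str]:
    """Name of the SSL rule that finally matched, or None if none did."""
    return next((ev.rule for ev in events if ev.action == "Matched"), None)
```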

        • 1. Re: SSL rules and URL Category endpoints interaction
          PhilM

          Hi Giorgio,

           

          Does the Dashboard screen show that your Firewall has downloaded the SmartFilter control list?

           

          It might sound like a silly question, but the following section of your audit record:-

           

          dest IP addr 213.26.87.66 did not match ((('category','fi'),),).

           

          - would seem to suggest that the IP address cannot be found in the Banking/Finance category, and this is why the connection is not triggering your "Except Finance" rule. If the category database has not downloaded this would be one reason why.

           

          However, performing an nslookup for www.wellsfargo.com comes back with two completely different IP addresses:-

           

          Name:    www.wellsfargo.com
          Addresses:  151.151.13.133, 151.151.88.133

          • 2. Re: SSL rules and URL Category endpoints interaction

            Hi Phil,

             

            yes, the database is correctly updated. In fact, SmartFilter on HTTP (unencrypted connections) works fine!

            I have the same problem if I specify a domain object in the endpoint destination field: the system never matches the domain!

             

            ...


            Giorgio