3 Replies Latest reply on Feb 3, 2011 5:55 AM by PhilM

    Firewall 8 - SSL Rules are driving me nuts!

    PhilM

      I'm trying to set up a version 8 firewall for a demo and most things are working as planned, but the seemingly contrary behaviour of a test SSL interception rule is driving me nuts!

       

      Initially, because I only wanted to perform very selective SSL decryption, I tried to lock the rule down to certain destination hostnames. However when this was getting me nowhere, I decided to be more general about the SSL rule - deciding that I could simply switch it on and off as and when required.

       

      So the SSL Rule has been configured as "Outbound" with the "Decrypt/re-encrypt" action. Source zone=internal, destination zone=external. The notification message has been enabled.

       

      In the Access Rules section I have created a rule for general web browsing (HTTP & HTTPS/SSL) protocols and have applied the "Anti-Virus Scanning" application defense property to it.

       

      I've been able to prove the SSL decryption is working, by visiting an HTTPS site. I am first greeted with the certificate warning (a good indication because it is likely to be because of the self-signed nature of the Firewall's certificate, versus the site in its native form) and when I acknowledge the certificate warning, I am then presented with the Firewall notification message that SSL traffic is being intercepted. Acknowledge this, and the web site then appears.

       

      So for my test:-

       

      Going to www.eicar.org, I select the link for the test virus files and if I select any of the standard HTTP-based links, the Firewall blocks the connection and I can see in the audit evidence of a virus event being behind the block. All good so far, and this has also proved the AV scanning is doing its job.

       

      However, try as I might, the HTTPS examples are slipping through the net. Click on the HTTPS variant of the "eicar.com" test file and the certificate warning page appears, giving all the indications that the SSL rule is doing its job. Acknowledging that I wish to proceed, rather than finding myself staring at an "Access Denied" message (as I would expect as the AV engine should now be able to see the content), I am suddenly presented with a download prompt - at which point the desktop AV client kicks in.

       

      If the browser is presenting evidence to suggest that the SSL rule has been applied, why on earth is it then not going on to decrypt the content sufficiently to allow the AV scanner to do its job?

       

       

      Phil.