I will first preface my answer with some knowledge.
There are three main cycles that the Web Gateway deals with: Request, Responses, and Embedded.
Within the Request cycle (when using SSL scanning), there are 3 pseudo "sub" cycles: CONNECT, CERTVERIFY, and within the Tunnel.
According to the default rules, SSL scanning gets applied in the sub cycles.
- Certificate Verification is enabled in the CONNECT phase.
- Content Inspection is enabled in the CERTVERIFY phase (so if you bypass Certificate Verification, Content inspection will NOT take place).
Now I will try to answer your scenario:
The rule "Tunnel Hosts" is set to Stop Cycle as it is intended to be a request that is allowed. Thus it bypasses all subsequent rules. For all intents and purposes you could change the action to Stop Rule Set, and this would only make it tunneled, rather than guaranteed to be allowed. Otherwise it could be blocked by URL filtering, for example.
Regarding "Bypass Content Inspection", your assumption is incorrect: AV scanning cannot be performed on an SSL connection that does not have Content Inspection applied. But in this case, URL filtering can still be applied.
Hope this helps,
Thx for your reply Jon
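The rule flow described in the answer above can be sketched as a small model. This is an added example, not part of the original thread and not Web Gateway's own rule engine; the function name, parameters, host names and categories are all assumptions made for illustration.

```python
# Simplified model of the flow in the answer: SSL scanner rule set first,
# then later rule sets (URL filtering, AV). All names here are hypothetical.

def handle_connect(host, category, *, tunnel_hosts=frozenset(),
                   tunnel_action="stop_cycle", skip_cert_verify=frozenset(),
                   skip_inspection=frozenset(), blocked_categories=frozenset()):
    """Return which checks ran for one HTTPS request and the final verdict."""
    r = dict(tunneled=False, cert_verified=False, content_inspected=False,
             url_filtered=False, av_scanned=False, verdict="allow")

    # --- SSL scanner rule set ---
    if host in tunnel_hosts:
        r["tunneled"] = True
        if tunnel_action == "stop_cycle":
            return r  # Stop Cycle: request allowed, no later rule is evaluated
        # "stop_rule_set": only this rule set is left; later rule sets still run
    elif host not in skip_cert_verify:
        # CONNECT sub-cycle enables certificate verification
        r["cert_verified"] = True
        # CERTVERIFY sub-cycle enables content inspection, so it is only
        # reachable when certificate verification was enabled
        if host not in skip_inspection:
            r["content_inspected"] = True

    # --- later rule sets ---
    r["url_filtered"] = True  # URL filtering does not need decrypted content
    if category in blocked_categories:
        r["verdict"] = "block"
        return r
    r["av_scanned"] = r["content_inspected"]  # AV needs Content Inspection
    return r


if __name__ == "__main__":
    # Constructed sample requests
    common = dict(tunnel_hosts={"bank.example.test"},
                  skip_inspection={"health.example.test"},
                  blocked_categories={"gambling"})
    for host, cat, action in [
        ("bank.example.test", "gambling", "stop_cycle"),
        ("bank.example.test", "gambling", "stop_rule_set"),
        ("health.example.test", "medical", "stop_cycle"),
        ("news.example.test", "news", "stop_cycle"),
    ]:
        print(host, action, handle_connect(host, cat, tunnel_action=action, **common))
```
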