1 Reply Latest reply on Feb 3, 2015 6:17 AM by lnurmi

    SSL Inspection Client Protection?

    totti10

      Hi all,

      I've successfully configured SSL Inspection for Client Protection. Now I want to exclude some domains from decryption. I created a new TLS match with Deny Decryption, but when I access that site, I still get the certificate that is re-created by the NGFW. I also tried using HTTPS Inspection Exceptions, but the result is the same. Does anyone have any ideas?

      By the way, how can I tell that the NGFW is really decrypting the SSL traffic in both Client Protection and Server Protection?

      Thanks and Regards!

        • 1. Re: SSL Inspection Client Protection?
          lnurmi

          Hi,

          the HTTPS Inspection Exceptions should work well to achieve this. I tested with FW 5.5 without issues: in an HTTPS service's Protocol Parameters tab, set inspection & decryption to Yes, select your own exception set, and use this service in the access rule. Note that you may need to add the full FQDNs to the exceptions for some sites; for example, when I have an exception for example.com but access www.example.com, it is decrypted. So in this case I'd also need to add an exception for www.example.com.

          > By the way, how can I tell that the NGFW is really decrypting the SSL traffic in both Client Protection and Server Protection?

          If you see in the browser that the client protection CA you selected has signed the SSL certificate, the connection is decrypted. A simple test to see whether decryption works is to enable URL logging in the HTTPS service. The HTTP request is inside the SSL tunnel, so without decryption the URL couldn't be logged by the firewall.

          BR,

          Lauri
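
A scripted version of the check described in the reply above (added example, not code from the thread or from the NGFW vendor): a TLS handshake that trusts only the exported client-protection CA succeeds exactly when the NGFW re-signed the certificate, so probing example.com and www.example.com side by side shows whether an exception covers the full FQDN. The CA file name and the CN "NGFW Client Protection CA" are placeholders; `demo_handshake` is a constructed stand-in so the audit runs offline.

```python
import socket
import ssl
from typing import Callable, Dict, Iterable, Tuple

# Placeholder (assumption): the client-protection CA certificate exported from the NGFW.
INSPECTION_CA_FILE = "ngfw-client-protection-ca.pem"

def issuer_common_name(cert: dict) -> str:
    """Issuer CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""

def handshake_with_inspection_ca(host: str, cafile: str) -> dict:
    """Handshake trusting ONLY the inspection CA: returns the peer certificate when
    the NGFW re-signed it, raises ssl.SSLCertVerificationError when the site's own
    chain came through (i.e. the decryption exception is effective)."""
    ctx = ssl.create_default_context(cafile=cafile)  # no system roots are loaded
    with socket.create_connection((host, 443), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def classify_host(host: str, cafile: str = INSPECTION_CA_FILE,
                  handshake: Callable[[str, str], dict] = handshake_with_inspection_ca) -> Tuple[str, str]:
    """(status, issuer CN): 'decrypted', 'passthrough' or 'error' (no TLS session at all)."""
    try:
        cert = handshake(host, cafile)
    except ssl.SSLCertVerificationError:
        return "passthrough", ""
    except OSError:  # ssl.SSLError is an OSError subclass: timeouts, refusals, missing CA file
        return "error", ""
    return "decrypted", issuer_common_name(cert)

def audit_exceptions(hosts: Iterable[str], cafile: str = INSPECTION_CA_FILE,
                     handshake: Callable[[str, str], dict] = handshake_with_inspection_ca) -> Dict[str, Tuple[str, str]]:
    """A host you expect to be excepted that reports 'decrypted' needs its full FQDN added."""
    return {host: classify_host(host, cafile, handshake) for host in hosts}

def demo_handshake(host: str, cafile: str) -> dict:
    """Constructed stand-in for offline runs: only www.example.com is 'decrypted'."""
    if host == "www.example.com":
        return {"issuer": ((("commonName", "NGFW Client Protection CA"),),)}
    raise ssl.SSLCertVerificationError("chain not signed by the inspection CA")

if __name__ == "__main__":
    for host, (status, cn) in audit_exceptions(["example.com", "www.example.com"],
                                               handshake=demo_handshake).items():
        print(f"{host:20} {status:12} {cn}")
```

Drop the `handshake=demo_handshake` argument to probe real hosts through the firewall; a "passthrough" result for example.com next to "decrypted" for www.example.com is the FQDN mismatch described above.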