1. In your scenario, if you access an HTTPS site that the firewall does not have a server protection certificate for, the client protection certificate is used. If you access a server for which a server protection certificate exists, that is used to decrypt and inspect the traffic, and the certificate is not replaced by client protection. The firewall has the server certificate, so by comparing it with the SSL Server Hello it can detect which action should be taken, client protection or server protection.
2. If an application is used in an access rule, it will implicitly enable inspection, but HTTPS can only be inspected if you have a client protection CA configured in the firewall properties. So to deny Facebook-chat: configure client protection and create an access rule with Facebook-chat in the Service cell and the Discard action.
The exceptions to this are applications that can be identified based on TLS Match (common name in the server certificate) alone; those do not require SSL inspection. The Facebook sub-applications like Chat and Games are not identifiable based on TLS Match alone; the same goes, for example, for most Google services, since they like to use the same wildcard certificate for everything.
I found out that it just enables SSL Inspection for HTTPS traffic from host Win 2.10. But now I have a problem: SSL Inspection does not work with Facebook, google.com, and some sites which are signed by DigiCert, Verisign (I browse to these sites and check the certificate, and the certificate is the original site's, not the certificate on the NGFW). Other sites work perfectly.
Here's my Access rule:
Please help me! I'm stuck with this.
Thanks and Regards!
I tested with version 5.5.12 and this seems to be normal with applications. I had a client protection CA configured and a rule allowing several Google applications. The CA shown in the browser never changed from the original, but the connections matched the application rule nevertheless.
If you enabled TLS inspection for all traffic, e.g. in rule 5.16 use the "HTTPS (with decryption)" service and enable inspection in the action options, then you can expect the CA to change on all connections. With that config you should make sure to import the CA into your Windows certificate store (trusted root CAs) and the Firefox certificate store (if you use Firefox), otherwise you get warnings all the time and sites utilising HSTS don't open at all.
Facebook chat has been somewhat tricky in the past; I recommend using one of the latest NGFW versions (5.5.12, 5.7.7, 5.8.1) and the latest update package (630). If you still cannot block it, open a support ticket.
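A client-side check for what this thread is about (is the certificate the browser sees the origin server's, or one re-signed by the firewall's client protection CA?), added here as an example; it is not code from any participant or from the NGFW product. The firewall CA name, host names and certificate contents are constructed placeholders, and the live variant assumes you have exported the firewall CA as a PEM file.

```python
"""Did the NGFW client protection CA re-sign the server cert (decrypted) or
did the origin certificate pass through? Check from the client side."""
import socket
import ssl

FW_CA_CN = "NGFW Client Protection CA"  # hypothetical firewall CA name

# Constructed samples in the dict layout ssl.SSLSocket.getpeercert() returns.
PASSTHROUGH_CERT = {  # origin certificate reached the client untouched
    "subject": ((("commonName", "*.facebook.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "Constructed DigiCert Intermediate"),)),
    "subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com")),
}
INSPECTED_CERT = {  # re-signed by the firewall, so decryption happened
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", FW_CA_CN),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

def rdn_value(name, key):
    """First value of `key` in a getpeercert() RDN sequence, or None."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def san_names(cert):
    """DNS names in subjectAltName. One wildcard cert shared by many
    sub-applications is why TLS Match alone cannot tell them apart."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def classify(cert, fw_ca_cn=FW_CA_CN):
    """'inspected' if the issuer CN is the firewall CA, else 'passthrough'."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "inspected" if issuer_cn == fw_ca_cn else "passthrough"

def fetch_cert(host, fw_ca_pem, port=443, timeout=5):
    """Live variant: fetch the certificate the client really sees. The exported
    firewall CA (PEM) is added to the trust store so inspected connections still
    validate; with verification disabled getpeercert() would return {}."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(fw_ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `classify(fetch_cert("www.facebook.com", "ngfw-ca.pem"))` from a protected host: "passthrough" means the origin certificate is reaching the client, which is the behaviour described above for application-matched connections.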