4 Replies Latest reply on Feb 25, 2015 4:35 AM by lnurmi

    Client vs Server Protection in SSL Inspection?

    totti10

      Hi all,

      I have 2 questions related to SSL Inspection:

           1. I enable both Client Protection and Server Protection for SSL Inspection, then create an access rule with source and destination "any" and Service "HTTPS (with decryption)". So what will be used if I access my own server and an outside server using HTTPS, I mean which will be used for SSL Inspection in this scenario: Client Protection or Server Protection, because the access rule matches both Client and Server Protection?

           2. I want to deny Facebook-chat, and this service requires SSL Inspection. So what access rule should be used? Or do I just create an access rule that permits Facebook with Deep Packet Inspection to enable SSL Inspection and another rule that denies Facebook-chat?

      Thanks and Regards!

        • 1. Re: Client vs Server Protection in SSL Inspection?
          lnurmi

          Hi,

          1. In your scenario, if you access an HTTPS site that the firewall does not have a server protection certificate for, the client protection certificate is used. If you access a server for which a server protection certificate exists, that is used to decrypt and inspect the traffic, and the certificate is not replaced by client protection. The firewall has the server certificate, so by comparing it with the SSL Server Hello it can detect which action should be taken, client protection or server protection.

          2. If an application is used in an access rule it will implicitly enable inspection, but HTTPS can only be inspected if you have a client protection CA configured in firewall properties. So to deny Facebook-chat: configure client protection and create an access rule with Facebook-chat in the Service cell and the Discard action.

          The exceptions to this are applications that can be identified based on TLS Match (common name in the server certificate) alone; those do not require SSL inspection. The Facebook sub-applications like Chat and Games are not identifiable based on TLS Match alone, and the same goes for example for most Google services, since they like to use the same wildcard certificate for everything.

          BR,

          Lauri
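
The precedence Lauri describes in reply 1 (a stored server certificate matching the Server Hello selects Server Protection; otherwise a rule that needs plaintext is served by re-signing with the Client Protection CA, and applications identifiable by TLS Match alone need no decryption), as an added example that is not part of the original thread and is not the NGFW vendor's code. It is a small Python model of that decision: the FirewallConfig and AccessRule classes, the SHA-256 fingerprint comparison, the CN patterns, the application names and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
# Added example, not from the thread or the NGFW vendor: a model of the
# client-vs-server protection decision.  All names and data are constructed.
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FirewallConfig:
    # SHA-256 hex fingerprints of server certificates uploaded for Server Protection
    server_protection_fingerprints: set = field(default_factory=set)
    # True when a Client Protection CA is configured in firewall properties
    client_protection_ca: bool = False
    # Applications identifiable from the certificate CN alone (TLS Match):
    # CN pattern -> application name
    tls_match_apps: dict = field(default_factory=dict)
    # Applications that can only be identified from the decrypted payload
    deep_inspection_apps: set = field(default_factory=set)


@dataclass
class AccessRule:
    applications: set = field(default_factory=set)  # applications in the Service cell
    decrypt_service: bool = False                    # "HTTPS (with decryption)" service


@dataclass
class Decision:
    mode: str                  # server-protection / client-protection / tls-match / no-inspection
    decrypted: bool            # the firewall sees plaintext
    cert_replaced: bool        # the browser sees a certificate issued by the Client Protection CA
    app_from_cn: Optional[str]  # application identified from the server certificate CN, if any


def cert_fingerprint(der: bytes) -> str:
    """Fingerprint used to compare the Server Hello certificate with stored ones (assumed)."""
    return hashlib.sha256(der).hexdigest()


def cn_matches(pattern: str, cn: str) -> bool:
    """Match a CN against a pattern; '*' is allowed only as the whole left-most label."""
    pattern, cn = pattern.lower(), cn.lower()
    if not pattern.startswith("*."):
        return pattern == cn
    suffix = pattern[1:]                  # "*.facebook.com" -> ".facebook.com"
    if not cn.endswith(suffix):
        return False
    leftmost = cn[: -len(suffix)]         # must be exactly one non-empty label
    return bool(leftmost) and "." not in leftmost


def app_from_certificate(cfg: FirewallConfig, cn: str) -> Optional[str]:
    for pattern, app in cfg.tls_match_apps.items():
        if cn_matches(pattern, cn):
            return app
    return None


def decide(cfg: FirewallConfig, rule: AccessRule, server_cert_der: bytes, server_cn: str) -> Decision:
    """Which protection mode applies to a connection matched by `rule`."""
    cn_app = app_from_certificate(cfg, server_cn)
    # The rule needs plaintext if it decrypts explicitly or lists an application
    # that TLS Match cannot identify (e.g. Facebook-chat).
    needs_payload = rule.decrypt_service or bool(rule.applications & cfg.deep_inspection_apps)

    # 1. A stored server certificate matches the Server Hello: Server Protection.
    #    Decrypt with the stored key; the certificate is not replaced.
    if cert_fingerprint(server_cert_der) in cfg.server_protection_fingerprints:
        return Decision("server-protection", True, False, cn_app)
    # 2. Everything the rule asks for is visible in the handshake: no decryption,
    #    so the browser keeps seeing the original CA.
    if not needs_payload:
        return Decision("tls-match", False, False, cn_app)
    # 3. Plaintext is needed and a Client Protection CA exists: re-sign with it
    #    (clients must trust that CA, or they get warnings and HSTS sites fail).
    if cfg.client_protection_ca:
        return Decision("client-protection", True, True, cn_app)
    # 4. Plaintext is needed but nothing to re-sign with: the sub-application
    #    cannot be identified, so a Discard rule for it never matches.
    return Decision("no-inspection", False, False, cn_app)


# Constructed sample data (not real certificates): the bytes stand in for DER.
INTERNAL_CERT = b"constructed DER of CN=mail.example.internal"
FACEBOOK_CERT = b"constructed DER of CN=*.facebook.com"

CFG = FirewallConfig(
    server_protection_fingerprints={cert_fingerprint(INTERNAL_CERT)},
    client_protection_ca=True,
    tls_match_apps={"*.facebook.com": "Facebook", "*.google.com": "Google"},
    deep_inspection_apps={"Facebook-chat", "Facebook-games"},
)
CFG_NO_CLIENT_CA = FirewallConfig(
    server_protection_fingerprints=CFG.server_protection_fingerprints,
    client_protection_ca=False,
    tls_match_apps=CFG.tls_match_apps,
    deep_inspection_apps=CFG.deep_inspection_apps,
)
DECRYPT_ANY = AccessRule(decrypt_service=True)             # question 1 in the thread
DISCARD_CHAT = AccessRule(applications={"Facebook-chat"})  # question 2 in the thread
ALLOW_FACEBOOK = AccessRule(applications={"Facebook"})

if __name__ == "__main__":
    for label, cfg, rule, der, cn in [
        ("own server, decrypt rule", CFG, DECRYPT_ANY, INTERNAL_CERT, "mail.example.internal"),
        ("facebook, decrypt rule", CFG, DECRYPT_ANY, FACEBOOK_CERT, "www.facebook.com"),
        ("facebook, discard chat", CFG, DISCARD_CHAT, FACEBOOK_CERT, "www.facebook.com"),
        ("facebook, discard chat, no CA", CFG_NO_CLIENT_CA, DISCARD_CHAT, FACEBOOK_CERT, "www.facebook.com"),
        ("facebook, allow facebook only", CFG, ALLOW_FACEBOOK, FACEBOOK_CERT, "www.facebook.com"),
    ]:
        print(f"{label:32} -> {decide(cfg, rule, der, cn)}")
```

Two of the modelled cases are the ones the thread turns on: without a Client Protection CA the Facebook-chat Discard rule falls into "no-inspection" and can never match, and a rule that lists only Facebook is satisfied by the wildcard CN, so nothing is decrypted and the browser still shows the original CA.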

          • 2. Re: Client vs Server Protection in SSL Inspection?
            totti10

            Hi Lauri,

            Thanks for your information. In my case, I have an access rule to deny Facebook-chat like this:

            [attached screenshot: Facebook-caht.PNG]

            Will this access rule enable SSL Inspection for all HTTPS traffic, or just all HTTPS traffic from host Win 2.10?

            • 3. Re: Client vs Server Protection in SSL Inspection?
              totti10

              Hi Lauri,

              I found out that it only enables SSL Inspection for HTTPS traffic from host Win 2.10. But now I have a problem: SSL Inspection does not work with Facebook, google.com, and some sites which are signed by DigiCert or Verisign (I browse to these sites and check the certificate, and the certificate is the original site's, not the certificate on the NGFW). Other sites work perfectly @@

              [attached screenshots: effCert.PNG, googleCert.PNG, FbCert.PNG, hdbankCert.PNG]

              Here's my access rule:

              [attached screenshot: MyAccessRule.PNG]

              Please help me! I'm stuck with this @@

              Thanks and Regards!

              • 4. Re: Client vs Server Protection in SSL Inspection?
                lnurmi

                Hi,

                I tested with version 5.5.12 and this seems to be normal with applications. I had a client protection CA configured and a rule allowing several Google applications. The CA shown in the browser never changed from the original, but the connections matched the application rule nevertheless.

                If you enable TLS inspection for all traffic, e.g. in rule 5.16 use the "HTTPS (with decryption)" service and enable inspection in the action options, then you can expect the CA to change on all connections. With that config you should remember to import the CA into your Windows certificate store (Trusted Root CAs) and the Firefox certificate store (if you use Firefox); otherwise you get warnings all the time and sites utilising HSTS don't open at all.

                Facebook chat has been somewhat tricky in the past, so I recommend using one of the latest NGFW versions (5.5.12, 5.7.7, 5.8.1) and the latest update package (630). If you still cannot block it, open a support ticket.

                BR,

                Lauri