DPI vs. Proxy exceptions

In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply? 

  • Correct!

    For web proxy exceptions, you need to use web > exceptions list. For dpi, local tls exception url list.

  • The Web > Exceptions apply to both proxy mode and DPI mode and can turn off HTTPS Decryption, certificate checks, Policy checks, AV and more.  It applies to web traffic.

    The TLS Inspection Rules apply to DPI mode and can only turn off HTTPS Decryption and certificate checks.  It applies to any type of SSL/TLS traffic.

     

    There is a bunch of new integration into the log viewer and dashboard to make it easy to add to the URL Group that is used by the TLS Inspection Rules.

     

    In WebAdmin we have tried to make a note of things that only work in proxy mode and not DPI mode (for example SafeSearch).  Web Exceptions work in both.

  • In reply to Michael Dunn:

    Thanks Michael.

    Does it gonna to change in the next future?

    In this way, users need to update and keep update the same objects inside 2 different lists.

    So image the user is not able to open a website and he/she is using DPI, then the user puts the site inside the TLS URL group but the website still does not open. So the user puts the same websites (using regex this time) into exceptions and ticked all checkboxes and finally the website works.

    The user to keep the things clean on XG, needs to understand first who is responsible for the blocking traffic, try and then clean the portion that is not responsible.

    Sorry, but for the moment, logs do not help a lot. I would like to have another extra checkbox into web exceptions for skip DPI scanning or something like that to have a single section to deal with.

    Also, I prefer regex to url or subdomains, as regex are more flexible to filter/bypass traffic.

     

  • In reply to lferrara:

    No plan to change.  If you are only dealing with Web traffic (80/443) and you want a single source use Web Exceptions.  They are more flexible with RegEx and can exclude more than just HTTPS scanning.

     

    The URL group for TLS/SSL Inspection Rules may be easier for some people who don't know RegEx or want a simpler way to exclude traffic from TLS decryption when using DPI mode.  They are not a true "exception".  It is a bit like creating a higher level firewall rule that treats traffic to a specific destination differently.  We just created one out of the box and give a shortcut to using it.

    Also remember - TLS decryption and DPI scanning are not the same thing.  You cannot say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude the connection from DPI".  You can only say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude that connection from TLS decryption".

  • In reply to Michael Dunn:

    This is a bit complicated to understand for “normal users”.

    A better description should be provided inside the ui itself.

  • In reply to lferrara:

    lferrara

    This is a bit complicated to understand for “normal users”.

    A better description should be provided inside the ui itself.

    Uncomplicated answer:  If are used to creating Web Exceptions, continue creating web exceptions.

     

  • In reply to Michael Dunn:

     

    I will let you know once my customers will start to move on v18. Customers' feedback are the most important part in our job.

    Thanks

  • In reply to Michael Dunn:

    I don't necessarily agree that it is too complicated, but I agree that this should be pointed out better in the documentation. Once you understand what is what, it makes sense and isn't hard to understand, but the information about it is missing or not clear enough. So I second the request that the documentation gets a little update on this. 

    Cheers

  • In reply to Michael Dunn:

    Hi Michael,

    I have to come back to this. To me it appears that the web exceptions do NOT fully apply in DPI mode. We are using an app that doesn't work with SSL decryption, so in v17, we created a web exception for this that contains about 20 RegEx expressions in order to get the app to work. With that web exception, we had no problems. Now we upgraded to v18 and switched the corresponding firewall rule to DPI mode. And sure enough, that app stopped working. When I disable DPI mode and go back to proxy mode for that rule, the app works again.

    This is clearly indicating that web exceptions do not fully apply in DPI mode. 

    Any thoughts?

    EDIT:

    Upon further inspection, it gets even more weird. When disabling DPI mode and force the connection through web proxy, it still doesn't work. We have to disable the decryption rule, which shouldn't even be used in proxy mode. Consider me mighty confused. 

    To re-iterate:

    1. Firewall rule is set to proxy mode
    2. Matching decryption rule is in place
    3. Matching web exception is in place
    4. Result: App doesn't work

    5. Disable matching decryption rule
    6. App works

  • In reply to cryptochrome:

    Hi cryptochrome,

    If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.

    Your problem sounds weird and does not match anything I've heard of before. Please start a new thread.

    Please note that during the EAP, part of my duties as a member of the development team was to monitor and respond in the forums. Now that we are GA, Support is becoming the first point of contact, and they will forward to the development team.

  • In reply to Michael Dunn:

    Michael Dunn

    If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.

    Well actually it is. I opened this thread. The original question was whether web exceptions also apply in DPI mode, to which you said they do. But apparently, they don't. I have a comprehensive web exception rule to exclude a certain app from SSL decryption. That web exception rule no longer works in v18 with DPI mode enabled. When I disable DPI mode and force the connection through the proxy, the web exception rule applies and works. 

    By your logic, that should not happen. The web exception rule should also work in DPI mode, but it doesn't. 

     

     
  • In reply to cryptochrome:

    This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL."  I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.  

  • In reply to cryptochrome:

    What I was trying to say is that a thread that starts "I am using XYZ app.  It does not work in DPI mode, even if I have Web Exceptions or TLS Exclusion" then someone from Support can work with you and determine if it a bug in DPI mode, if it a duplicate to any existing bug, how many customers are experiencing it, and raise it to development with appropriate priority.  When you start the thread "Does turning off decryption mean that Web Exceptions don't apply" that makes the thread sound like you are asking for documentation or help understanding the system.

     

    cryptochrome

    The original question was whether web exceptions also apply in DPI mode, to which you said they do. But apparently, they don't.

    Web exceptions also apply in DPI mode.  Your app/website/client/whatever does not work in DPI mode.  Do not assume that the problem is because of web exceptions.  Raise it as a bug in DPI mode, don't raise as a bug in Web Exceptions.

    Or not.  You can go ahead and raise a bug that says "Web exceptions don't work in DPI mode for this app" and then raise a separate bug that says "TLS exclusions don't work in DPI mode for this app" because both are true.  But rather than raising two separate issues for Web Exceptions and TLS exclusions, my recommendation raise a single issue for the app in DPI mode.

  • In reply to Michael Dunn:

    Michael Dunn

     

    Web exceptions also apply in DPI mode.  Your app/website/client/whatever does not work in DPI mode.  Do not assume that the problem is because of web exceptions.  Raise it as a bug in DPI mode, don't raise as a bug in Web Exceptions.

     

    I didn't assume anything, I was merely describing the behavior that I am seeing. A certain web exception does not seem to apply in DPI mode. The second bug you want me to raise ("TLS exclusions don't work in DPI mode for this app") is not what I am seeing. I have no TLS exclusions in place for that app.