DPI vs. Proxy exceptions

In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply? 

  • In reply to Bill Roland:

    Bill Roland

    This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL."  I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.  


    That's a good idea, but unfortunately not the issue in my case. It is really weird. 

    I have an exception and a decryption rule. When I set the corresponding firewall rule to use the proxy (turn off DPI mode), the exception does not work unless I disable the decryption rule, which shouldn't even apply in proxy mode. When I set the firewall rule to DPI mode (and re-enable the decryption rule), the exception rule does not work either.

  • In reply to cryptochrome:

    Hi  

    It sounds like you are having an issue. If you are a paid license user and not a home user, I would suggest that you open a support request so that it can be looked at via connection tracking and a debug of DPI.

    Thanks!

  • In reply to cryptochrome:

    cryptochrome

    I don't necessarily agree that it is too complicated, but I agree that this should be pointed out better in the documentation. Once you understand what is what, it makes sense and isn't hard to understand, but the information about it is missing or not clear enough. So I second the request that the documentation gets a little update on this. 


    I have just finished working with the Docs team on getting this (TLS Exclusion Rules and Web Exceptions) better documented in the Help section for SSL/TLS Inspection Rules. I don't know when you guys will see the update, but it should be clearer in the docs in the future.

  • In reply to Michael Dunn:

    Thanks for the update, Michael. I'll take a look once it's available. 

  • In reply to Michael Dunn:

    Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:

    SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.

    From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?

    Thanks
    Sascha

  • In reply to Michael Dunn:

    Special thanks to  and @ for getting this content to our help!

    Wanted to mention to any readers to visit our Feedback on User Assistance group to suggest new content for our online help, startup guides, knowledge base and videos, or tell us how we can improve what we already have!

  • In reply to cryptochrome:

    cryptochrome

    Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:

    SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.

    From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?


    I suspect you have a misconfiguration somewhere and the traffic is not hitting what you think it is.  This should not happen, and I'm pretty confident we don't have a bug here.

    If you can reproduce it, can you please start a new thread and give plenty of details?