What is the difference between exclusions to SSL/TLS inspection rules under Rules and policies and under the Web menu?

Exclusions to SSL/TLS inspection rules

XG Firewall provides default exclusion rules for websites and applications. These rules are positioned at the top of the SSL/TLS inspection rule table and are evaluated first. You can’t change their sequence in the rule table.

To the default exclusion rules, add only applications and websites that you don’t want to decrypt in any SSL/TLS inspection rule.

To exclude traffic from decryption using other criteria, you can create additional rules with action set to Do not decrypt and place them immediately below the default rules.

Exclusions by website or category: Contains the following exclusion lists:
  • Local TLS exclusion list: The list is empty by default. You can’t delete it from the exclusion rule. You can add domains to this list based on troubleshooting outcomes. Websites excluded through the control center or the log viewer are also added to this list. To edit this list, go to Web > URL groups.
  • Managed TLS exclusion list: Contains domains known to be incompatible with SSL/TLS inspection and is updated through firmware updates. You can, however, remove the list from the exclusion rule.

Exclusions by application: The list is empty by default. To add to the list, select the exclusion rule and add the Synchronized Security applications. Applications excluded through the control center are also added to the list.


Please document the differences between this new tab/option and the exceptions available in Web > Exceptions. Which one takes precedence?

Thanks

  • The TLS exclusion lists only apply to SSL/TLS Inspection rules and not to Web Proxy.

  • In reply to PMStuart:

    Can you explain a little bit deeper?

    For example, at the moment, I have web proxy exceptions for Skype; otherwise, with decrypt and scan and application control where Skype is allowed, Skype calls do not work. Do I need to move these exceptions to the new SSL/TLS exceptions?

    Also, make sure to document in the PDF or online doc.

    Thanks

  • In reply to lferrara:

    If you go to a firewall rule and scroll to Web Filtering, on the right-hand side under proxy you will see a link. Does the explanation in the popup help you?


    Bottom line: if you select to use the Web Proxy, HTTP/S traffic on port 80/443 will be handled by the proxy and therefore by your Web exceptions. Any SSL/TLS traffic on other ports will be handled by the SSL/TLS Inspection policy and its exclusions. If you elect not to use the proxy, all HTTP/S traffic on ANY port will be handled by the TLS/SSL rules, and the exclusions there will apply. If it wasn't apparent, the TLS/SSL Inspection rules are ordered and processed from the top down. So if you want to put in your own exceptions, implement a 'do not decrypt' rule above any 'decrypt' rules but below the Global Exclusions.


    That help?

  • In reply to PMStuart:

    Not really. I am confused.

    To use the new SSL/TLS, in the firewall rule > web section, I do not need to select any web proxy options?

    Sorry but maybe it's me!

  • In reply to lferrara:

    No, the new XSTREAM SSL engine is always active, and controlled by the rules. The option for Content Scanning adds additional capabilities for detection of malware if you want to do so.


    If you leave the web proxy options unticked then decryption of SSL/TLS traffic will be handled according to the SSL/TLS rules. If you have no rules, then no decryption will be attempted.


    For testing or initial deployment purposes it might be helpful to create a TLS Inspection rule that implements a 'do not decrypt' action but still logs the connections. This way you get visibility under TLS/SSL Inspection in the log viewer and Control Center.
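The precedence described in the two replies above (proxy ticked: port 80/443 goes to the proxy and Web > Exceptions, everything else to the SSL/TLS rules; proxy unticked: all ports go to the SSL/TLS rules, evaluated top down with the default exclusions pinned first, and no rules means no decryption) can be written down as a small decision model. The following Python is an added illustration, not Sophos code and not the firewall's real evaluation logic; the rule names, hosts and domains are constructed, and the "no matching rule means no decryption" behaviour is an assumption of the model. It also shows why the ordering advice matters: a catch-all 'decrypt' rule placed above your own 'do not decrypt' rule shadows it.

```python
from dataclasses import dataclass
from typing import Optional

DECRYPT = "decrypt"
DO_NOT_DECRYPT = "do_not_decrypt"
PROXY_PORTS = frozenset({80, 443})   # ports the web proxy takes over when ticked in the firewall rule


@dataclass(frozen=True)
class Connection:
    src_host: str
    dst_port: int
    domain: str
    app: str = ""


@dataclass(frozen=True)
class TlsRule:
    name: str
    action: str                        # DECRYPT or DO_NOT_DECRYPT
    domains: frozenset = frozenset()   # "exclusions by website" criteria
    apps: frozenset = frozenset()      # "exclusions by application" criteria
    src_hosts: frozenset = frozenset() # constructed extra criterion (devices without the CA)
    catch_all: bool = False            # matches every connection, e.g. "decrypt everything else"
    log: bool = True

    def matches(self, conn: Connection) -> bool:
        if self.catch_all:
            return True
        # An exclusion rule whose lists are empty (the Local list by default) matches nothing.
        return (conn.domain in self.domains or conn.app in self.apps
                or conn.src_host in self.src_hosts)


@dataclass(frozen=True)
class Decision:
    handler: str          # "web_proxy" or "tls_inspection"
    decrypt: bool
    rule: Optional[str]   # matching rule / exception name, None when nothing matched
    logged: bool


def build_rule_table(default_exclusions, user_rules):
    """Default exclusion rules are pinned at the top of the table and cannot be re-ordered."""
    return list(default_exclusions) + list(user_rules)


def evaluate_tls(conn: Connection, rule_table) -> Decision:
    """Rules are processed top down; the first match wins.
    No rules at all (or, an assumption here, no matching rule) means nothing is decrypted."""
    for rule in rule_table:
        if rule.matches(conn):
            return Decision("tls_inspection", rule.action == DECRYPT, rule.name, rule.log)
    return Decision("tls_inspection", False, None, False)


def dispatch(conn: Connection, web_proxy_enabled: bool, rule_table, web_exceptions) -> Decision:
    """Proxy ticked: port 80/443 is handled by the proxy and its Web > Exceptions.
    Other ports, or all ports when the proxy is unticked, go to the SSL/TLS rules."""
    if web_proxy_enabled and conn.dst_port in PROXY_PORTS:
        if conn.domain in web_exceptions:
            return Decision("web_proxy", False, "web_exception", True)
        return Decision("web_proxy", True, None, True)
    return evaluate_tls(conn, rule_table)


def shadowed_rules(rule_table):
    """Names of rules that can never match because a catch-all rule sits above them."""
    shadowed, seen_catch_all = [], False
    for rule in rule_table:
        if seen_catch_all:
            shadowed.append(rule.name)
        elif rule.catch_all:
            seen_catch_all = True
    return shadowed


# Constructed table: 2 global exclusions, 1 do-not-decrypt rule, decrypt the rest.
DEFAULT_EXCLUSIONS = [
    TlsRule("Managed TLS exclusion list", DO_NOT_DECRYPT, domains=frozenset({"pinned.example"})),
    TlsRule("Local TLS exclusion list", DO_NOT_DECRYPT),   # empty by default
]
USER_RULES = [
    TlsRule("No CA on device", DO_NOT_DECRYPT, src_hosts=frozenset({"printer"})),
    TlsRule("Decrypt everything else", DECRYPT, catch_all=True),
]
WEB_EXCEPTIONS = frozenset({"skype.example"})   # constructed Web > Exceptions entry


def demo(web_proxy_enabled: bool):
    """Run a few constructed connections through the model and return the decisions by name."""
    table = build_rule_table(DEFAULT_EXCLUSIONS, USER_RULES)
    conns = {
        "skype_443": Connection("pc1", 443, "skype.example"),
        "skype_8443": Connection("pc1", 8443, "skype.example"),
        "pinned": Connection("pc1", 443, "pinned.example"),
        "printer": Connection("printer", 443, "vendor.example"),
    }
    return {k: dispatch(c, web_proxy_enabled, table, WEB_EXCEPTIONS) for k, c in conns.items()}


if __name__ == "__main__":
    for enabled in (True, False):
        print("web proxy ticked:" if enabled else "web proxy unticked:")
        for name, d in demo(enabled).items():
            print(f"  {name:11} -> {d.handler:14} decrypt={d.decrypt} rule={d.rule}")
```

The point the model makes concrete is the one lferrara was asking about: with the proxy unticked, a Web > Exceptions entry for a domain has no effect, and the connection is decrypted by the catch-all rule unless a 'do not decrypt' rule above it matches first.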

  • In reply to PMStuart:

    Stuart Hatto

    No, the new XSTREAM SSL engine is always active, and controlled by the rules. The option for Content Scanning adds additional capabilities for detection of malware if you want to do so.


    If you leave the web proxy options unticked then decryption of SSL/TLS traffic will be handled according to the SSL/TLS rules. If you have no rules, then no decryption will be attempted.


    Ahh! - That would be so great, if you could hint that, just like you do now in Notification Settings:

  • In reply to twister5800:

    The Firewall Part of SSLx / web Proxy is not final yet.

     can maybe show some more inputs here. 

  • In reply to PMStuart:


    Please provide some examples with proper firewall rules, i.e. what to tick inside the firewall rule for both web proxy and SSL/TLS decryption.

    Thanks

  • In reply to LuCar Toni:

    I put some time into this, because it could be confusing in the current state for new people in V18. 


    It is quite easy, if you understand the underlying services.


    The firewall rule will simply "allow" the service. In the firewall rule you can activate the web proxy (of V17.5). This proxy is acting on port 443/80.

    The new SSLx engine is working on all ports, so to speak, it can actually scan all applications, ports etc.


    If you decrypt all ports with SSLx (the third part), it will do it on all ports. 

    If some traffic is decrypted on port 443, it will "automatically" give this traffic to the built-in proxy, and all configuration matching in the proxy will take care of this traffic (can I open google.de etc.).

    If you activate the configuration on the right of the firewall policy, it will activate the proxy and prioritize the traffic for 443/80. It will not be stream based; instead it is an actual proxy.


    So most likely: create an SSLx rule for LAN to WAN.

    Set your web proxy rule (allow traffic etc.) in the drop-down rule and allow the traffic. You should be fine.


    If you observe an application / service / etc. not working with decryption, start to investigate the log viewer (new option --> TLS).

  • In reply to lferrara:

    Here is my very simple setup: 2 Global Exclusion rules, 2 Do Not Decrypt rules for devices that can't import the appliance cert, and 2 decryption rules for everything else.

    My Firewall does not have any web proxy selected, but I am scanning for Malware in the web streams.


  • In reply to PMStuart:

    Much better with a real example!

    Thanks.

    I guess you should better document in the doc and somewhere else, because for me, it was not clear at all!

    Let's see other users' feedbacks.

  • In reply to PMStuart:


    Here the test I did:

    LinkedIn does not open at all.

  • In reply to lferrara:

    Exclude from decryption did not help!

  • In reply to lferrara:

    The 0:443 thing is a known issue we are working to resolve.


    Not sure why you can't get to LinkedIn (hate this phrase personally), but it works here and I have no exclusions for it.

  • In reply to lferrara:

    Can you give a bit more detail:

    - How are you trying to access LinkedIn? From a browser on a PC or Mac, or from an iPhone or mobile device?

    - Are you sure that the device/browser/app is trusting the re-signing CA on your firewall?

    - Are you sure it's not being blocked by your web policy "Deny ADS"?

    - What entries do you see in the Log Viewer relating to LinkedIn? Using the detailed view of the log viewer, you should see Firewall, SSL/TLS and Web filter logs relating to the application definition "LinkedIn Website".