Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 23 replies
  • Subscribers 44 subscribers
  • Views 9997 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DPI vs. Proxy exceptions

cryptochrome

In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply? 



This thread was automatically locked due to age.
Parents
  • 0

    The Web > Exceptions apply to both proxy mode and DPI mode and can turn off HTTPS Decryption, certificate checks, Policy checks, AV and more.  It applies to web traffic.

    The TLS Inspection Rules apply to DPI mode and can only turn off HTTPS Decryption and certificate checks.  It applies to any type of SSL/TLS traffic.

     

    There is a bunch of new integration into the log viewer and dashboard to make it easy to add to the URL Group that is used by the TLS Inspection Rules.

     

    In WebAdmin we have tried to make a note of things that only work in proxy mode and not DPI mode (for example SafeSearch).  Web Exceptions work in both.

  • 0 in reply to Michael Dunn

    Thanks Michael.

    Does it gonna to change in the next future?

    In this way, users need to update and keep update the same objects inside 2 different lists.

    So image the user is not able to open a website and he/she is using DPI, then the user puts the site inside the TLS URL group but the website still does not open. So the user puts the same websites (using regex this time) into exceptions and ticked all checkboxes and finally the website works.

    The user to keep the things clean on XG, needs to understand first who is responsible for the blocking traffic, try and then clean the portion that is not responsible.

    Sorry, but for the moment, logs do not help a lot. I would like to have another extra checkbox into web exceptions for skip DPI scanning or something like that to have a single section to deal with.

    Also, I prefer regex to url or subdomains, as regex are more flexible to filter/bypass traffic.

     

  • 0 in reply to lferrara

    No plan to change.  If you are only dealing with Web traffic (80/443) and you want a single source use Web Exceptions.  They are more flexible with RegEx and can exclude more than just HTTPS scanning.

     

    The URL group for TLS/SSL Inspection Rules may be easier for some people who don't know RegEx or want a simpler way to exclude traffic from TLS decryption when using DPI mode.  They are not a true "exception".  It is a bit like creating a higher level firewall rule that treats traffic to a specific destination differently.  We just created one out of the box and give a shortcut to using it.

    Also remember - TLS decryption and DPI scanning are not the same thing.  You cannot say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude the connection from DPI".  You can only say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude that connection from TLS decryption".

  • 0 in reply to Michael Dunn

    This is a bit complicated to understand for “normal users”.

    A better description should be provided inside the ui itself.

  • 0 in reply to lferrara

    lferrara said:

    This is a bit complicated to understand for “normal users”.

    A better description should be provided inside the ui itself.

    Uncomplicated answer:  If are used to creating Web Exceptions, continue creating web exceptions.

     

Reply Children
Unfiltered HTML