
SSL/TLS Rules

Hello,

I'm testing the new features of V18 and there is one thing I don't understand.

If I uncheck all web security options on a firewall rule that matches an IP host, the SSL decryption still decrypts and blocks traffic for insecure SSL sites...

Am I missing something?

Thanks.

  • Because your SSLx rule hits?
    SSLx has no relation whatsoever to the firewall rule.

    The firewall rule specifies what to do with the decrypted traffic.

    Everything else is dealt with by the DPI engine (SSLx).

  • Thank you for your answer; I understand the way it works now.


    But there is a bug in the way SSL/TLS Inspection rules work.

    If you specify an IP host group in "Source networks and devices", AND this IP host group is empty, then ALL the traffic from any source (even sources that should not match this rule) will hit this rule. And then, if I add a host to the IP host group, only this IP host will hit this rule, and all of the other sources won't hit this rule; they will hit the rules below this one, and everything works fine.

    The bug only occurs when the IP host group used as source is empty.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

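To make the two points in this thread concrete (the SSL/TLS inspection decision being taken by a separate first-match table before the firewall rule ever sees the flow, and an empty host group in a rule's source selector matching every source), here is a small constructed model of the two stages. It is an added example written for this page, not Sophos code and not how SFOS is implemented; the rule names, host group contents and the `empty_group_matches_any` switch are all hypothetical. The switch lets you run the same rule set under both interpretations of an empty group and see why an exception rule with no members silently swallows all traffic placed below it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class TlsRule:
    """One row of a hypothetical SSL/TLS inspection table (first match wins)."""
    name: str
    action: str                                      # "decrypt" or "do_not_decrypt"
    source_nets: list = field(default_factory=list)  # [] models an empty host group


def source_matches(rule, src_ip, empty_group_matches_any):
    """Does the flow's source satisfy the rule's source selector?

    The third argument selects the semantics for an empty selector:
    True reproduces the fail-open behaviour reported in the thread
    (no members -> every source matches); False treats an empty group
    as matching nothing, so evaluation falls through to later rules.
    """
    if not rule.source_nets:
        return empty_group_matches_any
    ip = ip_address(src_ip)
    return any(ip in ip_network(net) for net in rule.source_nets)


def evaluate_tls(rules, src_ip, empty_group_matches_any=False):
    """Return (rule name, action) of the first matching rule, or the default."""
    for rule in rules:
        if source_matches(rule, src_ip, empty_group_matches_any):
            return rule.name, rule.action
    return "default", "do_not_decrypt"


def firewall_action(tls_action, web_security_enabled):
    """Stage two: what the firewall rule does with the flow it receives.

    Simplified model: web filtering can only act on a decrypted flow, and
    only if the matched firewall rule has web security switched on. Whether
    the flow was decrypted at all was already decided by the TLS table, so
    unticking web security on the firewall rule does not stop decryption.
    """
    if tls_action == "decrypt" and web_security_enabled:
        return "decrypted, web filtered"
    if tls_action == "decrypt":
        return "decrypted, passed through"
    return "encrypted, passed through"


# Constructed rule set (hypothetical): a decrypt rule whose host group is
# still empty sits above a rule that exempts the whole LAN from decryption.
RULES = [
    TlsRule("decrypt-vip-hosts", "decrypt", []),                 # empty group
    TlsRule("no-decrypt-lan", "do_not_decrypt", ["10.0.0.0/8"]),
]


def compare_semantics(src_ip, rules=RULES):
    """Evaluate one flow under both interpretations of an empty group."""
    return {
        "buggy": evaluate_tls(rules, src_ip, empty_group_matches_any=True),
        "safe": evaluate_tls(rules, src_ip, empty_group_matches_any=False),
    }


if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.168.1.20"):
        print(ip, compare_semantics(ip))
    # Once the group has a member, both semantics agree and only that
    # member hits the first rule; everyone else falls through to the LAN rule.
    populated = [TlsRule("decrypt-vip-hosts", "decrypt", ["10.0.0.5/32"]), RULES[1]]
    print("10.0.0.6 after adding a member:", compare_semantics("10.0.0.6", populated))
    print("firewall stage:", firewall_action("decrypt", web_security_enabled=False))
```

Under the "buggy" semantics every source, LAN or not, lands on the first rule and gets decrypted, exactly the symptom described above; under the "safe" semantics the empty rule is inert and LAN clients reach the exemption below it. The practical check while this behaviour exists is simple: never leave an SSL/TLS inspection rule in place with an empty host group as its source selector, and disable the rule until the group has members.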