
Can someone explain SSL/TLS inspection rules vs. Web Exceptions?

Explain like I'm 5 (maybe a 5 year old is smarter at this point, who knows)...

We have SSL/TLS inspection rules under "Rules and policies." One of these rules is the built-in "Exclusions by Website," which references both a Local and a Managed TLS exclusion list. Makes sense.

Then we have Exceptions under "Web," where we can also exempt URLs from HTTPS Decryption.

How do these two work together? If I have a Web Exception for www.google.com, and www.google.com is also in the Local TLS exclusion list, is that essentially the same thing?

Thanks,

Casey



  • It's my impression that the Web->Exceptions is a high-level list for really global control that can override many different steps of the firewall processing in one place, using wildcard expressions. Mainly meant for global-ish sites like Apple, Microsoft, your corporate site, key utility/security software sites.

    The SSL/TLS inspection rules look for exact matches of host or domain, and only affect that aspect. So more specific to the TLS system itself (and you can turn off all TLS decryption entirely from that page.)

    You can also turn off or on TLS inspection per firewall rule, so I envision the control hierarchy as (in order): if the firewall rule says yes and the TLS Policy says yes (and TLS is turned on globally), and the Exceptions don't say No: do it. Otherwise, if any point along the way says "no", don't do it.

  • That's as reasonable as I have seen, but I find it odd that it isn't spelled out anywhere. Even chat support didn't seem to really know.

  • Essentially one is the service, the other one is the entire Engine. 

    So: DPI Exceptions means, we are not "touching" the decryption. 

    Web Exception means, if we touched the traffic and forwarded it to the Proxy, the proxy will not do "something" on it.


