My challenges with TLS/SSL Inspection

Hi there,

I am using v18 EAP2 now for a few weeks at home (best lab :D) and have some weird happenings.

 

1. I am using Google home speakers, which have trouble connecting/answering questions every now and then, only working after asking twice. After building an exception for all speakers it is working again. It is hard to troubleshoot, as all SSL errors were fixed and no other security features are enabled in the firewall policy rule.

2. I am using Threema, a secure instant messaging client on mobile phones. This one is unknown via app control, so there is no catergory and therefore no way to build an exception for it. As there are no URLs communicated for it I am not able to except anything - Fun fact: Threema is working with messaging and stuff, but sending pictures is not possible. After switching wifi off the file is send immediately. Same here: No other Security Features are enabled. In SSL/TLS log you see a connection to blobp-upload.threema.ch. I added it to my Local exception list but it is still not working. How to troubleshoot it further?

 

Regards
Stefan

Parents
  • Hi Stefan,

    you can setup a rule that allows your speakers etc only out without using https scanning or TLS/SSL DPI. I think that would be a better solution rather than trying to setup exceptions which add complexity to the debugging process. If you set the initial rule to allow any service then you can see what is being used in logviewer and then restrict/improve security by only allowing that rule to use those ports.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    I tried that before but is not working correctly.

    Now I disabled SSL/TLS decrypting (via inspection settings) and everything is working again without any problems.

     

    So my experience: Troubleshooting is very hard if you are using SSL/TLS inspection, even if nothing is decrypted.

     

    Right after disabling, what is the most compatible way which should not produce any errors? SSL/TLS with decryption profile 'Maximum compatibility' is causing a lot of trouble in my network. Is there another, maybe not so strict way?

     

    Regards

    Stefan

  • Hi Stefan,

    if you are using a firewall rule that does not have any boxes ticked in the WEB proxy orTLS/SSL then your traffic is going out another firewall rule. 

    I have firewall rules that do not use TLS/SSL inspection for some of my IoT devices that do not like or understand inspection.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Hi Stefan,

    if you are using a firewall rule that does not have any boxes ticked in the WEB proxy orTLS/SSL then your traffic is going out another firewall rule. 

    I have firewall rules that do not use TLS/SSL inspection for some of my IoT devices that do not like or understand inspection.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Children
No Data