Give the ability to use Application Objects on SSL/TLS Inspection Rules.



First of all, I don't know if it's possible, or if it will be in the future.

Now on v18 EAP 3 it is already possible to use application objects in SD-WAN rules, so giving the ability to use Application Objects for SSL/TLS Inspection would allow much easier maintenance on XG, as there are a lot of applications, such as those from Google, that dislike being MITMed.

The new SSL/TLS widget is pretty handy for creating exclusions, but the idea here is to be able to do as above, giving at the same time the ability to create multiple exceptions even before a certain application is used (and shown as errors in the widget), so there's no need to be constantly creating exceptions from there (the widget).


As stated before, is it possible? Or will we be able to see this in v18.5 or v19?



  • The problem is that many application detections cannot occur within the first packet, which is when the system needs to make the decision on whether to do decryption or not.  By the time we know that a particular TCP stream is a specific application, we cannot back out of the decryption.

    Application as a criterion for selecting a rule is very difficult.  That is why, for example, you cannot select a firewall rule based on application.


    Synchronized Applications are a little different in that we get information out-of-band from the endpoint about what the application is.  Even so we are running into issues right now where we are finding out too late.

    I would not get your hopes up that we get non-Synchronized Applications added as selection criteria for SSL/TLS Inspection Rules.