SSL decryption using incorrect security policy

L2 Linker

SSL decryption using incorrect security policy

Hello all,

I am testing out SSL decryption on a few categories.  For now I am using a system generated certificate and it works in decrypting the categories I have selected.  The problem is that once it is decrypted, it doesn't use the proper security policy.  We have AD integration and URL filtering set up between certain groups.  My user ID has elevated browsing privileges but after the session is decrypted it uses the policy I have set up when the firewall doesn't know who the user is so I am getting blocked.  Any idea why it wouldn't use the correct security policy when the log view and blocked page are showing my user ID?



Tags (1)
L7 Applicator

Re: SSL decryption using incorrect security policy

Hi Clint

Can you also include a screenshot of the security policy?

The security policies are processed top to bottom with the first match (not "best" match) being the rule that is used to pass traffic, so if your top rule does not have a source user restriction this would be normal.

have you set that rule to use source user "unknown" or "any" ?



L2 Linker

Re: SSL decryption using incorrect security policy

Here you go.  The rules work fine with no decryption but when it is turned on for some reason it jumps over "Netit".



L0 Member

Re: SSL decryption using incorrect security policy

My guess is that the app is now "web-browsing" due to decryption, but the port is still 443. You're using application-default as the service for the first rule (and I'm assuming "web-browsing" is included in that filter) so that would only match if web was on 80, but I'm guessing that you have port 443 included in the "service-web" service group on the other rule, and "web-browsing" included in "web-services".

L2 Linker

Re: SSL decryption using incorrect security policy

I think you may be correct, sir.  I'll give it a try here shortly and let you know.

Edit: That was it.  Thanks!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!