Site which should be blocked URLF not being blocked after SSL decryption

L1 Bithead


We are blocking a particular category of URLs (say gambling). When we access the unencrypted site it is blocked as expected. When we add https to the URL and browse we are not blocked.

 

I can see in the logs that access is allowed by the FW, even though it hits a rule with a URLF profile that should block the category. The category for the SSL connection is also correctly listed in the logs indicating that after decryption the site has been identified correctly by URLF.

 

I can confirm that the site is being decrypted because the certificate presented has been signed by the root CA configured in the SSL VPN.

 

Any ideas why this might be the case? Version 6.1.7.

 

Thanks

L4 Transporter

Re: Site which should be blocked URLF not being blocked after SSL decryption

Hey Andrew,

 

Do you mind sharing the website you are browsing to? Or the logs of the issue? I can't say for sure what the cause of the behaviour is at the moment.

 

thanks,

Ben

L1 Bithead

Re: Site which should be blocked URLF not being blocked after SSL decryption

Sure. The web sites are https://www.ladbrokes.com.au and https://www.sportsbet.com.au. Let me hit you up with logs shortly. They don't show much. They just show an allow on the category which should be blocked. They include the rule which is linked to a URLF profile which should block this category.

L1 Bithead

Re: Site which should be blocked URLF not being blocked after SSL decryption

gamblinglog.JPG

 

Log entry.

 

 

L7 Applicator

Re: Site which should be blocked URLF not being blocked after SSL decryption

The action of a security rule will be allow, but the URL filtering log will show the block (if it is blocked). Technically the traffic was allowed, and only when everything was determined would it be blocked.

 

When you click the magnifying glass on that, it should have related logs which include URL filtering logs. Alternatively, you can pull up the same query in the URL filtering logs and it should show you what the verdict was.

 

Cheers,

Greg

L1 Bithead

Re: Site which should be blocked URLF not being blocked after SSL decryption

Problem solved guys. I did a session with support. The traffic wasn't hitting the rule I suspected (I didn't review the log files thoroughly enough).

 

The sites were switching to SSL over port 80. This meant the URL rule that specified Application default did match the SSL traffic on port 80. I had to manually add services for 80 and 443 to the URLF rule to ensure that the site would hit the correct rule.
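
Added illustration, not part of the thread and not vendor code: a simplified Python model of first-match rule evaluation showing how a session identified as SSL on a non-standard port can skip a rule whose service is application-default, and how listing ports 80 and 443 explicitly on that rule changes the match. The rule names, the catch-all allow rule and the default-port table are assumptions made for the example.

```python
# Simplified model of first-match security policy evaluation. Not PAN-OS code.
# Assumed standard ports for the "application-default" service setting.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}

def service_matches(rule, app, port):
    """True if the rule's service setting admits this application/port pair."""
    if rule["service"] == "application-default":
        return port in APP_DEFAULT_PORTS.get(app, set())
    if rule["service"] == "any":
        return True
    return port in rule["service"]          # explicit set of TCP ports

def evaluate(rulebase, app, port, category):
    """Return (rule name, verdict) for the first rule that matches the session."""
    for rule in rulebase:
        if app not in rule["apps"] or not service_matches(rule, app, port):
            continue
        if category in rule.get("urlf_block", set()):
            return rule["name"], "block-url"
        return rule["name"], rule["action"]
    return "default", "deny"

def build_rulebase(web_service):
    # Hypothetical rule names; the catch-all allow rule is an assumption.
    return [
        {"name": "web-with-urlf", "apps": {"ssl", "web-browsing"},
         "service": web_service, "action": "allow", "urlf_block": {"gambling"}},
        {"name": "outbound-any", "apps": {"ssl", "web-browsing", "dns"},
         "service": "any", "action": "allow"},
    ]

# Constructed sessions: (application, destination TCP port)
SESSIONS = [("web-browsing", 80), ("ssl", 443), ("ssl", 80)]

def run(web_service):
    """Evaluate every constructed session against a gambling-category URL."""
    rb = build_rulebase(web_service)
    return {s: evaluate(rb, s[0], s[1], "gambling") for s in SESSIONS}

if __name__ == "__main__":
    for label, svc in [("before", "application-default"), ("after", {80, 443})]:
        for (app, port), (rule, verdict) in run(svc).items():
            print(f"{label:6} {app:12} tcp/{port:<4} -> {rule:14} {verdict}")
```

When auditing a rulebase for this gap, filter the traffic log by the rule name that actually matched rather than by the rule expected to match.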

 

 
