inbound ssl decryption - multi cert to single ip


L3 Networker

Hoping to get a little feedback regarding inbound SSL decryption.

We have been doing inbound SSL decryption to our public presence on version 8.0.7.

Things have been going relatively well but I am running into some issues and not sure if I can fix it at the firewall level. Where I am running into issues is when we have multiple certs applied on a load balancer to a single IP which is behind the firewall.

 

Example:

IP address 1.2.3.4 (the following sites all resolve to this single IP address)

decrypt rule 1 = use cert on LB (wildcard cert *.domain.com) to 1.2.3.4

www.domain.com, bob.domain.com, ie.domain.com (all using *.domain.com) - decrypting as expected, no issue

 

decrypt rule 2 = use cert on LB (*.domain1.com) to 1.2.3.4

domain1.com, cars.domain1.com - no decryption happening, traffic logs show session end reason of decrypt-error, no URL traffic logs (for HTTPS; if the site is HTTP, URL logs appear as expected) - but I can get to the website as normal.

 

Also other sites (www.domain3.com, domain4.com, etc.) on this IP 1.2.3.4 with a different domain and no decrypt rule have the same symptoms as decrypt rule 2.

My question is: is there a way to decrypt to a single IP using multiple certs? Also, is there an explanation behind why HTTPS URL logs do not show when decryption errors occur in traffic logs?

All testing has been completed with IE and Chrome.

Cyber Elite

@clewis1,

The rules are all analyzed in a top/down manner; therefore the first decryption policy that matches the source and destination is going to be the decryption policy that is applied. Unless you use the source as a differentiation between the policies, something like this is not going to work.

Thanks @BPry.

I figured the decryption follows the top/down. Do you have any thoughts on why the traffic does not generate any HTTPS URL logs for the unencrypted sites on this host when the decrypt errors occur?

L2 Linker

Add custom URL category (for single domain) in decryption policy.
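The two replies together explain the symptom in the question: with both decryption rules keyed only on destination 1.2.3.4, the first rule wins for every inbound session to that VIP, and its *.domain.com key cannot terminate a session whose SNI is cars.domain1.com or www.domain3.com, which is what the decrypt-error end reason reflects. The following Python model is an added illustration written for this page, not firewall code or a product API: it is a simplified first-match evaluator in which a rule's "URL category" is an assumed stand-in for a custom URL category (a set of FQDNs), the 203.0.113.5 client address is constructed, and the wildcard matching follows the usual one-label rule so that *.domain1.com does not cover the bare name domain1.com.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: 1.2.3.4 is the load balancer VIP from the thread,
# 203.0.113.5 is a documentation-range client address used only here.
LB_VIP = "1.2.3.4"
CLIENT = "203.0.113.5"


def cert_matches_sni(cert_name: str, sni: str) -> bool:
    """Does the certificate name installed on the firewall cover the SNI?

    A wildcard covers exactly one leftmost label: "*.domain1.com" covers
    "cars.domain1.com" but neither the bare "domain1.com" nor "a.b.domain1.com".
    """
    cert_labels = cert_name.lower().split(".")
    sni_labels = sni.lower().split(".")
    if len(cert_labels) != len(sni_labels):
        return False
    for i, (c, s) in enumerate(zip(cert_labels, sni_labels)):
        if c == "*" and i == 0:
            continue
        if c != s:
            return False
    return True


@dataclass(frozen=True)
class DecryptRule:
    name: str
    src: str                      # "any" or a single client address
    dst: str                      # "any" or a single server address
    cert: str                     # certificate/key installed on the firewall
    # Hypothetical stand-in for a custom URL category: the FQDNs the rule
    # applies to. None means the rule matches on source/destination only.
    url_category: Optional[frozenset] = None

    def matches(self, src: str, dst: str, sni: str) -> bool:
        if self.src not in ("any", src):
            return False
        if self.dst not in ("any", dst):
            return False
        if self.url_category is not None and sni.lower() not in self.url_category:
            return False
        return True


def first_match(rules, src, dst, sni):
    """Top-down, first-match evaluation, as the first reply describes."""
    for rule in rules:
        if rule.matches(src, dst, sni):
            return rule
    return None


def simulate(rules, src, dst, sni):
    """Return (rule name or None, outcome) for one inbound TLS session."""
    rule = first_match(rules, src, dst, sni)
    if rule is None:
        return None, "not-decrypted"       # no rule: session passes through
    if cert_matches_sni(rule.cert, sni):
        return rule.name, "decrypted"
    # The selected rule's key cannot terminate this session; the thread's
    # traffic log shows such sessions with session end reason decrypt-error.
    return rule.name, "decrypt-error"


# The thread's original policy: both rules keyed only on the destination VIP.
ORIGINAL_RULES = (
    DecryptRule("rule1", "any", LB_VIP, "*.domain.com"),
    DecryptRule("rule2", "any", LB_VIP, "*.domain1.com"),
)

# Same rules with a per-rule custom URL category, as the last reply suggests.
FIXED_RULES = (
    DecryptRule("rule1", "any", LB_VIP, "*.domain.com",
                frozenset({"www.domain.com", "bob.domain.com", "ie.domain.com"})),
    DecryptRule("rule2", "any", LB_VIP, "*.domain1.com",
                frozenset({"cars.domain1.com"})),
)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for sni in ("www.domain.com", "cars.domain1.com",
                    "domain1.com", "www.domain3.com"):
            print(label, sni, simulate(rules, CLIENT, LB_VIP, sni))
```

With the original rule set every SNI lands on rule1, so anything not covered by *.domain.com ends in decrypt-error, including hosts such as www.domain3.com that have no rule of their own. With a category per rule, cars.domain1.com reaches rule2 and is decrypted, while www.domain3.com matches nothing and passes through undecrypted rather than erroring. The bare name domain1.com is a separate problem: even if it is added to rule2's category, a *.domain1.com certificate does not cover it, so that site needs its own certificate entry on the firewall.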
