Despite the fact that I've blocked *.logmein.com and the logmein application, I'm still seeing traffic permitted to logmein.com. On inspecting the traffic log details, I can see that the traffic is being identified in 2 ways:
06/21 13:07:59 THREAT url ssl block-url URL Default Severity: informational Category: Blocked sites URL: *.app03-10.logmein.com/
06/21 13:09:51 TRAFFIC end ssl allow URL Default Bytes: 8630 Packets: 18
Is this because I've got SSL permitted and APP beats URL? I'd expect traffic to be denied if any part of it was being blocked, but this does not appear to be the case.
I'm thinking that SSL Decryption is the only option to stop this traffic as the logmein application is encrypted, or an explicit deny for SSL to loginme.com.
Is this correct?
The rules are applied in a top-down fashion, so if traffic matches an allow rule before getting to the deny rule, there will be no further matches. Except, of course, if the application or application function changes.
SSL Decryption does happen before the Security Policies are applied, so if the application is inside HTTPS, it will get matched correctly (assuming all other parameters are set correctly for the SSL decrypt to happen).
Just as a note, in case you are using the service column as well - when decrypting, you'll still see port 443 in the logs since this does not change.
Hope this helps?
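A small model of the first-match rule evaluation and the App-ID change after decryption that the answer describes, added here as an illustration and not code from this thread or from Palo Alto Networks; the rule names, the "blocked-sites" category and the host-to-application mapping are constructed assumptions, not real App-ID signatures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: frozenset                               # App-IDs; {"any"} matches everything
    categories: frozenset = frozenset({"any"})    # URL categories; {"any"} matches everything


@dataclass(frozen=True)
class Session:
    app: str        # App-ID as currently identified by the firewall
    category: str   # URL category of the destination host (from the SNI when undecrypted)


def match(rules, session):
    """Top-down, first-match evaluation: the first rule whose App-ID and URL
    category both match decides the session; later rules are never consulted."""
    for rule in rules:
        app_ok = "any" in rule.apps or session.app in rule.apps
        cat_ok = "any" in rule.categories or session.category in rule.categories
        if app_ok and cat_ok:
            return rule.name, rule.action
    return "interzone-default", "deny"            # implicit default deny


def categorize(host):
    # Constructed stand-in for a custom URL category covering *.logmein.com
    return "blocked-sites" if host == "logmein.com" or host.endswith(".logmein.com") else "unknown"


def evaluate(rules, host, decrypt):
    """Undecrypted TLS is only ever identified as 'ssl'. With decryption the inner
    application becomes visible (modelled here from the host name) and the policy
    lookup is re-run with the new App-ID, which is the 'application changes' case."""
    session = Session(app="ssl", category=categorize(host))
    name, action = match(rules, session)
    if not decrypt or action == "deny":
        return name, action
    inner = "logmein" if session.category == "blocked-sites" else "web-browsing"
    return match(rules, Session(app=inner, category=session.category))


# Constructed rulebase in the order the poster implies: a broad allow for ssl
# sits above the explicit deny for the logmein application, so it always wins.
ALLOW_FIRST = [
    Rule("Default", "allow", frozenset({"ssl", "web-browsing"})),
    Rule("Block-LogMeIn", "deny", frozenset({"logmein"})),
]
# The poster's alternative: an explicit deny for ssl to the logmein.com category,
# placed above the broad allow so first-match reaches it even without decryption.
DENY_FIRST = [
    Rule("Block-LogMeIn-SSL", "deny", frozenset({"ssl", "logmein"}), frozenset({"blocked-sites"})),
    *ALLOW_FIRST,
]
```

Running `evaluate(ALLOW_FIRST, "app03-10.logmein.com", decrypt=False)` returns the allow from "Default", while the same host with `decrypt=True`, or against `DENY_FIRST`, is denied.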