APP vs URL

L1 Bithead

Despite the fact that I've blocked *.logmein.com and the logmein application, I'm still seeing traffic permitted to logmein.com. On inspecting the traffic log details, I can see that the traffic is being identified in 2 ways:


06/21 13:07:59  THREAT  url  ssl  block-url  URL Default  Severity: informational Category: Blocked sites URL: *.app03-10.logmein.com/

06/21 13:09:51  TRAFFIC  end  ssl  allow  URL Default  Bytes: 8630 Packets: 18

Is this because I've got SSL permitted and APP beats URL? I'd expect traffic to be denied if any part of it was being blocked, but this does not appear to be the case.

I'm thinking that SSL Decryption is the only option to stop this traffic as the logmein application is encrypted, or an explicit deny for SSL to logmein.com.

Is this correct?

1 REPLY 1

L4 Transporter

Hi Robert,

The rules are applied in a top-down fashion - so if traffic matches an allow rule before getting to the deny rule, there will be no further matches. Except of course, if the application or application function changes.

SSL Decryption does happen before the Security Policies are applied - so if the application is inside HTTPS, it will get matched correctly (assuming all other parameters are set correctly for the SSL decrypt to happen).

Just as a note, in case you are using the service column as well - when decrypting, you'll still see port 443 in the logs since this does not change.

Hope this helps?

Thanks

James
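
The behaviour described in the reply above, as an added example that is not part of the thread and is not Palo Alto Networks code: a simplified model of top-down, first-match rule lookup that is repeated when the identified application changes. The rule names, the rulebase and the assumption that an undecrypted session is only ever identified as `ssl` are constructed for illustration.

```python
# Simplified model of top-down, first-match rule evaluation (not PAN-OS code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset   # application names the rule matches; "any" matches all
    action: str       # "allow" or "deny"


def first_match(rules, app):
    """Return the first rule, top down, whose application set matches."""
    for rule in rules:
        if "any" in rule.apps or app in rule.apps:
            return rule
    return Rule("implicit-deny", frozenset({"any"}), "deny")


def identify(session_app, decrypted):
    """Assumption: without decryption the inner app is seen only as 'ssl'."""
    stages = ["ssl"]
    if decrypted and session_app != "ssl":
        stages.append(session_app)   # application changes once payload is visible
    return stages


def evaluate(rules, session_app, decrypted):
    """Repeat the lookup each time the identified application changes."""
    trail = [(app, first_match(rules, app)) for app in identify(session_app, decrypted)]
    final = trail[-1][1]
    return final.action, final.name, [(a, r.name) for a, r in trail]


# Constructed rulebase; rule names are hypothetical.
ALLOW_FIRST = [
    Rule("allow-web", frozenset({"ssl", "web-browsing"}), "allow"),
    Rule("block-logmein", frozenset({"logmein"}), "deny"),
]
# An "any" allow placed above the deny shadows it regardless of decryption.
SHADOWED = [Rule("allow-all", frozenset({"any"}), "allow")] + ALLOW_FIRST

if __name__ == "__main__":
    for decrypted in (False, True):
        print("decrypted =", decrypted, evaluate(ALLOW_FIRST, "logmein", decrypted))
    print("shadowed deny:", evaluate(SHADOWED, "logmein", True))
```
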
