01-27-2022 06:28 AM
From what I can tell there are three methods to exclude traffic from decryption:
1) Custom URL Category - Requires a Commit to the device group when adding URLs
2) SSL Decryption Exclusion List - Must be added to each Firewall template and then Commit
3) External Device List - edit text file on external server
Seems to me that the EDL is the best/easiest way to quickly exclude URLs as it can be done on the fly and without a Commit.
Please correct me if I'm missing something and also looking for how other folks are doing this.
Thank you,
01-27-2022 07:58 AM
I guess it really depends on how often you are updating the exclusion list and how fast you need that list to populate. An EDL is faster to update and is going to work fine in the majority of cases, but you better have a redundant system to service that EDL behind a load balancer to keep everything working. You wouldn't want the system servicing this list to go down and remove all of the exceptions you have created.
I generally have both a permanent exception list configured as custom URL categories, and then an EDL configured for temporary exclusions for each organizational group. This way the permanent exclusions are directly linked in the configuration itself and I don't have to worry about the EDL servicer going down and the cache clearing, but I can still quickly add an exception when one is needed. The EDL clears each entry after 48 hours, while the custom URL listings are all considered a permanent or long-term exception.
No one way is really the "correct" way and they all have some considerations to take into account. Generally though my EDL lists are actually dynamic entries that won't stick around long-term, but temporary things. That doesn't mean that anyone using an EDL for all of their decryption exclusions are wrong, it's just not how I've decided to do things. Either method works without issue, the EDL method just has some additional considerations you have to account for.
01-27-2022 07:58 AM
I guess it really depends on how often you are updating the exclusion list and how fast you need that list to populate. An EDL is faster to update and is going to work fine in the majority of cases, but you better have a redundant system to service that EDL behind a load balancer to keep everything working. You wouldn't want the system servicing this list to go down and remove all of the exceptions you have created.
I generally have both a permanent exception list configured as custom URL categories, and then an EDL configured for temporary exclusions for each organizational group. This way the permanent exclusions are directly linked in the configuration itself and I don't have to worry about the EDL servicer going down and the cache clearing, but I can still quickly add an exception when one is needed. The EDL clears each entry after 48 hours, while the custom URL listings are all considered a permanent or long-term exception.
No one way is really the "correct" way and they all have some considerations to take into account. Generally though my EDL lists are actually dynamic entries that won't stick around long-term, but temporary things. That doesn't mean that anyone using an EDL for all of their decryption exclusions are wrong, it's just not how I've decided to do things. Either method works without issue, the EDL method just has some additional considerations you have to account for.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
