04-18-2018 07:04 AM
Hoping to get a little feedback regarding inbound SSL decryption.
We have been doing inbound SSL decryption to our public presence on version 8.0.7.
Things have been going relatively well, but I am running into some issues and am not sure if I can fix it at the firewall level. Where I am running into issues is when we have multiple certs applied on a load balancer to a single IP which is behind the firewall.
Example:
IP address 1.2.3.4 (the following sites all resolve to this single IP address)
decrypt rule 1 = use cert on LB (wildcard cert *.domain.com) to 1.2.3.4
www.domain.com, bob.domain.com, ie.domain.com (all using *.domain.com) - decrypting as expected, no issue
decrypt rule 2 = use cert on LB (*.domain1.com) to 1.2.3.4
domain1.com, cars.domain1.com - no decryption happening, traffic logs show a session end reason of decrypt-error, no URL traffic logs (for HTTPS; if the site is HTTP, URL logs appear as expected) - but I can get to the website as normal.
Also other sites (www.domain3.com, domain4.com, etc.) on this IP 1.2.3.4 with a different domain and no decrypt rule have the same symptoms as decrypt rule 2.
My question is: is there a way to decrypt to a single IP using multiple certs? Also, is there an explanation for why HTTPS URL logs do not show when decryption errors occur in the traffic logs?
All testing has been completed with IE and Chrome.
04-18-2018 08:57 AM
The rules are all analyzed in a top-down manner; therefore the first decryption policy that matches the source and destination is going to be the decryption policy that is applied. Unless you use the source as a differentiator between the policies, something like this is not going to work.
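The top-down, first-match behaviour described in this reply, as an added Python example (not code from the thread or from the firewall vendor): it models a rulebase whose rules differ only in certificate, not in destination, and checks whether the certificate on the winning rule actually covers each hostname. The rule structure and the "decrypt-error" outcome for a hostname/certificate mismatch are assumptions drawn from the symptoms in the original post.

```python
# Added example: a model of top-down, first-match decryption policy evaluation.
# Not vendor code; the rule/cert layout and the mismatch outcome are assumptions.
from dataclasses import dataclass

@dataclass
class DecryptRule:
    name: str
    dst_ip: str         # the thread's rules only differ in the cert, not in IP
    cert_names: tuple   # subject alternative names on the rule's certificate

def cert_covers(cert_names, hostname):
    """Exact match, or a wildcard that replaces the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def first_match(rules, dst_ip):
    """Top-down evaluation: the first rule matching the destination wins."""
    for rule in rules:
        if rule.dst_ip == dst_ip:
            return rule
    return None

def predict(rules, sites):
    """Map each hostname to 'decrypt', 'decrypt-error' or 'no-rule'."""
    outcome = {}
    for host, ip in sites.items():
        rule = first_match(rules, ip)
        if rule is None:
            outcome[host] = "no-rule"
        elif cert_covers(rule.cert_names, host):
            outcome[host] = "decrypt"
        else:
            outcome[host] = "decrypt-error"   # assumed: wrong cert for this name
    return outcome

# Constructed rulebase mirroring the post: both rules match the same IP.
RULES = [
    DecryptRule("rule1", "1.2.3.4", ("*.domain.com",)),
    DecryptRule("rule2", "1.2.3.4", ("domain1.com", "*.domain1.com")),
]
SITES = {h: "1.2.3.4" for h in ("www.domain.com", "bob.domain.com",
         "domain1.com", "cars.domain1.com", "www.domain3.com")}
```

Running predict(RULES, SITES) returns "decrypt" for the *.domain.com hosts and "decrypt-error" for every other name, including www.domain3.com, which has no rule of its own but is still caught by rule1 because it shares the destination.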
04-19-2018 09:25 AM
Thanks @BPry.
I figured the decryption follows the top-down order. Do you have any thoughts on why the traffic does not generate any HTTPS URL logs for the unencrypted sites on this host when the decrypt errors occur?