HTTPS Inspection on Locally Managed 700/910/1400/1200R appliances
Table of Contents
This article outlines some recommendations and best practices for easy HTTPS Inspection deployment and use in locally managed SMB appliances.
HTTPS inspection is supported in locally managed 700/1400/1200R appliances since R77.20.70.
To enable SSL inspection on your device, go to Access Policy -> SSL Inspection page, and choose one of the following options:
When SSL traffic inspection is configured, Security gateway performs an inspection on outbound traffic over HTTPS protocol. Default ports for HTTPS inspection:
To add additional ports for HTTPS inspection, go to Users & Objects -> Services -> HTTPS service settings or find the parameter Additional HTTPS ports in the Device -> Advanced Settings page for additional proxy ports.
An administrator may want to bypass certain categories or networks from SSL traffic inspection based on the following considerations. The common ones are presented in the policy page to simplify configuration.
- Regulation / Privacy - Some countries may forbid SSL inspection for categories such as Finance, Government and Health. There may be privacy and legal regulations on the use of this feature depending on the country in which you are located. Review your local laws and regulations.
- Deployment - A Host that did not install the Gateway's CA as trusted might experience connectivity issues. This might be a common scenario with hosts behind a guest wireless network for example, which is why those are bypassed by default.
Note: only a network assigned to Separate network will be bypassed.
- Performance - You can bypass categories like streaming to reduce performance impact.
- Well known update services - The gateway includes build-in well known update services that are considered safe. The default policy is to bypass traffic to those services.
Bypass policy can be based on categories and custom applications. It is not possible to base bypass policy and exceptions on specific built in applications (from Application & URL filtering service updates).
To add additional categories to bypass due to various considerations like the ones mentioned above, select the desired categories in Bypass other categories and sites in the Policy page.
To configure a manual exception to bypass a specific source/destination/port, add an exception in the Exceptions page.
Note: when using custom applications in bypass policy (and exceptions) the URLs used to define the application should be based on information from the certificate, which is not always consistent with the URL used to reach the website in the browser. Refer to sk113935 for more details.
The same applies for custom applications used in access policy rules when HTTPs categorization is configured instead of SSL traffic inspection.
Manual exceptions can be configured if there is a need to bypass a specific source/destination/service from SSL traffic inspection (for bypass of categories or specific custom application, use Bypass other categories and sites mentioned above).
When configuring manual exceptions service should be set to a specific custom service or HTTPS and not to Any to avoid additional performance impact (of performing SSL inspection related operations on all ports).
Note: certificate warning may appear even for traffic that was configured to be bypassed if you have a manual exception for category in the Exceptions page
To avoid connectivity issues and warnings on inspected connections, all hosts behind the gateway must install the gateway CA certificate.
Certificate installation varies according to the OS. To learn how to install the certificate in your machine, see your OS vendor instructions.
On Windows PC:
- Download the CA certificate from the Web UI and install it manually in every host.
- Click the file and follow the Wizard instructions to add the certificate to the Trusted Root Certification Authorities repository. (This is not the default repository in the Certificate Import Wizard.)
To distribute the certificate to a large group of users, use GPO or group policy.
Installing CA on mobile phones might not apply to some of the installed applications that use their own trusted CAs repository. In such a case, you must add a bypass exception to avoid connectivity issue.
SSL inspection uses the existing internal CA by default. To use your own certificate, you must replace the internal CA.
To replace the internal CA:
- Go to Device -> Certificates -> Internal Certificate
- Click the "Replace Internal CA" button to upload a CA certificate file that includes the private key to be used by the gateway to sign certificates with the uploaded CA.
- Enter the private key password that was used when the CA was created.
To check if SSL traffic is inspected or bypassed, it is advised to check the two check-boxes:
- Enable inspect logs
- Enable bypass logs
Note: by default those checkboxes are disabled to avoid excessive logs. They are usually not needed and should only be used when troubleshooting SSL inspection related issues since allow/block logs will be generated by the relevant blades for SSL traffic regardless of this configuration.
Note: some guidelines in the related solutions may be different for locally managed SMB appliances.