HTTPS Inspection rulebase execution consists of two steps:
- Matching the connection against the rulebase
- Calculating the action that should be performed
The calculation is based on the matched rule, the blades defined on the matched rule, and exceptions. It is therefore possible for the matched rule to require INSPECT while Step 2 changes the action to BYPASS.
In such a case, the HTTPS Inspection log is sent with data from the matched rule, but the action in the log is BYPASS.
Example of such a scenario: an admin has defined one rule in the HTTPS Inspection Policy, "Any Any https Inspect IPS Log", and added the 10.1.1.0/24 network to Network Exceptions in the IPS blade. A user whose IP is 10.1.1.2 browses to an HTTPS site.
HTTPS Inspection Rulebase execution:
- The connection was matched to the rule with action INSPECT
- IPS is the only active blade on the matched rule, but the connection falls under an exception for the IPS blade, so the updated action is BYPASS.
Performed action: SSL is not terminated, and an HTTPS Inspection log is sent with data from the matched rule but with the BYPASS action.
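
The two-step evaluation above can be modelled in a few lines. This is an added illustration, not the product's code: the `Rule` structure, the field names in the returned log record, and the assumption that INSPECT is downgraded only when every blade on the matched rule is excepted for the source are hypothetical simplifications. It is useful when reviewing logs to see why a BYPASS entry can carry the name of an INSPECT rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    source: str     # CIDR; "0.0.0.0/0" stands in for Any
    action: str     # "INSPECT" or "BYPASS"
    blades: tuple   # blades defined on the rule

# Constructed policy mirroring the scenario in the text.
RULEBASE = [Rule("Any Any https Inspect IPS Log", "0.0.0.0/0", "INSPECT", ("IPS",))]
EXCEPTIONS = {"IPS": ["10.1.1.0/24"]}   # per-blade network exceptions

def match_rule(src_ip, rulebase):
    """Step 1: return the first rule whose source network contains the client."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rulebase:
        if ip in ipaddress.ip_network(rule.source):
            return rule
    return None

def is_excepted(src_ip, blade, exceptions):
    """True when the client IP is inside one of the blade's exception networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in exceptions.get(blade, []))

def calculate_action(src_ip, rule, exceptions):
    """Step 2 (assumed logic): INSPECT becomes BYPASS if no blade still applies."""
    if rule.action != "INSPECT":
        return rule.action
    active = [b for b in rule.blades if not is_excepted(src_ip, b, exceptions)]
    return "INSPECT" if active else "BYPASS"

def evaluate(src_ip, rulebase=RULEBASE, exceptions=EXCEPTIONS):
    """Run both steps; the record keeps the matched rule's data plus the final action."""
    rule = match_rule(src_ip, rulebase)
    if rule is None:
        return None
    action = calculate_action(src_ip, rule, exceptions)
    return {"src": src_ip, "rule": rule.name, "rule_action": rule.action,
            "action": action, "overridden": action != rule.action}

if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.2.0.5"):   # excepted client, non-excepted client
        print(evaluate(ip))
```

Records where `overridden` is true correspond to traffic that the policy appears to inspect but that actually passes without SSL termination, which is worth checking when auditing how broad blade exceptions are.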