HTTPS Inspection logs are misleading
Symptoms
  • HTTPS Inspection logs show action as "Bypass", but in the HTTPS Inspection rule-base the action is "Inspect".

  • In the HTTPS Inspection log, the "Action" field indicates which action was actually performed on the connection. In some circumstances, there can be a mismatch between the action in the log and the action in the matched rule.

    For example: a connection was matched on a rule with action "Inspect", but the connection is in exception on all blades defined on the matched rule, so the action actually performed was "Bypass".

Cause

HTTPS Inspection rulebase execution consists of two steps:

  1. Matching the connection against the rulebase
  2. Calculating the action that should be performed

The calculation takes into account the matched rule, the blades defined on the matched rule, and exceptions. It is therefore possible for the matched rule to require INSPECT while Step 2 changes the action to BYPASS.

In such a case, the HTTPS Inspection log is sent with data from the matched rule, but the action in the log is BYPASS.

Example of such a scenario: The administrator has defined one rule in the HTTPS Inspection Policy - "Any Any https Inspect IPS Log" - and added the 10.1.1.0/24 network to Network Exceptions in the IPS blade. A user whose IP is 10.1.1.2 browses to an HTTPS site.

HTTPS Inspection Rulebase execution:

  1. The connection was matched to the rule with action INSPECT
  2. IPS is the only active blade on the matched rule, but the connection is in exception for the IPS blade; therefore, the updated action is BYPASS.

Performed action: SSL is not terminated, and an HTTPS Inspection log is sent with data from the matched rule but with the BYPASS action.
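
The two-step evaluation described above can be modelled in a few lines to see why the logged action differs from the rule's action. This is an added illustration, not Check Point code; the Rule class, the function names, and the exception table are assumptions, and only source-network exceptions are modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str        # source network the rule matches ("0.0.0.0/0" = Any)
    action: str     # action configured on the rule: "INSPECT" or "BYPASS"
    blades: tuple   # blades defined on the rule

# Constructed policy and exceptions mirroring the article's scenario.
RULEBASE = [Rule("Any Any https Inspect IPS Log", "0.0.0.0/0", "INSPECT", ("IPS",))]
EXCEPTIONS = {"IPS": ["10.1.1.0/24"]}   # per-blade network exceptions

def _contains(network, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network)

def match_rule(src_ip, rulebase=RULEBASE):
    """Step 1: return the first rule whose source matches the connection."""
    return next((r for r in rulebase if _contains(r.src, src_ip)), None)

def effective_action(rule, src_ip, exceptions=EXCEPTIONS):
    """Step 2: INSPECT becomes BYPASS when the connection is in exception
    on every blade defined on the matched rule."""
    excepted = [any(_contains(n, src_ip) for n in exceptions.get(b, []))
                for b in rule.blades]
    if rule.action == "INSPECT" and excepted and all(excepted):
        return "BYPASS"
    return rule.action

def log_record(src_ip, rulebase=RULEBASE, exceptions=EXCEPTIONS):
    """Build the log: matched-rule data plus the action actually performed."""
    rule = match_rule(src_ip, rulebase)
    if rule is None:
        return None
    action = effective_action(rule, src_ip, exceptions)
    return {"src": src_ip, "rule": rule.name, "rule_action": rule.action,
            "action": action, "mismatch": action != rule.action}

if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.2.0.5"):
        print(log_record(ip))
```

When reviewing such logs, a record whose "mismatch" value is true points to a blade exception that covers the connection, not to a wrong rule match.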

