SSL inspection - excluding a website from ssl inspection
Hi @phphil
The reason for this situation should be that the server is working on an unsupported cipher suite.
So SSL inspection is unable to exclude it.
Currently we know that "AESGCM" is not supported in 4.38, but it will be supported in a future release this year.
To make sure which cipher suite is working on the server, you can capture the packets and find the "Server Hello" packet.
It will list which cipher suite is working.
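The "Server Hello" check described above, as an added example that is not part of the original thread and not Zyxel's tooling: a small Python parser that takes the raw bytes of the TLS record the server sends back after the ClientHello (what a packet capture labels "Server Hello") and reports the negotiated cipher suite, flagging the AES-GCM suites the thread is about. It also reads the supported_versions extension so TLS 1.3 sessions report 0x0304 rather than the legacy 0x0303. The `build_server_hello` helper only constructs sample records for the demonstration (not captured traffic), and the cipher suite table is an assumed subset of the IANA registry.

```python
import struct

# Subset of the IANA TLS cipher suite registry (assumption: only the suites
# needed for this demonstration; a real tool would carry the full list).
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello and return the negotiated suite.

    The record is the payload the server sends back right after the
    ClientHello, i.e. what a packet capture shows as "Server Hello".
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hs[0:2])[0]  # legacy_version (0x0303 even for TLS 1.3)
    pos = 2 + 32                               # skip legacy_version and server random
    sid_len = hs[pos]
    pos += 1 + sid_len                         # skip legacy_session_id_echo
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                               # cipher_suite and compression_method

    # TLS 1.3 carries its real version in the supported_versions extension.
    if len(hs) >= pos + 2:
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2 and pos + 2 <= end:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen

    name = CIPHER_SUITES.get(suite, f"unknown(0x{suite:04X})")
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name,
        "is_gcm": "GCM" in name,  # the AESGCM case discussed in the thread
    }


def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record (sample data for the demo, not a capture)."""
    server_random = bytes(range(32))
    hs = struct.pack("!H", 0x0303) + server_random + b"\x00"  # empty session id
    hs += struct.pack("!H", suite) + b"\x00"                  # suite, null compression
    if tls13:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        hs += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0303, len(body)) + body


if __name__ == "__main__":
    for sample in (build_server_hello(0xC02F), build_server_hello(0xC014),
                   build_server_hello(0x1301, tls13=True)):
        info = parse_server_hello(sample)
        print(f"TLS 0x{info['version']:04X}  {info['name']}  gcm={info['is_gcm']}")
```

To use it against a real capture, export the bytes of the server's first handshake record from the capture tool and pass them to `parse_server_hello`; a result with `is_gcm` set is the situation the reply above describes, where the site has to be bypassed rather than inspected until the firmware adds AES-GCM support.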
Many thanks for your reply, it was very helpful.
I was able to capture the "Server Hello" and indeed the GCM is there.
So this is an issue on the ZyWALL firmware?
Is there anything I can do in order to enable SSL inspection AND allow this specific website to work correctly, without losing security everywhere?
I would really avoid touching the following parameters:
Hi @phphil
The SSL inspection function exchanges the certificate between server and client after the TCP three-way handshake.
But some servers support QUIC, which works on UDP 443.
You can drop UDP 443 with a policy control rule to prevent the web traffic from being forwarded to the client without SSL inspection protection.
AESGCM will be supported in a future release this year.
"You can drop UDP 443 with a policy control rule to prevent the web traffic from being forwarded to the client without SSL inspection protection."
I'm sorry, I'm not really understanding. I should create a Configuration > Security Policy > Policy Control rule with action=deny for requests leaving our network and going to this specific website?
But we already have a similar rule which drops all connections on UDP 443 in order to disable the QUIC protocol, so why doesn't it allow traffic on this website when SSL inspection is on?
Thank you and best regards
Hi @phphil,
You can add one policy to bypass those unsupported cipher suite sites, and move this rule to priority one.
In this way, there is no need to change the SSL inspection profile settings.
e.g. Create a security policy and move it to priority 1.
From : LAN
To : any
Source : any
Destination: Apply unsupported cipher suite site FQDN object group
Action : allow