Next Generation Firewall (NGFW)


SSL deep inspection requires many exceptions - normal?

  • 1.  SSL deep inspection requires many exceptions - normal?

    Posted Mar 17, 2022 10:17 AM
    Hi,

    We recently enabled SSL deep inspection for HTTPS traffic, and we frequently encounter websites that would not work and need an exemption inside the deep-inspection profile via a wildcard-fqdn object.

    This includes sites like linkedin.com. No problem when adding them via wildcard-fqdn to the exceptions list, or by adding more web-site categories as well.

    Is this normal / expected? It appears we have to exempt a lot of major sites to work with deep inspection... 

    Any comment / hint / best-practice advice is very welcome.

    Carsten


  • 2.  RE: SSL deep inspection requires many exceptions - normal?

    Posted Mar 18, 2022 07:53 AM
    I've encountered the same thing, but the vast majority of sites work fine. I'll whitelist sites like backup services, banking, or other sites that use HSTS, but after a few weeks and getting over the initial hump, I rarely have to make edits.