  1. #1
    Untanglit
    Join Date
    Aug 2019
    Posts
    20

    SSL Inspector IGNORED sessions

    My understanding is that IGNORED sessions in SSL Inspector are essentially allowed through unchanged as if the SSL Inspector were turned off - Is this accurate?

    If so, any ideas why sites like HBO, Netflix, etc. will work with SSL Inspector turned off but then fail with SSL Inspector turned on but those same sites set to IGNORE?

  2. #2
    Untangler
    Join Date
    Jul 2018
    Posts
    32

    Some sites which require TLS 1.3 can't have their traffic inspected at all and you may need to create 'ignore' rules for those sites. Before doing that, be sure that the device you're testing from has had the NGFW's root certificate authority installed and that there's nothing missing from the certificate itself.

    To install the root CA, download it from Config > Administration > Certificates or point the device's browser to https://internal_interface_IP/cert

    To verify that the certificate is correct (and fix it if it isn't), refer to this article: Regenerating the SSL Server Certificate on NGFW

  3. #3
    Untanglit
    Join Date
    Aug 2019
    Posts
    20

    Thanks @gravenscroft - server cert regen did the trick. Really appreciate the help and so far, Untangle seems to be a pretty amazing piece of software... Thanks again...

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,119

    Beware though... TLS 1.3 was at 33% adoption last year, I have no illusion that's slowed down. So every day that goes by... there's one more site that can't be inspected.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untanglit
    Join Date
    Aug 2019
    Posts
    20

    Thanks @sky-knight - and actually, I spoke too soon. While a couple of the sites did end up working, several others such as Amazon Prime, Hulu, etc., still fail despite having IGNORE rules for them. But, as soon as I turn off SSL Inspector, the issue goes away.

    I read that several folks who have encountered this same issue opted to have their streaming device skip SSL Inspector altogether but my issue is via web-browser and as such, there is a lot of non-streaming related traffic that we would like to inspect.

    So I'm wondering if there are some issues with IGNORE sessions...
