Troubleshoot DPI-SSL connections
Arkwright
All-Knowing Sage ✭✭✭✭
There are lots of ways to enable or disable DPI-SSL for any given connection: zone-level, object include/exclude in DPI-SSL settings, and access rules.
How can I work out if any given connection is inspected? I am trying to troubleshoot a scenario where a connection should not be inspected but screenshots from the customer show the firewall's DPI cert.
Category: High End Firewalls
Answers
"How can I work out if any given connection is inspected?"
IIRC the UI doesn't provide any indicator of DPI-SSL in the connection monitor or elsewhere unfortunately, so it really becomes a manual process.
Work your way from the Zone setting, to access rules, to exclusions. Temporarily disable DPI-SSL at each step and verify the functionality changes with the end user.
That's probably as good as it's gonna get.
I typically go to the DPI-SSL page, then go to the tab "Common Name", and then hit "show connection failures". From the list, I can then exclude specific URLs from DPI.
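A client-side way to check the same thing the customer's screenshots show, as an added example that is not part of the original posts or any vendor tooling: read the issuer of the certificate each destination presents and compare it with what the policy intends. `DPI_CA_CN`, the host names and the function names are assumptions; set `DPI_CA_CN` to the common name of the re-signing CA configured on your firewall.

```python
import socket
import ssl

# Assumption: CN of the re-signing CA configured on the firewall's DPI-SSL page.
DPI_CA_CN = "EXAMPLE-DPI-SSL-CA"

def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_inspected(cert, dpi_ca_cn=DPI_CA_CN):
    """True when the leaf certificate was issued by the firewall's DPI-SSL CA."""
    return issuer_cn(cert) == dpi_ca_cn

def fetch_cert(host, port=443, dpi_ca_pem=None, timeout=5):
    """Handshake from the affected client and return the validated leaf cert."""
    ctx = ssl.create_default_context()
    if dpi_ca_pem:  # exported DPI-SSL CA, needed if the OS store lacks it
        ctx.load_verify_locations(cafile=dpi_ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(expected, certs, dpi_ca_cn=DPI_CA_CN):
    """Compare policy intent with what each host's certificate shows.

    expected: {host: True if DPI-SSL should apply, False if excluded}
    certs:    {host: getpeercert() dict}
    Returns [(host, expected, observed, issuer_cn)] for mismatches only.
    """
    out = []
    for host, want in sorted(expected.items()):
        cert = certs[host]
        seen = is_inspected(cert, dpi_ca_cn)
        if seen != want:
            out.append((host, want, seen, issuer_cn(cert)))
    return out

if __name__ == "__main__":
    # Hypothetical host list; replace with the customer's destinations.
    policy = {"excluded.example.com": False, "inspected.example.com": True}
    live = {h: fetch_cert(h) for h in policy}
    for row in audit(policy, live):
        print("MISMATCH host=%s expected=%s observed=%s issuer=%s" % row)
```

Run it on the affected client itself, since zone and access-rule matching depend on where the connection originates.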