SSL decryption only on URL filtering blocked sites

draganzec
Level 1

Hi,

We made a URL filtering rule (to block some URL categories) and set an HTTP response page, and it is working OK.

But in order to show users a response page when they are blocked from accessing an HTTPS site, SSL decryption needs to be activated (so the manual says).

We decided not to use SSL decryption due to the impact on traffic speed, but nevertheless we would like an HTTPS response page.

Is there an option to activate SSL decryption only on URLs that are in our URL filtering block rule?

As far as I understand, if we block a URL with URL filtering, it won't even come to the SSL decryption part.

Thank you.

Br,

Dragan

5 Replies

yogdhanu
Cisco Employee

Hi,

SSL decryption has to be configured to show a block page for HTTPS sites.

SSL decryption would happen first and then the URL filtering rule would be applied. If you are concerned with performance, you can create a rule with specific URL categories (which are supposed to be blocked) in the SSL policy to be decrypted, and all the rest goes to the default rule, which is to not decrypt.

Thanks

yogesh

Hi,

Thanks for replying.

We did create a rule with specific URL categories (which are supposed to be blocked) in the SSL policy to be decrypted and applied this SSL policy to the main Access Control policy.

But decryption was applied to all users on the network and cut our HTTPS traffic, even though we put only one IP address of a test PC inside networks inside the SSL policy settings.

Br,

Dragan

I'm interested in doing this too and have a ticket open with the TAC, but they cannot figure this out. Do you know of any documentation or examples in doing this?

I have an ACL created today that blocks access to "Personal Storage", for example.

Personal Storage sites (for example http://box.com and https://www.box.com). When you go to the HTTP site I deliver an HTTP block page. Nice!

I then tried to add an SSL policy from my ACL policy and deploy, but it will not deploy. My SSL policy is very simple and calls for re-sign of the cert using certs from our CA.

I'm trying to find any documentation or examples from a working setup on how the SSL policy should be set up. The online documentation is horrible.

Thanks for any feedback.

Hi,

unfortunately I must agree with you regarding online documentation.

We are still not able to resolve this issue and still have only HTTP response set.

Br,

Dragan

We are facing a similar issue. We configured SSL decryption for the URL filtering of the HTTPS sites, but the behavior is very weird. The same user is able to open site-a using IE and gets blocked using Chrome. For a few other sites, it's vice versa. We are having second thoughts about whether buying Firepower was a wise decision.

Please advise.

Regards

Saif
