
Identity Policies and URL Category

FredrikW73
Level 1

If I go into this settings page on the WSA: Web Security Manager/Identification Profiles/<specific profile>/Membership Definition, I find this statement at the bottom:

"The advanced options may be protocol-specific. For instance, user agent strings are applicable only for HTTP and decrypted HTTPS. Similarly, URL Categories, including Custom URL Categories, are not applicable for transparent HTTPS (unless decrypted). When advanced options that do not apply to a protocol are selected, no transactions in that protocol will match this Identity, regardless of the protocol selection above."

Why are URL Categories not applicable? It is perfectly fine to match on URL Category in the Decryption Policies; why is this not OK in the Identification Policies?

2 Replies

It's poorly written; note the piece in parentheses... "(unless decrypted)"

If you aren't decrypting, it can't see them to add them to an Identity which then has policies applied to it...

So if you're going to use URL categories to apply policies to, you'll want encryption enabled.

"If you aren't decrypting, it can't see them to add them to an Identity which then has policies applied to it..."

But you do not have to decrypt the request to find out the URL category of the destination.

You can use the SNI and CN (in server cert) from the TLS handshake to identify the destination.

That is why the Decryption Policy can take a decision to decrypt or not based on the URL category even before decrypting. Why is the Identification Profile decision any different?
