Passthrough without Decryption Setup

san.carlos
Level 1

WSA S380 v9.0.1-135

I have an identity profile for guest users, "Guest", and it is exempt from authentication. Membership is defined by subnets. This works as designed and just fine.

I want to exempt the traffic matching this identity profile from decryption, basically allowing it to pass through, but so far I have not been able to get it to work. I may be missing something. Here is what I have done so far.

1. HTTPS Proxy is enabled

2. Created a decryption policy and set the policy membership based on the "Guest" identity profile.

3. URL filtering is set to match the "Global Policy", in which all categories are set to "Monitor"

4. Web Reputation is "Disabled"

5. Default Action is set to "Pass Through"

Based on #5 above, I expect the traffic to be allowed to pass through. That is not the case though. A test using this configuration shows that the correct identity profile is applied and the correct decryption policy is applied as well, but decryption still occurs. Furthermore, test and policy traces show the access policy applied is the decryption policy applied, which I think is strange. Why would a decryption policy be applied as an access policy?

TIA for any guidance.

-Carlos

1 Accepted Solution


Tao Yang
Cisco Employee

Hello Carlos,

The default action will only be applied if WSA could not match any in your URL filtering and Web Reputation. In your current settings, you only need to create a custom category and then add it into your decryption policy and then set it as "Pass Through".

Hope it helps. 


3 Replies

Handy Putra
Cisco Employee

Hi Carlos,

Can you share the accesslogs for that traffic, to see the action tag from the logs?

I also suspect that in the HTTPS page (Security Services -> HTTPS proxy) you have decryption options enabled, such as decrypt for application detection, etc., that will decrypt the traffic first before the decryption policy is applied.

Regards,

Handy

Thanks for the response. With some help from technical support, I learned that for decryption policies, the filter will apply the URL filtering, Application decryption policies before the Default action, so I configured the URL filtering to pass-through the desired URL categories.
