01-28-2016 08:51 AM
WSA S380 v9.0.1-135
I have an identity profile for guest users, "Guest", and it is exempt from authentication. Membership is defined by subnets. This works as designed and just fine.
I want to exempt the traffic matching this identity profile from decryption, basically allowing it to pass through, but so far I have not been able to get it to work. I may be missing something. Here is what I have done so far.
1. HTTPS Proxy is enabled
2. Created a decryption policy and set the policy membership based on the "Guest" identity profile.
3. URL filtering is set to match the "Global Policy", in which all categories are set to "Monitor"
4. Web Reputation is "Disabled"
5. Default Action is set to "Pass Through"
Based on #5 above, I expect the traffic to be allowed to pass through. That is not the case though. A test using this configuration shows that the correct identity profile is applied and the correct decryption policy is applied as well, but decryption still occurs. Furthermore, test and policy traces show the access policy applied is the decryption policy applied, which I think is strange. Why would a decryption policy be applied as an access policy?
TIA for any guidance.
-Carlos
01-31-2016 08:54 PM
Hello Carlos,
The default action will only be applied if the WSA could not match anything in your URL filtering and Web Reputation. In your current settings, you only need to create a custom category, add it to your decryption policy, and then set it to "Pass Through".
Hope it helps.
01-31-2016 03:23 PM
Hi Carlos,
Can you share the accesslogs for that traffic, to see the action tag from the logs?
I also suspect that in the HTTPS page (Security Services -> HTTPS proxy) you have decryption options enabled, such as decrypt for application detection, etc., that will decrypt the traffic first before the decryption policy is applied.
Regards,
Handy
02-01-2016 06:36 AM
Thanks for the response. With some help from technical support, I learned that for decryption policies, the filter will apply the URL filtering and Application decryption policies before the Default action, so I configured the URL filtering to pass through the desired URL categories.