WSA decryption policy issue

liban.houssein
Level 1

Hi, 

I created an Identity policy for my wired and wireless VLAN, HQ_Networks. I have an access policy for my company, HQ_Access_Policy, and a decryption policy, HQ_Decryption_Policy.

For a test, I blocked a travel URL like "airbnb".

When I check with trace with the HTTP request http://www.airbnb.com from an IP address in the wired or wireless VLAN, it is all OK.

But when I check with trace with the HTTPS request https://www.airbnb.com, everything is OK until it gets to the access policy. It is using an access policy HQ_Decryption_Policy instead of HQ_Access_Policy.

And it is decrypting instead of blocking, because it is not using the right policy, HQ_Access_Policy, which is supposed to block the traffic after my HQ_Decryption_Policy has decrypted it.

Please check the attached screenshots.

[Attached screenshots: Capture d’écran (1296).png, Capture d’écran (1297).png]

1 Reply

opryluts
Cisco Employee

Hi Liban,

That's how HTTPS inspection works. Basically, for HTTPS traffic whose destination is supposed to be decrypted, we have at least two transactions for the request:

1. HTTP CONNECT

2. HTTP GET (or another application-layer request)

So for the first one, you'll see the decryption policy instead of the access policy, since WSA decided to decrypt the traffic (that's the actual action applied to that transaction).

For the second transaction, after decryption, you'll see the actual access policy applied by WSA.

So for decrypted traffic we have two stages: decryption and access policy. If you check the access logs for the airbnb traffic, you'll see that.


Please vote for the comment if you find it helpful.
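As an added example (not part of the original thread, and not Cisco's code), the Python script below reads WSA-style accesslog lines and pairs each CONNECT transaction with the decrypted request that follows it from the same client to the same host, so the two stages the reply describes (decryption policy on the CONNECT, access policy on the decrypted GET) show up side by side. The sample log lines are constructed to approximate the WSA accesslog layout; only the fields the parser reads (client IP, method, URL, and the hyphen-delimited ACL decision tag with its policy group and identity names) follow the real format, and the trailing scanning-verdict field is abbreviated to `<...>`. The policy names HQ_Decryption_Policy, HQ_Access_Policy and HQ_Networks are taken from the question. The parser assumes policy and identity names contain no hyphens.

```python
import re

# Constructed sample lines that approximate the WSA accesslog layout. The
# fields this script reads (client IP, method, URL, ACL decision tag) follow
# the real format; the trailing scanning-verdict field is abbreviated to "<...>".
# Sequence: an http:// request blocked outright, a CONNECT that the
# decryption policy decrypts, the decrypted GET that the access policy blocks,
# and a CONNECT to another host that is passed through undecrypted.
SAMPLE_ACCESSLOG = """\
1700000000.101 45 10.10.20.15 TCP_DENIED/403 1460 GET http://www.airbnb.com/ - NONE/- - BLOCK_WEBCAT_11-HQ_Access_Policy-HQ_Networks-NONE-NONE-NONE-DefaultGroup <...> -
1700000001.215 120 10.10.20.15 TCP_CLIENT_REFRESH_MISS/200 0 CONNECT tunnel://www.airbnb.com:443/ - DIRECT/www.airbnb.com - DECRYPT_WEBCAT_7-HQ_Decryption_Policy-HQ_Networks-NONE-NONE-NONE-DefaultGroup <...> -
1700000001.340 52 10.10.20.15 TCP_DENIED/403 1460 GET https://www.airbnb.com/ - NONE/- - BLOCK_WEBCAT_11-HQ_Access_Policy-HQ_Networks-NONE-NONE-NONE-DefaultGroup <...> -
1700000002.010 88 10.10.20.15 TCP_MISS/200 0 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - PASSTHRU_WEBCAT_7-HQ_Decryption_Policy-HQ_Networks-NONE-NONE-NONE-DefaultGroup <...> -
"""

# Leading whitespace-separated fields of an accesslog line, up to the ACL tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)"
)


def parse_line(line):
    """Return the fields of one accesslog line, or None if it does not parse.

    The ACL decision tag looks like
    DECRYPT_WEBCAT_7-HQ_Decryption_Policy-HQ_Networks-...: the first
    hyphen-delimited part carries the action, the second the policy group
    that produced it, the third the identity. Assumes policy and identity
    names contain no hyphens.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["acl"].split("-")
    rec["action"] = parts[0].split("_")[0]  # DECRYPT, BLOCK, PASSTHRU, ...
    rec["policy"] = parts[1] if len(parts) > 1 else ""
    rec["identity"] = parts[2] if len(parts) > 2 else ""
    return rec


def host_of(url):
    """Host part of tunnel://host:443/ or https://host/ style URLs."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else url


def trace_https(log_text):
    """Pair every CONNECT with the decrypted request that follows it.

    For each CONNECT transaction, record the decryption-policy decision. If
    that decision was DECRYPT, look forward for the next https:// request
    from the same client to the same host and record the access-policy
    decision applied to it. Pass-through and drop decisions have no second
    stage, so their request fields stay None.
    """
    txns = [t for t in (parse_line(l) for l in log_text.splitlines()) if t]
    stages = []
    for i, t in enumerate(txns):
        if t["method"] != "CONNECT":
            continue
        host = host_of(t["url"])
        stage = {
            "client": t["client"], "host": host,
            "connect_action": t["action"], "connect_policy": t["policy"],
            "request_method": None, "request_action": None, "request_policy": None,
        }
        if t["action"] == "DECRYPT":
            for nxt in txns[i + 1:]:
                if (nxt["client"] == t["client"] and nxt["method"] != "CONNECT"
                        and nxt["url"].startswith("https://")
                        and host_of(nxt["url"]) == host):
                    stage["request_method"] = nxt["method"]
                    stage["request_action"] = nxt["action"]
                    stage["request_policy"] = nxt["policy"]
                    break
        stages.append(stage)
    return stages


def describe(stage):
    """One-line summary of the two stages for a CONNECT."""
    text = "%s -> %s CONNECT: %s by %s" % (
        stage["client"], stage["host"], stage["connect_action"], stage["connect_policy"])
    if stage["request_action"]:
        text += "; decrypted %s: %s by %s" % (
            stage["request_method"], stage["request_action"], stage["request_policy"])
    return text


if __name__ == "__main__":
    for s in trace_https(SAMPLE_ACCESSLOG):
        print(describe(s))
```

Run against a real accesslog export, the same pairing makes the trace result in the question readable: the CONNECT line names HQ_Decryption_Policy with a DECRYPT action, and the next https:// line for that host names HQ_Access_Policy with the BLOCK action, which is the behaviour the reply describes.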