SSL Inspector IGNORED sessions


  • SSL Inspector IGNORED sessions

    My understanding is that IGNORED sessions in SSL Inspector are essentially allowed through unchanged, as if the SSL Inspector were turned off. Is this accurate?

    If so, any ideas why sites like HBO, Netflix, etc. will work with SSL Inspector turned off but then fail with SSL Inspector turned on, even with those same sites set to IGNORE?

  • #2
    Some sites which require TLS 1.3 can't have their traffic inspected at all and you may need to create 'ignore' rules for those sites. Before doing that, be sure that the device you're testing from has had the NGFW's root certificate authority installed and that there's nothing missing from the certificate itself.

    To install the root CA, download it from Config > Administration > Certificates or point the device's browser to https://internal_interface_IP/cert

    To verify that the certificate is correct (and fix it if it isn't), refer to this article: Regenerating the SSL Server Certificate on NGFW
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    How can we make Arista ETM products better?
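To tell the two failure causes in the reply above apart (root CA not trusted on the client versus a site that only speaks TLS 1.3 and therefore needs an ignore rule), the following added diagnostic, which is not code from the thread or from the NGFW product, can be run from the client device behind the inspector. It assumes a placeholder INSPECTOR_CA_CN that you replace with the common name of your unit's signing CA.

```python
import socket
import ssl
import sys

# Common name on the NGFW's signing CA (the one served at /cert). Placeholder: set it to what
# Config > Administration > Certificates shows on your unit.
INSPECTOR_CA_CN = "NGFW-ROOT-CA-PLACEHOLDER"

def probe_tls(host, port=443, timeout=5.0):
    """Handshake with host from this device; report negotiated protocol, issuer CN, trust result."""
    out = {"version": None, "issuer_cn": None, "verified": False, "error": None}
    ctx = ssl.create_default_context()  # this device's trust store, so a missing root CA surfaces here
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            out["version"] = tls.version()
            rdns = tls.getpeercert()["issuer"]  # tuple of RDNs, each a tuple of (key, value) pairs
            out["issuer_cn"] = {k: v for rdn in rdns for k, v in rdn}.get("commonName")
            out["verified"] = True
    except ssl.SSLCertVerificationError as exc:
        out["error"] = "untrusted chain: " + exc.verify_message
        ctx.check_hostname = False  # retry unverified only to learn which protocol was negotiated
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                out["version"] = tls.version()
        except OSError as exc2:
            out["error"] += "; retry failed: " + str(exc2)
    except OSError as exc:  # ssl.SSLError is an OSError, so handshake resets land here too
        out["error"] = str(exc)
    return out

def classify(result, inspector_ca_cn=INSPECTOR_CA_CN):
    """Map a probe result to what the SSL Inspector did with the session."""
    if result["verified"] and result["issuer_cn"] == inspector_ca_cn:
        return "inspected"  # NGFW re-signed the leaf and this device trusts its root CA
    if result["error"] and result["error"].startswith("untrusted chain"):
        return "chain rejected: check that the NGFW root CA is installed on this device"
    if result["error"]:
        return "handshake failed: " + result["error"]
    if result["version"] == "TLSv1.3":
        return "passed through on TLS 1.3: cannot be inspected, needs an ignore rule"
    return "passed through"

if __name__ == "__main__":
    for host in sys.argv[1:] or ["example.com"]:  # hostnames to check, e.g. the streaming sites
        res = probe_tls(host)
        print(f"{host}: {res['version']} issuer={res['issuer_cn']} -> {classify(res)}")
```

Run it once with SSL Inspector on and once with the site set to IGNORE; a verified leaf whose issuer is your CA means the session was inspected, while a trusted public issuer on TLSv1.3 means it was passed through.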


    • #3
      Thanks @gravenscroft - server cert regen did the trick. Really appreciate the help and so far, Untangle seems to be a pretty amazing piece of software...Thanks again...


      • #4
        Beware though... TLS 1.3 was at 33% adoption last year, I have no illusion that's slowed down. So every day that goes by... there's one more site that can't be inspected.
        Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
        Phone: 866-794-8879 x201


        • #5
          Thanks @sky-knight - and actually, I spoke too soon. While a couple of the sites did end up working, several others such as Amazon Prime, Hulu, etc., still fail despite having IGNORE rules for them. But, as soon as I turn off SSL Inspector, the issue goes away.

          I read that several folks who have encountered this same issue opted to have their streaming device skip SSL Inspector altogether but my issue is via web-browser and as such, there is a lot of non-streaming related traffic that we would like to inspect.

          So I'm wondering if there are some issues with IGNORE sessions...