Views:

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols widely adopted and deployed in network communication today. The traffic over SSL/TLS is encrypted and signed to ensure security, hence HTTPS. Because encrypted HTTPS connections can carry the same risks as unencrypted HTTP connections, Cloud Edge scans all traffic for potential risks and threats.

Cloud Edge can enable or disable HTTPS inspections and exclude specific URL categories from inspection. After the traffic is identified, Cloud Edge determines the appropriate actions for traffic based on specified policy settings. To scan HTTPS traffic, Cloud Edge identifies the SSL connection at the first packet of the SSL handshake, acquires the client IP address information from the session, if available, and then gets the server host name from the handshake record. Traffic will not be decrypted if this information matches any allowed URL categories, websites, or IP addresses in the Cloud Edge exception list.

Note:

HTTPS inspection is performed only on IPv4 traffic. IPv6 traffic is not decrypted and scanned. Cloud Edge passes IPv6 HTTPS traffic through the gateway to endpoints without scanning.

HTTPS traffic on port 443 and 8443 is checked against URL filtering and Web Reputation Services (WRS). If a match is triggered the following happens:

  • If the HTTPS traffic is set to be decrypted, then a notification is sent.

  • Otherwise, no notification is sent.

Traffic will be decrypted if the following is true:

  • HTTPS scanning is enabled.
  • The traffic is not in the HTTPS scan exception list.

Information about HTTPS Inspection is shown in corresponding logs and reports.

Note:
  • If you deploy the Cloud Edge gateway with hardware switch chipset in Bridge Mode, only the High Security intranet security setting supports HTTPS decryption for intranet traffic.

  • With the Balanced and High Speed intranet security settings, intranet HTTPS traffic is not decrypted.

  • All three intranet security settings support HTTPS decryption on the external network.