Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cryptographic protocols most widely deployed to protect network communication today. HTTPS is HTTP carried over SSL/TLS, so the traffic is encrypted and integrity-protected in transit. Encryption does not remove the risk: an HTTPS connection can carry the same threats as an unencrypted HTTP connection, so Cloud Edge scans all traffic, including HTTPS, for potential risks and threats.
Cloud Edge can enable or disable HTTPS inspection and exclude specific URL categories from inspection. Once the traffic is identified, Cloud Edge determines the appropriate action for it based on the configured policy settings. To scan HTTPS traffic, Cloud Edge identifies the SSL connection at the first packet of the SSL handshake, acquires the client IP address from the session (if available), and then reads the server host name from the handshake record (the Server Name Indication carried in the ClientHello). The traffic is not decrypted if this information matches any allowed URL category, website, or IP address in the Cloud Edge exception list.
Note: HTTPS inspection is performed only on IPv4 traffic. IPv6 traffic is not decrypted or scanned; Cloud Edge passes IPv6 HTTPS traffic through the gateway to endpoints without scanning.
HTTPS traffic on ports 443 and 8443 is checked against URL filtering and Web Reputation Services (WRS). If a match is triggered, the following happens:
- If the HTTPS traffic is set to be decrypted, a notification is sent.
- Otherwise, no notification is sent.
Traffic is decrypted only if both of the following are true:
- HTTPS scanning is enabled.
- The traffic is not in the HTTPS scan exception list.
Information about HTTPS Inspection is shown in corresponding logs and
reports.