Configuring HTTPS Profiles

Purpose: Configure HTTPS profiles to identify IPv4 HTTPS traffic and exclude specific URL categories from IPv4 HTTPS inspection.

Location: Policies > SECURITY PROFILES > Security Profiles > HTTPS

  1. Optionally enable the security profile.
  2. Enter up to five custom HTTPS ports as a comma-delimited list.

    The default ports are 443 and 8443. HTTPS traffic with a destination port from this list is decrypted and scanned.

    Important: If you enable secure email (SMTPS, POP3S, and IMAPS) in the email security profile, you cannot enter the ports used for the enabled secure email protocols in the HTTPS ports list as this can cause issues for HTTPS inspection. For example, if you enable SMTPS in the email security profile and use the default SMTPS port (465), you must not enter port 465 in the HTTPS port list.
  3. Enable or disable Smart Bypass by turning Enable Smart Bypass to On or Off.

    • When enabled, if Cloud Edge cannot decrypt website traffic on the first visit, the website is put into an approved list and subsequent traffic in not decrypted and scanned. The web page including pictures and CSS are shown. There is a risk that this might bypass scanning of malicious websites.

    • When disabled (the default), the user can continue to the website by selecting within the browser to trust the Cloud Edge certificate, and then Cloud Edge will display the web page. Pictures and CSS files are not shown.

    • Supported on Cloud Edge 6.0 SP1 and later gateways.

    Note:

    URL Category Exceptions and Source Address Exceptions have higher priority than Auto Smart Bypass.

  4. Configure trust certificate behavior by turning Enable Trust Certificate to On or Off.

    • When disabled (the default), Cloud Edge generates a warning if the secured web site’s server certificate is invalid. A user must select within the browser warning whether to proceed to the website.

    • When enabled, Cloud Edge automatically trusts a certificate even if it is not valid. User will not see the browser warning for invalid certificate and cannot see certificate detail. The user does not have a chance to decide whether to visit the secured website, but always goes to the site without any prompt. It is possible that a user could visit a malicious website and might be infected without notice if Cloud Edge scanning does not find the attack.

  5. Configure URL category exceptions.

    See URL Category Groups.

  6. Click Modify Global Approved List to configure the Approved List.

    See Approved and Blocked Lists.

  7. Configure source address exceptions by adding IPv4 address objects.

    Source address exceptions bypass HTTPS traffic inspection and allow endpoints access to all HTTPS traffic from those addresses.

    Note:

    HTTPS inspection is performed only on IPv4 traffic. IPv6 traffic is not decrypted and scanned. IPv6 HTTPS traffic passes through to the end points without scanning.

  8. Configure device category exceptions.
  9. Click Save.
Parent topic: HTTPS Profiles