Best practice for SSL exceptions


(Lior) #1

Hello everyone,
Any suggestions for best practice of SSL bypass?

Adding a custom category and then adding many entries to it creates a mess which is hard to follow and document… Any ideas for how to best manage this in a way to be organized? Is it not possible to create a super-category and add different categories to that?

The idea here is to be able to create a bypass for url/domain/ip and add a note to its date/usecase/etc…


(Scott Bullock) #2

Hi Lidor,
Here are a few suggestions.

  • where an App needs bypass (e.g. Box, Facebook) use the Cloud App in the
    bypass policy
  • if using a custom cat use the description field in the custom category
    to track the entry (date, CR #, description)


(Lior) #3

Thx Skottie
Unfortunately, can't take any of these suggestions in this use-case…

So you suggest listing all comments under the custom category description? How would the comment refer to the specific entry? Would it need to be listed as well in the comments?

Is it not possible to create a super-category and add different categories to that?


There are 78 predefined categories - could you not broadly exclude ones like finance, travel, vehicles, dining, etc.?

(Lior) #5

…not sure I understand this suggestion. :confused:

Can anyone suggest how this is implemented on your end or on your deployments? Should be a trivial question with a trivial answer… :smiley:

(Nick Morgan) #6

You are correct to say it is not possible to create your own URL Super Category; only categories can be created to fit into existing Super Categories.

Personally I think the cleanest approach to applying custom SSL bypasses is to have a single (or a handful if you want some separation) user-defined category which contains the required URLs, domains and IPs.

For each line item, add the same content into the description and provide your explanation and perhaps a timestamp so you can track why and when a bypass is added.

Certainly I would avoid adding individual URL/domains into the SSL inspection policy page since that will definitely get messy and you cannot add any description there. Better to select categories (and apps if you need to) when bypassing.


(Mike) #7

Are there any functionality differences between performing the exceptions in these two locations? (Custom Category vs. SSL inspection policy page)

(Nick Morgan) #8

No, there will not be any functional difference @MikeC