SSL Inspection Policy and URL Filtering

SSL inspection policy scan traffic based on the source and destination. By default, SSL Inspection Rule blocks Untrusted Server Certificates

With URL Filtering policy in place (or URL Categories in SSL Inspection Rule Criteria used), if you hit a website with an untrusted SSL cert (revoked, expired etc), Zscaler Untrusted Certificate Check kicks in prior to URL Filtering Policy. Browsing sites that fall under block URL Category with trusted certs will trigger URL Filtering block (Log: not allowed to browse this category).

In the following example, User A access gambling site with Gambling category blocked by URL Filtering policy.

For HTTP traffic, SSL Inspection policy not applied, we go straight to URL Filtering policy (Blocked Policy Type: URL Filtering) and the configured Web Traffic action, Caution, is applied (Policy Action: Request method cautioned).

For HTTPS traffic, SSL Inspection policy comes into play before URL Filtering Policy. As User A accessed 777.com, the Server Certificate from 198.251.90.72 is untrusted and blocked by SSL Policy (Blocked Policy Type: SSL Policy filter). Also notice Certificate Chain Validity failed.

User B with similar SSL and URL Filtering policies access gambling site (HTTPS). SSL Inspection policy applied first and passed (server certificate looks trusted). We moved on to URL Filtering Policy (Blocked Policy Type: URL Filtering) and the configured Web Traffic action, Caution, is applied (Policy Action: Request method cautioned). Note for User B, the Server IP (64.8.243.62) which fed the trusted server certificate.

To confirm 198.251.90.72 feds untrusted server cert, browse using IP shows the server certificate from blocked.netalerts.io blocked by SSL Policy

To conclude, SSL Inspection Policy provides the first line of defense against untrusted server certs. URL Filtering Policy provides additional granular control based on URL Categories.

3 Likes