SSL Inspector

From UntangleWiki
(Redirected from HTTPS Inspector)
About SSL Inspector

The SSL Inspector is a special application that allows other Untangle applications that process HTTP traffic to also process encrypted HTTPS traffic and applications that process SMTP to also process SMTP over SSL. It does this by performing man-in-the-middle decryption and encryption of SSL traffic, passing the unencrypted traffic through the Untangle server for inspection by other applications and services.

When a client makes an HTTPS request, the Inspector first initiates a secure SSL connection with the external server on behalf of the client. While this session is being established, the inspector captures information about the server SSL certificate. Once the server session is active, the Inspector uses the details from the server certificate to create a new certificate that will be used to encrypt the session between the inspector and the client. This certificate is generated or loaded on the fly, and is created using the same subject details contained in the actual server certificate. The certificate is then signed by the internal CA on the Untangle server, and is used to establish a secure connection between the inspector and the client. Creating the certificate this way is necessary to eliminate security warnings on the client, but it does require a few extra steps to properly configure the client computers and devices on your network. See the SSL Certificates section below for details.
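The certificate-cloning step described above, as an added worked example (written for this page, not Untangle's own implementation): it builds a stand-in internal CA and a constructed upstream server certificate, mints a client-facing certificate that carries the same subject and subject alternative names but a fresh key pair and a signature from the internal CA, and checks which CA verifies the result. It assumes the third-party cryptography package; the function names and the example hostname are hypothetical.

```python
# Added example (not Untangle's code): how an inspecting proxy mints the client-facing
# certificate from the upstream server certificate. Assumes the `cryptography` package.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=days)


def _self_signed(name, key, days, extensions):
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number()))
    not_before, not_after = _validity(days)
    builder = builder.not_valid_before(not_before).not_valid_after(not_after)
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return builder.sign(key, hashes.SHA256())


def make_internal_ca(common_name="Internal CA (constructed)"):
    """Self-signed CA, standing in for the CA created when the server is installed."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    ca = _self_signed(name, key, 3650, [(x509.BasicConstraints(ca=True, path_length=None), True)])
    return key, ca


def make_upstream_server_cert(hostname="www.example.com"):
    """Constructed stand-in for the certificate a real external server would present."""
    key = _new_key()
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, hostname),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org (constructed)"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    ])
    san = x509.SubjectAlternativeName([x509.DNSName(hostname)])
    return key, _self_signed(name, key, 365, [(san, False)])


def clone_server_certificate(server_cert, ca_key, ca_cert):
    """Mint the client-facing leaf: same subject and SANs as the upstream certificate,
    a fresh key pair, and a signature from the internal CA."""
    leaf_key = _new_key()
    not_before, not_after = _validity(365)
    builder = (x509.CertificateBuilder()
               .subject_name(server_cert.subject)      # copied from the real server
               .issuer_name(ca_cert.subject)           # issued by the internal CA
               .public_key(leaf_key.public_key())      # the proxy's own key, never the server's
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), True))
    try:
        san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, False)  # keep hostnames so browsers match them
    except x509.ExtensionNotFound:
        pass
    return leaf_key, builder.sign(ca_key, hashes.SHA256())


def san_names(cert):
    """DNS names in the certificate's SubjectAlternativeName extension."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def is_signed_by(cert, issuer_cert):
    """True when issuer_cert's public key verifies cert's signature (RSA PKCS#1 v1.5)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_internal_ca()
    _, server_cert = make_upstream_server_cert()
    _, leaf = clone_server_certificate(server_cert, ca_key, ca_cert)
    print("subject copied:", leaf.subject == server_cert.subject)
    print("signed by internal CA:", is_signed_by(leaf, ca_cert))
    print("signed by real server:", is_signed_by(leaf, server_cert))
```

The last two checks are the whole point of the client configuration that follows: the minted certificate verifies only under the internal CA, so a client that does not trust that CA correctly treats the connection as unverified.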

SSL Certificates

SSL Certificates serve two primary purposes. They allow traffic between the client and server to be encrypted, and they allow the client to validate the authenticity of the server. There are two main ways the client checks the authenticity of the server certificate. The first is by validating the server certificate to ensure it has been issued or signed by a known and trusted third party certificate authority. Once that trust has been established, the client checks the server name portion of the target URL to ensure it matches the server name registered in the certificate presented by the server. If either of these checks fails, the client will typically display a warning, indicating that the security of the connection may be compromised.

When the Untangle server is initially installed, a default Certificate Authority is created automatically and used to sign the man-in-the-middle certificates created by the SSL Inspector. To view or make changes to the internal Certificate Authority, see the Certificates tab of the Config/Administration page.

Config > Administration > Certificates

Client Configuration

For the client authenticity checks to be successful, the client must be configured to trust the root certificate used by the Untangle server to sign the man-in-the-middle certificates described above. To configure clients, you must first use the Download Root Certificate button located on the Configuration tab of the SSL Inspector Settings page to download the root certificate. You must then install this certificate in the correct location on the client.

Another way to download the root certificate is to simply access a special URL using the IP address of the Untangle server:

http://0.0.0.0/cert

Simply replace 0.0.0.0 with the IP address of your Untangle server. This method is especially useful when using mobile devices. For example, accessing this URL on an iPad or iPhone will download and display the certificate, and provide an option to install and trust the certificate directly on the device.

Below are basic instructions for installing the root certificate on some common client platforms. If yours is not listed, or you have any difficulty, consult the reference material for the target platform for further information.

Internet Explorer or Google Chrome on Microsoft Windows

  1. Log into the Untangle server running SSL Inspector.
  2. Go to Settings/Configuration and download the certificate using the "Download Root Certificate" button.
  3. Copy the root_authority.crt you just downloaded to the Windows client computer.
  4. From a command prompt, or from Start/Run, run the command "certmgr.msc".
  5. Open the "Trusted Root Certification Authorities" tree in the panel on the left.
  6. Right click on "Certificates" and select All Tasks --> Import.
  7. Proceed with the Certificate Import Wizard, selecting the root_authority.crt file.

Firefox on Microsoft Windows

  1. Log into the Untangle server running SSL Inspector.
  2. Go to Settings/Configuration and download the certificate using the "Download Root Certificate" button.
  3. Copy the root_authority.crt you just downloaded to the Windows client computer.
  4. Launch Firefox
  5. From the Tools menu, go to Options -> Advanced -> Encryption -> View Certificates -> Authorities (on Firefox 41 and later: from the Tools menu, go to Options -> Advanced -> View Certificates)
  6. Click the Import button and select the root_authority.crt file.
  7. Enable the "Trust this CA to identify websites" checkbox and click the OK button.

Opera on Microsoft Windows

  1. Log into the Untangle server running SSL Inspector.
  2. Go to Settings/Configuration and download the certificate using the "Download Root Certificate" button.
  3. Copy the root_authority.crt you just downloaded to the Windows client computer.
  4. Launch Opera
  5. From the Tools menu, go to Preferences -> Advanced -> Security and click Manage Certificates
  6. Select the Authorities tab, click Import, and select the root_authority.crt file.
  7. Click Install and click OK when asked if you are sure you want to trust the certificate.

Group Policy Distribution

If you have a fully deployed and implemented Active Directory infrastructure, you can leverage the Group Policy model to distribute the Untangle root certificate to all of your client computers. This is way outside our own area of expertise, so we can't provide much help or assistance, but we have compiled links to some TechNet articles with instructions for several common versions of Windows Server.

Windows Server 2003

Windows Server 2008

Windows Server 2012

Settings

This section describes the different settings and configuration options available for SSL Inspector.

Configuration

Download Root Certificate

As described above, client computers and devices on your network need to be configured to trust the root certificate of the Untangle server. Clicking this button will allow you to download the root certificate. Once downloaded, you need to install it in the Trusted Authorities certificate store on your client computers and devices. Note that this is the same root certificate that can be downloaded from the Config > Administration > Certificates page. The download link is included on the SSL Inspector Configuration page for convenience.

Download Root Certificate Installer

Click this button to download a Windows installer that will automatically and properly install the root certificate for most popular web browsers that are installed and detected on the computer.

Enable SMTPS Traffic Processing

This option is enabled by default, and allows the SSL Inspector to work cooperatively with the other applications that act on SMTP mail traffic. When enabled, port 25 mail sessions that use STARTTLS will be decrypted inbound, allowing the clear traffic to pass through all other applications, and then re-encrypted before passing outbound.

Enable HTTPS Traffic Processing

This option is enabled by default, and allows the SSL Inspector to work cooperatively with the other applications that act on HTTP web traffic. When enabled, port 443 web sessions that use SSL/TLS will be decrypted inbound, allowing the clear traffic to pass through all other applications, and then re-encrypted before passing outbound.

Block Invalid HTTPS Traffic

When processing a new HTTPS session, the first thing the inspector does is analyze the initial client request to see if it contains a valid SSL negotiation message. If not, by default the session will be ignored and the traffic will flow directly between the client and server with no inspection performed. By enabling this checkbox, you can change the default behavior and effectively block any port 443 traffic that does not contain a valid HTTPS signature.

Client/Server Connection Protocols

This section includes checkboxes for turning on and off the SSL and TLS protocols that will be used when negotiating secure HTTPS and SMTPS inbound and outbound connections. The client protocols are used on the inbound side, when the Untangle server is communicating with a client on your network. The server protocols are used on the outbound side, when the Untangle server is communicating with the external server.

  • SSLv2Hello - This is really a legacy handshake protocol that is used between a client and server when deciding which encryption protocol to use. This means it's possible to enable SSLv2Hello and still have a TLSv1.x connection negotiated. While there are no known security issues, we still recommend leaving this disabled unless you specifically need this legacy support.
  • SSLv3 - This is an older protocol that is now deprecated since the discovery of the POODLE vulnerability. For that reason, we recommend this be disabled for maximum security.
  • TLSv1 - This is an older protocol that has some known weaknesses. These can be mitigated if the other side of the connection forces certain secure ciphers to be used. However, since this can't be guaranteed, best practice is to disable this protocol unless it is required to support connections with legacy clients or servers.
  • TLSv1.1 - This is a more modern protocol that is generally regarded as secure.
  • TLSv1.2 - This is the most recent version of the TLS protocol.

Trust All Server Certificates

Normally, when establishing an SSL connection with an external web server, the inspector will authenticate the server certificate against a standard list of trusted certificate authorities. If this trust cannot be established, the inspector will end the session. By enabling this checkbox, you can force the inspector to blindly trust all external server certificates.

Please note that we DO NOT recommend running with this option enabled, as it exposes all HTTPS traffic to significant security risks.

The standard list of trusted certificates used by Untangle is generated from the standard ca-certificates package. It includes, among others, certificate authorities used by Mozilla's browsers. Please note that Untangle can neither confirm nor deny whether the certificate authorities whose certificates are included in this list have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator.

Upload Trusted Certificate

The inspector emulates a web browser when it makes outbound connections to external web servers. Just like a web browser, it must verify the authenticity of the server certificate before it will trust the connection and allow traffic to flow freely. As mentioned above, the inspector uses a standard list of known certificate authorities to validate server certificates. However, it's also possible you have servers in your network that use certificates that can't be authenticated this way. Perhaps you have your own certificate authority, or use self-signed certificates. Whatever the reason, you can use this section of the configuration page to upload additional certificates that you want the inspector to trust.
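An added example (written for this page, not Untangle's code) of how the protocol checkboxes above, the server certificate verification described under Trust All Server Certificates, and an uploaded trusted CA file translate into concrete TLS configuration, using Python's ssl module: one context for the client-facing (inbound) side and one for the server-facing (outbound) side. It goes beyond the page's list by also knowing TLSv1.3; the function names, the RECOMMENDED set and the optional CA file path are assumptions.

```python
# Added example (not Untangle's code): realizing the "Client/Server Connection
# Protocols" checkboxes and outbound certificate verification with Python's ssl module.
import ssl

# Oldest to newest. TLSv1.3 goes beyond the page's list. SSLv2Hello is a hello-record
# format rather than a protocol version and has no counterpart in ssl.TLSVersion.
_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}  # assumption: the hardened choice for both sides


def version_bounds(enabled):
    """Translate a set of enabled protocol names into (min, max) ssl.TLSVersion.
    The ssl module only expresses a contiguous range, so a gap such as enabling
    TLSv1 and TLSv1.2 but not TLSv1.1 is rejected instead of silently widened."""
    names = [name for name, _ in _VERSIONS]
    unknown = set(enabled) - set(names)
    if unknown:
        raise ValueError(f"unknown protocol names: {sorted(unknown)}")
    flags = [name in enabled for name in names]
    if not any(flags):
        raise ValueError("at least one protocol must be enabled")
    first = flags.index(True)
    last = len(flags) - 1 - flags[::-1].index(True)
    if not all(flags[first:last + 1]):
        raise ValueError("enabled protocols must form a contiguous range")
    return _VERSIONS[first][1], _VERSIONS[last][1]


def make_context(enabled, client_facing, extra_ca_file=None):
    """Build the TLS context for one side of the inspected session.

    client_facing=True  -> inbound side, we act as the server towards the LAN client
                           (the minted certificate would be loaded with load_cert_chain).
    client_facing=False -> outbound side, we act as a client towards the real server
                           and verify its certificate like a browser would.
    extra_ca_file       -> optional PEM bundle, the equivalent of "Upload Trusted
                           Certificate" for private or self-signed server certificates.
    """
    lo, hi = version_bounds(enabled)
    if client_facing:
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    else:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED, hostname check on
        if extra_ca_file:
            ctx.load_verify_locations(cafile=extra_ca_file)
        # "Trust All Server Certificates" would be verify_mode = ssl.CERT_NONE here;
        # it is deliberately not offered because it accepts forged certificates too.
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


if __name__ == "__main__":
    inbound = make_context(RECOMMENDED, client_facing=True)
    outbound = make_context(RECOMMENDED, client_facing=False)
    print("inbound:", inbound.minimum_version.name, "..", inbound.maximum_version.name)
    print("outbound verifies server:", outbound.verify_mode == ssl.CERT_REQUIRED)
```

Note that the two sides are configured independently, exactly as the settings page separates client and server protocols: a legacy client on the LAN may need TLSv1.1 inbound while the outbound side stays at TLSv1.2 and newer.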

Rules

The Rules tab allows you to specify explicit rules to Inspect or Ignore HTTPS traffic that crosses the Untangle server. By default, many common HTTPS sites (google, youtube, yahoo, etc) are inspected, but not all HTTPS. This is a safe default: it inspects HTTPS on those sites without interfering with other HTTPS communications. It can easily be configured to inspect all HTTPS by enabling the "Inspect All Traffic" rule.

The Rules documentation describes how rules work and how they are configured. SSL Inspector uses rules to determine if it should inspect or ignore traffic for the specific session.

In addition to all the common rule types, there are three that are unique to the SSL Inspector, and these can be very useful for ignoring traffic that you don't want to inspect, or that isn't compatible with the SSL Inspector.

HTTPS: SNI Hostname

Most web browsers and many client applications include the destination hostname in the initial packet of an HTTPS session. The mechanism used is called the Server Name Indication, or the SNI extension to the TLS protocol. The main purpose is to allow a single web server to host multiple secure web sites. By analyzing the SNI hostname in the client request, the server can decide which SSL certificate to use for encrypting the session. This extension is necessary because the encryption must be established long before the server ever sees the HTTP request, and by then it would be too late to use a different certificate.

Creating ignore rules based on the SNI hostname is an effective way to have the SSL Inspector ignore incompatible traffic. A prime example is the default rule for Microsoft Update. The Microsoft Update client checks the server certificate to ensure it was signed by a specific authority. Since it doesn't trust the Root Authority the SSL Inspector uses to generate certificates on-the-fly, Microsoft Update will fail with an error. The default rule allows this traffic to be detected and ignored, allowing Microsoft Update to work properly.
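An added example (not Untangle's code) of the two checks described in the Block Invalid HTTPS Traffic setting and in this section: parse the first packet of a port 443 session, decide whether it is a valid TLS ClientHello, pull the SNI hostname out of the server_name extension, and apply ignore patterns to it before anything is decrypted. The sample ClientHello is constructed inline (fixed random bytes, one cipher suite); the function names and the ignore patterns in the demo are assumptions, not the product's rule syntax.

```python
# Added example (not Untangle's code): minimal TLS ClientHello parser that extracts
# the SNI hostname, plus the inspect/ignore/bypass/block decision built on it.
import fnmatch
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def parse_client_hello(data):
    """Return (is_client_hello, sni). sni is None when the extension is absent;
    a truncated or non-TLS first packet yields (False, None)."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return False, None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return False, None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < hs_len:
        return False, None                      # record cut short
    pos = 34                                    # client_version (2) + random (32)
    if pos >= len(hs):
        return False, None
    pos += 1 + hs[pos]                          # session_id
    if pos + 2 > len(hs):
        return False, None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return False, None
    pos += 1 + hs[pos]                          # compression_methods
    if pos + 2 > len(hs):
        return True, None                       # legal ClientHello without extensions
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return False, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            return True, _parse_sni(edata)
    return True, None


def _parse_sni(edata):
    """server_name extension body: list length (2), then entries of type (1), length (2), name."""
    if len(edata) < 2:
        return None
    list_len = struct.unpack("!H", edata[:2])[0]
    pos, end = 2, min(2 + list_len, len(edata))
    while pos + 3 <= end:
        name_type = edata[pos]
        name_len = struct.unpack("!H", edata[pos + 1:pos + 3])[0]
        pos += 3
        name = edata[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:     # host_name entry
            return name.decode("ascii", errors="replace")
    return None


def classify(first_packet, ignore_patterns, block_invalid=False):
    """Mirror the settings: non-TLS on port 443 is bypassed (or blocked when the
    Block Invalid HTTPS Traffic option is set); SNI ignore rules run before any decryption."""
    valid, sni = parse_client_hello(first_packet)
    if not valid:
        return "block" if block_invalid else "bypass"
    if sni and any(fnmatch.fnmatchcase(sni.lower(), p.lower()) for p in ignore_patterns):
        return "ignore"
    return "inspect"


def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, fixed "random", empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    patterns = ["*.update.example.test"]       # constructed ignore pattern
    for pkt in (build_client_hello("www.example.com"),
                build_client_hello("dl.update.example.test"),
                b"GET / HTTP/1.1\r\n"):
        print(parse_client_hello(pkt), "->", classify(pkt, patterns))
```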

HTTPS: Certificate Subject and HTTPS: Certificate Issuer

These two rule conditions are useful when dealing with client applications that don't use SNI, and aren't compatible with SSL Inspector. An excellent example is the Dropbox client utility for which there is also a default rule. Like Microsoft Update, the Dropbox client will reject SSL certificates that it doesn't explicitly trust.

Using either of these rule conditions, you can match traffic on any portion of the Subject or Issuer Distinguished Name (DN) included in the server certificate. In both cases, the information in the match string includes the standard information fields commonly stored within SSL certificates, such as CN (common name), C (country), ST (state), L (locality), O (organization), and OU (organizational unit). Each of these is appended to the match string and separated by commas. Note that not all fields are required in all certificates, and some certificates may have others not listed. The order they occur in the match string is also not guaranteed.

The Subject DN generally includes information about the company to which the certificate was issued. Here is an example Certificate Subject:

CN=*.dropbox.com, O="Dropbox, Inc.", L=San Francisco, ST=California, C=US

The Issuer DN generally includes information about the company that issued and authenticated the certificate. Here is an example Certificate Issuer:

CN=Thawte SSL CA, O="Thawte, Inc.", C=US
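An added example (not Untangle's code) that parses match strings like the two above into their DN fields and evaluates Subject and Issuer rule conditions field by field, so that a quoted value containing a comma (O="Dropbox, Inc.") stays intact and the match does not depend on the order in which the fields appear. The per-field condition syntax and the function names are assumptions, not the product's own rule format; the two DN strings are the ones shown on this page.

```python
# Added example (not Untangle's code): DN match-string parser and order-independent
# Subject/Issuer rule matching.
import fnmatch

# The two example DNs from this page.
DROPBOX_SUBJECT = 'CN=*.dropbox.com, O="Dropbox, Inc.", L=San Francisco, ST=California, C=US'
DROPBOX_ISSUER = 'CN=Thawte SSL CA, O="Thawte, Inc.", C=US'


def split_dn(dn):
    """Split the match string on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_dn(dn):
    """Return {ATTR: [values]}. A list is used because attributes such as OU may repeat,
    and the page notes that fields are optional and unordered."""
    fields = {}
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]                  # unquote, keeping the comma inside
        fields.setdefault(attr.strip().upper(), []).append(value)
    return fields


def dn_matches(dn, condition):
    """condition maps attribute -> glob pattern; every listed attribute must be present
    and at least one of its values must match (case-insensitively)."""
    fields = parse_dn(dn)
    for attr, pattern in condition.items():
        values = fields.get(attr.upper(), [])
        if not any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values):
            return False
    return True


def rule_action(subject_dn, issuer_dn, rules, default="inspect"):
    """First matching rule wins. Each rule may carry a 'subject' and/or 'issuer'
    condition and an 'action' of 'inspect' or 'ignore'."""
    for rule in rules:
        if "subject" in rule and not dn_matches(subject_dn, rule["subject"]):
            continue
        if "issuer" in rule and not dn_matches(issuer_dn, rule["issuer"]):
            continue
        return rule["action"]
    return default


if __name__ == "__main__":
    # Constructed equivalent of the default Dropbox ignore rule.
    rules = [{"subject": {"O": "Dropbox, Inc."}, "issuer": {"CN": "Thawte SSL CA"}, "action": "ignore"}]
    print(parse_dn(DROPBOX_SUBJECT))
    print(rule_action(DROPBOX_SUBJECT, DROPBOX_ISSUER, rules))
    print(rule_action("CN=www.example.com, O=Example, C=US", DROPBOX_ISSUER, rules))
```

Matching on individual fields rather than on the whole string is what makes the rule robust to the ordering caveat above: the same condition matches whether the certificate presents O before CN or after it.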

Rule Actions

  • Inspect: Causes the traffic which matched the rule to be decrypted and passed along to other applications and services for further inspection, classification, and possible action.
  • Ignore: Causes the traffic which matched the rule to be ignored by the SSL Inspector.

Reports

The Reports tab provides a view of all reports and events for all traffic handled by HTTPS Inspector.

Reports

All SSL Inspector reports can be accessed using the Select Reports window. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.


Pre-defined report queries:

Report Entry Description
HTTPS Inspector Summary A summary of HTTPS Inspector actions.
Scanned Sessions The amount of SSL sessions over time.
Inspected Sessions The amount of inspected SSL sessions over time.
Top Inspected Sites The number of inspected sessions grouped by site.
Top Ignored Sites The number of ignored sessions grouped by site.


Configuration Backup Reports

Report Entry Description
Configuration Backup Summary A summary of configuration backup actions.
Backup Usage (all) The amount of successes, and failures of configuration backup over time.
Backup Usage (success) The amount of successful configuration backups over time.
Backup Usage (failed) The amount of failed configuration backups over time.


Network Reports

Report Entry Description
Sessions The amount of total, scanned, and bypassed sessions over time.
Sessions Per Minute The amount of total, scanned, and bypassed sessions created per minute.
Sessions Per Hour The amount of total, scanned, and bypassed sessions created per hour.
Bandwidth Usage The approximate averaged data transfer rate (total, sent, received) over time grouped by session creation time.
Top Client Addresses The number of sessions grouped by client (source) address.
Top Server Ports The number of sessions grouped by server (destination) port.
Top IP Protocols The number of sessions grouped by IP protocol number.


Administration Reports

Report Entry Description
Admin Logins The number of total, successful, and failed admin logins over time.
Settings Changes The number of settings changes over time.


System Reports

Report Entry Description
CPU Load The CPU load over time.
Disk Usage The disk utilization over time.
Memory Usage The amount of free memory over time.
Swap Usage The swap utilization over time.


Application Control Lite Reports

Report Entry Description
Application Control Lite Summary A summary of Application Control Lite actions.
Detection Statistics The number of logged and blocked sessions over time.
Top Blocked Protocols The top blocked sessions by protocol.
Top Logged Protocols The top logged sessions by protocol.
Top Blocked Hosts The top blocked sessions by host.
Top Logged Hosts The top logged sessions by host.
Top Blocked Users The top blocked sessions by user.
Top Logged Users The top logged sessions by user.


Spam Blocker Lite Reports

Report Entry Description
Spam Blocker Lite Summary A summary of spam blocking actions for email activity.
Email Usage (all) The amount of scanned, clean, and spam email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (clean) The amount of clean email over time.
Email Usage (spam) The amount of spam email over time.
Spam Ratio The ratio of spam (true) to ham (false)
Top Spam Recipients The number of email addresses with spam.
Top Spam Sender Addresses The number of IP addresses sending spam.


Phish Blocker Reports

Report Entry Description
Phish Blocker Summary A summary of phish blocking actions for email activity.
Email Usage (all) The amount of scanned, clean, and phish email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (clean) The amount of clean email over time.
Email Usage (phish) The amount of phish email over time.
Phish Ratio The ratio of phish (true) to ham (false)
Top Phish Recipients The number of email addresses with phish.
Top Phish Sender Addresses The number of IP addresses sending phish.


Policy Manager Reports

Report Entry Description
Policy Manager Summary A summary of Policy Manager actions.
Sessions By Policy The number of sessions for each policy.
Traffic By Policy The amount of traffic for each policy.


Ad Blocker Reports

Report Entry Description
Ad Blocker Summary A summary of ad blocker actions.
Ads Blocked The amount of detected and blocked ads over time.
Top Blocked Ad Sites The number of blocked ads grouped by website.


WAN Balancer Reports

Report Entry Description
WAN Balancer Summary A summary of WAN Balancer actions.
Sessions By Interface The number of sessions destined to each interface.
Bytes By Interface The number of bytes destined to each interface.


Spam Blocker Reports

Report Entry Description
Spam Blocker Summary A summary of spam blocking actions for email activity.
Email Usage (all) The amount of scanned, clean, and spam email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (clean) The amount of clean email over time.
Email Usage (spam) The amount of spam email over time.
Spam Ratio The ratio of spam (true) to ham (false)
Top Spam Recipients The number of email addresses with spam.
Top Spam Sender Addresses The number of IP addresses sending spam.


Application Control Reports

Report Entry Description
Application Control Summary A summary of Application Control actions.
Scanned Sessions (all) The amount of scanned, flagged, and blocked sessions over time.
Scanned Sessions (flagged) The amount of flagged, and blocked sessions over time.
Scanned Sessions (blocked) The amount of flagged, and blocked sessions over time.
Top Applications (by sessions) The number of sessions grouped by application.
Top Applications (by size) The number of bytes grouped by application.
Top Flagged Applications The number of flagged sessions grouped by application.
Top Blocked Applications The number of blocked sessions grouped by application.
Top Flagged Hostnames The number of flagged sessions grouped by hostname.
Top Blocked Hostnames The number of blocked sessions grouped by hostname.
Top Flagged Clients The number of flagged sessions grouped by client.
Top Blocked Clients The number of blocked sessions grouped by client.
Top Flagged Usernames The number of flagged sessions grouped by username.
Top Blocked Usernames The number of blocked sessions grouped by username.


Web Cache Reports

Report Entry Description
Web Cache Summary A summary of Web Cache actions.
Cache Hit/Miss Statistics The number of cache hits, misses, and sessions bypassed over time.
Cache Size Statistics The amount of cached and uncached web data over time.


IPsec VPN Reports

Report Entry Description
IPsec VPN Summary A summary of IPsec VPN actions.
Hourly Tunnel Traffic The amount of IPsec tunnel traffic over time.
Top Tunnel Traffic The amount of traffic for each IPsec tunnel.
Top Active Users The top IPsec VPN users by number of sessions.
Top Download Users The top IPsec users grouped by amount of data downloaded.
Top Upload Users The top IPsec users grouped by amount of data uploaded.
Top Protocols The top IPsec VPN connections by protocol.


Intrusion Prevention Reports

Report Entry Description
Intrusion Prevention Summary A summary of intrusion detection and prevention actions.
Intrusion Detection (all) The amount of detected and blocked intrusions over time.
Intrusion Detection (logged) The amount of detected intrusions over time.
Intrusion Detection (blocked) The amount of blocked intrusions over time.
Top Rules (logged) The number of intrusions detected grouped by rule.
Top Rules (blocked) The number of intrusions blocked by rule.
Top Classtypes (logged) The number of intrusions detected grouped by classtype.
Top Classtypes (blocked) The number of intrusions blocked by classtype.
Top Categories (logged) The number of intrusions detected grouped by category.
Top Categories (blocked) The number of intrusions blocked by category.
Top Source IP Addresses (logged) The number of intrusions detected grouped by source IP address.
Top Source IP Addresses (blocked) The number of intrusions blocked by source IP address.
Top Source Ports (logged) The number of intrusions detected grouped by source port.
Top Source Port (blocked) The number of intrusions blocked by source port.
Top Destination IP Addresses (logged) The number of intrusions detected grouped by destination IP address.
Top Destination IP Addresses (blocked) The number of intrusions blocked by destination IP address.
Top Destination Ports (logged) The number of intrusions detected grouped by destination port.
Top Destination Port (blocked) The number of intrusions blocked by destination port.
Top Protocols (logged) The number of intrusions detected grouped by protocol.
Top Protocols (blocked) The number of intrusions blocked by protocol.


Reports Reports

Report Entry Description
Alerts Alerts over time.
Top Alerts The top alerts.


Host Viewer Reports

Report Entry Description
Host Table Size The amount of hosts added and removed from the host table over time.
Host Table Additions The amount of hosts added and removed from the host table over time.
Host Table Updates The number of updates to the host table over time.


Bandwidth Control Reports

Report Entry Description
Bandwidth Control Summary A summary of Bandwidth Control actions.
Bandwidth Usage The approximate averaged data transfer rate (total, sent, received) over time grouped by session creation time.
Top Hostnames (by total bytes) The sum of the data transferred grouped by hostname.
Top Hostnames (by received bytes) The sum of the received data grouped by hostname.
Top Hostnames (by sent bytes) The sum of the sent data grouped by hostname.
Top Clients (by total bytes) The sum of the data transferred grouped by client address.
Top Clients (by received bytes) The sum of the data received grouped by client address.
Top Clients (by sent bytes) The sum of the data sent grouped by client address.
Top Usernames (by total bytes) The sum of the data transferred grouped by username.
Top Usernames (by received bytes) The sum of the data received grouped by username.
Top Usernames (by sent bytes) The sum of the data sent grouped by username.
Top Ports (by total bytes) The sum of the data transferred grouped by server port.
Top Ports (by received bytes) The sum of the data received grouped by server port.
Top Ports (by sent bytes) The sum of the data sent grouped by server port.
Top Application (by total bytes) The sum of the data transferred grouped by Application Control application.
Top Application (by received bytes) The sum of the data received grouped by Application Control application.
Top Application (by sent bytes) The sum of the data sent grouped by Application Control application.
Top Priorities (by total bytes) The sum of the data transferred grouped by priority.
Bypassed (by total bytes) The sum of the data transferred grouped by bypassed.


Directory Connector Reports

Report Entry Description
Directory Connector Summary A summary of Directory Connector actions.
User Notification API Events The amount of login, update and logout user notification API events over time.


Web Filter Reports

Report Entry Description
Web Filter Summary A summary of web filter actions.
Web Usage (all) The amount of total, flagged, and blocked web requests over time.
Web Usage (scanned) The amount of total, flagged, and blocked web requests over time.
Web Usage (flagged) The amount of flagged, and blocked web requests over time.
Web Usage (blocked) The amount of flagged, and blocked web requests over time.
Top Categories (by request) The number of web requests grouped by category.
Top Categories (by size) The sum of the size of requested web content grouped by category.
Top Flagged Categories The number of flagged web requests grouped by category.
Top Blocked Categories The number of blocked web requests grouped by category.
Top Sites (by request) The number of web requests grouped by website.
Top Sites (by size) The sum of the size of requested web content grouped by website.
Top Flagged Sites The number of flagged web requests grouped by website.
Top Blocked Sites The number of blocked web requests grouped by website.
Top Domains (by request) The number of web requests grouped by domain.
Top Domains (by size) The sum of the size of requested web content grouped by domain.
Top Flagged Domains The number of flagged web requests grouped by domain.
Top Blocked Domains The number of blocked web requests grouped by domain.
Top Hostnames (by requests) The number of web requests grouped by hostname.
Top Hostnames (by size) The sum of the size of requested web content grouped by hostname.
Top Flagged Hostnames The number of flagged web request grouped by hostname.
Top Blocked Hostnames The number of blocked web request grouped by hostname.
Top Clients (by requests) The number of web requests grouped by client.
Top Clients (by size) The sum of the size of requested web content grouped by client.
Top Flagged Clients The number of flagged web request grouped by client.
Top Blocked Clients The number of blocked web request grouped by client.
Top Usernames (by requests) The number of web requests grouped by username.
Top Usernames (by size) The sum of the size of requested web content grouped by username.
Top Flagged Usernames The number of flagged web request grouped by username.
Top Blocked Usernames The number of blocked web request grouped by username.


Virus Blocker Reports

Report Entry Description
Virus Blocker FTP Summary A summary of virus blocking actions for FTP activity.
Virus Blocker Email Summary A summary of virus blocking actions for Email activity.
Virus Blocker Web Summary A summary of virus blocking actions for web activity.
Web Usage (all) The amount of scanned and blocked web requests over time.
Web Usage (scanned) The amount of scanned web requests over time.
Web Usage (blocked) The amount of blocked web requests over time.
Web Top Blocked Viruses The number of blocked viruses by web activity.
Web Top Blocked Clients The number of clients with blocked viruses by web activity.
Web Top Blocked Sites The number of clients with blocked viruses by web activity.
FTP Usage (all) The amount of scanned and blocked FTP requests over time.
FTP Usage (scanned) The amount of scanned FTP requests over time.
FTP Usage (blocked) The amount of blocked FTP requests over time.
FTP Top Blocked Viruses The number of blocked viruses by FTP activity.
FTP Top Blocked Clients The number of clients with blocked viruses by FTP activity.
FTP Top Blocked Sites The number of clients with blocked viruses by FTP activity.
Email Usage (all) The amount of scanned and blocked email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (blocked) The amount of blocked email over time.
Email Top Blocked Viruses The number of blocked viruses by Email activity.
Email Top Blocked Clients The number of clients with blocked viruses by Email activity.
Email Top Blocked Sites The number of clients with blocked viruses by Email activity.


Virus Blocker Lite Reports

Report Entry Description
Virus Blocker Lite FTP Summary A summary of virus blocking actions for FTP activity.
Virus Blocker Lite Email Summary A summary of virus blocking actions for Email activity.
Virus Blocker Lite Web Summary A summary of virus blocking actions for web activity.
Web Usage (all) The amount of scanned and blocked web requests over time.
Web Usage (scanned) The amount of scanned web requests over time.
Web Usage (blocked) The amount of blocked web requests over time.
Web Top Blocked Viruses The number of blocked viruses by web activity.
Web Top Blocked Clients The number of clients with blocked viruses by web activity.
Web Top Blocked Sites The number of clients with blocked viruses by web activity.
FTP Usage (all) The amount of scanned and blocked FTP requests over time.
FTP Usage (scanned) The amount of scanned FTP requests over time.
FTP Usage (blocked) The amount of blocked FTP requests over time.
FTP Top Blocked Viruses The number of blocked viruses by FTP activity.
FTP Top Blocked Clients The number of clients with blocked viruses by FTP activity.
FTP Top Blocked Sites The number of clients with blocked viruses by FTP activity.
Email Usage (all) The amount of scanned and blocked email over time.
Email Usage (scanned) The amount of scanned email over time.
Email Usage (blocked) The amount of blocked email over time.
Email Top Blocked Viruses The number of blocked viruses by Email activity.
Email Top Blocked Clients The number of clients with blocked viruses by Email activity.
Email Top Blocked Sites The number of sites with blocked viruses by Email activity.


Shield Reports

Report Entry Description
Scanned Sessions The amount of scanned and blocked sessions over time.
Blocked Sessions The amount of blocked sessions over time.
Top Blocked Clients The number of blocked sessions grouped by client.
Top Blocked Usernames The number of blocked sessions grouped by username.
Top Blocked Hostnames The number of blocked sessions grouped by hostname.


Firewall Reports

Report Entry Description
Firewall Summary A summary of firewall actions.
Scanned Sessions The amount of scanned, flagged, and blocked sessions over time.
Top Scanned Hostnames The number of scanned sessions grouped by hostname.
Top Flagged Hostnames The number of flagged sessions grouped by hostname.
Top Blocked Hostnames The number of blocked sessions grouped by hostname.
Top Scanned Clients The number of scanned sessions grouped by client.
Top Flagged Clients The number of flagged sessions grouped by client.
Top Blocked Clients The number of blocked sessions grouped by client.
Top Scanned Usernames The number of scanned sessions grouped by username.
Top Flagged Usernames The number of flagged sessions grouped by username.
Top Blocked Usernames The number of blocked sessions grouped by username.
Top Scanned Server Ports The number of scanned sessions grouped by server (destination) port.
Top Flagged Server Ports The number of flagged sessions grouped by server (destination) port.
Top Blocked Server Ports The number of blocked sessions grouped by server (destination) port.


Web Filter Lite Reports

Report Entry Description
Web Filter Lite Summary A summary of Web Filter Lite actions.
Web Usage (all) The amount of total, flagged, and blocked web requests over time.
Web Usage (scanned) The amount of total, flagged, and blocked web requests over time.
Web Usage (flagged) The amount of flagged and blocked web requests over time.
Web Usage (blocked) The amount of flagged and blocked web requests over time.
Top Categories (by request) The number of web requests grouped by category.
Top Categories (by size) The sum of the size of requested web content grouped by category.
Top Flagged Categories The number of flagged web requests grouped by category.
Top Blocked Categories The number of blocked web requests grouped by category.
Top Sites (by request) The number of web requests grouped by website.
Top Sites (by size) The sum of the size of requested web content grouped by website.
Top Flagged Sites The number of flagged web requests grouped by website.
Top Blocked Sites The number of blocked web requests grouped by website.
Top Domains (by request) The number of web requests grouped by domain.
Top Domains (by size) The sum of the size of requested web content grouped by domain.
Top Flagged Domains The number of flagged web requests grouped by domain.
Top Blocked Domains The number of blocked web requests grouped by domain.
Top Hostnames (by requests) The number of web requests grouped by hostname.
Top Hostnames (by size) The sum of the size of requested web content grouped by hostname.
Top Flagged Hostnames The number of flagged web requests grouped by hostname.
Top Blocked Hostnames The number of blocked web requests grouped by hostname.
Top Clients (by requests) The number of web requests grouped by client.
Top Clients (by size) The sum of the size of requested web content grouped by client.
Top Flagged Clients The number of flagged web requests grouped by client.
Top Blocked Clients The number of blocked web requests grouped by client.
Top Usernames (by requests) The number of web requests grouped by username.
Top Usernames (by size) The sum of the size of requested web content grouped by username.
Top Flagged Usernames The number of flagged web requests grouped by username.
Top Blocked Usernames The number of blocked web requests grouped by username.


OpenVPN Reports

Report Entry Description
OpenVPN Summary A summary of OpenVPN actions.
OpenVPN Bandwidth Usage The approximate amount of data transferred over OpenVPN connections.
OpenVPN Events The amount of login and logout events over time.
OpenVPN Sessions The amount of OpenVPN sessions over time.
Top Clients (by usage) The number of bytes transferred grouped by remote client.


WAN Failover Reports

Report Entry Description
WAN Failover Summary A summary of WAN Failover actions.
WAN Disconnect Events The number of disconnect events grouped by WAN.


Events

The event viewer provides a view of all web events and how they are handled by SSL Inspector. It can be used to view traffic on the network in real time or as a debugging tool to view how SSL Inspector is operating.

Events:


Columns/Conditions

Conditions can be used to filter the traffic information shown in reports and events. Each condition has a corresponding column that can be viewed in the events viewer. Multiple conditions can be added to drill down and inspect SSL Inspector data. For a list of conditions, refer to the sessions table in Global DB Schema.

Status

The status of the session that generated the event.

  • INSPECTED means the session was fully processed by the inspector, and all traffic was passed through all the other applications and services.
  • IGNORED means the session was not or could not be inspected, so the traffic was completely ignored and not analyzed by any applications or services.
  • BLOCKED means the traffic was blocked because it did not contain a valid HTTPS request, and the Block Invalid Traffic option was enabled.
  • UNTRUSTED means the traffic was blocked because the server certificate could not be authenticated.
  • ABANDONED means the traffic was blocked because of a problem with the underlying SSL session.
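An added example (not from the wiki or the Untangle product) that reads a constructed CSV export of SSL Inspector events, validates the Status column against the values listed above, and surfaces the UNTRUSTED sessions an administrator would want to follow up on. The column names in the sample are assumed for the example; the real columns are in the sessions table of Global DB Schema.

```python
import csv
import io
from collections import Counter

# Status values as documented for SSL Inspector events.
STATUS_MEANING = {
    "INSPECTED": "decrypted and passed through all other apps and services",
    "IGNORED": "not inspected; traffic not analyzed by any app or service",
    "BLOCKED": "no valid HTTPS request and Block Invalid Traffic was enabled",
    "UNTRUSTED": "blocked: server certificate could not be authenticated",
    "ABANDONED": "blocked: problem with the underlying SSL session",
}

# Constructed sample export. The column names are assumed for this example;
# the real ones are in the sessions table of Global DB Schema.
SAMPLE_EVENTS = """\
client,server,server_name,status
192.0.2.10,198.51.100.5,www.example.com,INSPECTED
192.0.2.11,198.51.100.5,www.example.com,INSPECTED
192.0.2.10,198.51.100.9,bank.example.net,IGNORED
192.0.2.12,203.0.113.7,update.example.org,UNTRUSTED
192.0.2.13,203.0.113.7,update.example.org,UNTRUSTED
192.0.2.14,203.0.113.8,cdn.example.org,ABANDONED
192.0.2.15,198.51.100.20,,BLOCKED
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts, rejecting unknown statuses."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        if ev["status"] not in STATUS_MEANING:
            raise ValueError(f"unknown SSL Inspector status: {ev['status']!r}")
    return events


def status_counts(events):
    """How many sessions ended in each status."""
    return Counter(ev["status"] for ev in events)


def untrusted_servers(events):
    """Servers whose certificate failed authentication, with session counts.
    A server that keeps showing up here is either misconfigured (expired or
    self-signed certificate) or worth a closer look before any bypass rule."""
    return Counter(ev["server_name"] for ev in events if ev["status"] == "UNTRUSTED")


def uninspected_fraction(events):
    """Share of sessions that were never decrypted (IGNORED), i.e. the part
    of HTTPS traffic the other apps and services did not get to see."""
    if not events:
        return 0.0
    return sum(ev["status"] == "IGNORED" for ev in events) / len(events)
```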



SSL Inspector FAQs

Does SSL Inspector work with Captive Portal?

Yes. SSL Inspector decrypts HTTPS requests to HTTP, which Captive Portal then handles just like normal HTTP requests. If the client is captured and not authenticated, it will be redirected to a login page.


SSL Inspector does not seem to be working with google and Chrome. Why?

Newer Chrome versions use a custom protocol called QUIC to communicate with Google. Adding a Firewall Rule or Filter Rule to block UDP port 443 will block QUIC and force Chrome to fall back to regular HTTPS, which will be handled normally.