Exempting HTTPS Traffic from Inspection
You can use a whitelist to exempt from inspection traffic to specified HTTPS servers. If traffic matches a whitelist entry, it is passed through (not decrypted or inspected).
 | Note: The whitelist applies only to traffic processing based on the SSL forward proxy feature. You would not use a whitelist to exclude inspection of traffic to internal destination servers. If desired, you can use a security policy rule to exempt such traffic from inspection. |
The whitelist is a text file you import into the IDP Series device, using the CLI. The following example shows the format of a whitelist file:
10.0.0.1 1.0.0.0/8 70.34.21.82 trustedsite.com landing.trustedsearch.com
Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.
The domain name in your whitelist should match the common name entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:
C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com
You can whitelist this site by adding the string us.etrade.com or the string etrade.com to your whitelist file.
To create a whitelist:
- Log into the CLI as admin and enter su - to switch to root.
- Use an editor like vi to create a whitelist file.
For example:
[root@defaulthost admin]# vi /tmp/whitelist.txt10.0.0.1 1.0.0.0/8 70.34.21.82 etrade.com bankofamerica.com
- Run the following command to import the whitelist
entries:
[root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
| Note: The whitelist setting takes effect on sessions that are initiated after your change. |
| Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line. |
