
    Exempting HTTPS Traffic from Inspection

    You can use a whitelist to exempt traffic to specified HTTPS servers from inspection. If traffic matches a whitelist entry, it is passed through (not decrypted or inspected).

    Note: The whitelist applies only to traffic processing based on the SSL forward proxy feature. You would not use a whitelist to exclude inspection of traffic to internal destination servers. If desired, you can use a security policy rule to exempt such traffic from inspection.

    The whitelist is a text file you import into the IDP Series device, using the CLI. The following example shows the format of a whitelist file:

    10.0.0.1
    1.0.0.0/8
    70.34.21.82
    trustedsite.com
    landing.trustedsearch.com

    Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.

    The domain name in your whitelist should match the common name entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:

    C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com

    You can whitelist this site by adding the string us.etrade.com or the string etrade.com to your whitelist file.
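    The following Python script is an added illustration of the matching rules described above (address, IP prefix, domain suffix against the certificate common name); it is not code from the IDP Series device, and the exact suffix semantics (an entry matches a CN that equals it or ends with "." plus the entry) are an assumption drawn from the text. The whitelist contents and the certificate subjects are constructed sample input.

```python
import ipaddress

# Constructed whitelist in the one-entry-per-line format shown on the page.
WHITELIST_TEXT = """\
10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com
"""


def parse_whitelist(text):
    """Split whitelist lines into IP networks and domain suffixes.

    A bare address becomes a /32 network; a prefix keeps its mask.
    Anything that is not a valid address or prefix is treated as a
    domain suffix. Empty lines add nothing, which is why a file holding
    a single empty line clears the active whitelist.
    """
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower().rstrip("."))
    return networks, domains


def common_name(subject):
    """Extract the CN attribute from a comma-separated certificate subject."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None


def is_whitelisted(dst_ip, cert_subject, networks, domains):
    """Return True if the session should be passed through uninspected.

    Matches when the destination address lies inside a listed network,
    or when the certificate CN equals a listed domain or is a subdomain
    of it (assumed suffix semantics). Note that the domain check is made
    against the CN the server presents, not the hostname the client typed.
    """
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in networks):
        return True
    cn = common_name(cert_subject)
    if cn is None:
        return False
    return any(cn == d or cn.endswith("." + d) for d in domains)


if __name__ == "__main__":
    nets, doms = parse_whitelist(WHITELIST_TEXT)
    subject = ("C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, "
               "OU=Global Information Security, CN=us.etrade.com")
    print(common_name(subject))
    print(is_whitelisted("1.2.3.4", "CN=irrelevant.example", nets, doms))
    print(is_whitelisted("203.0.113.9", "C=US, CN=us.trustedsite.com", nets, doms))
    print(is_whitelisted("203.0.113.9", "CN=nottrustedsite.com", nets, doms))
```

    Note that the entry "trustedsite.com" covers "us.trustedsite.com" but not "nottrustedsite.com", and "landing.trustedsearch.com" does not cover the bare "trustedsearch.com"; when you want every subdomain, list the shortest suffix.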

    To create a whitelist:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Use an editor like vi to create a whitelist file. For example:

      [root@defaulthost admin]# vi /tmp/whitelist.txt
      10.0.0.1
      1.0.0.0/8
      70.34.21.82
      etrade.com
      bankofamerica.com

    3. Run the following command to import the whitelist entries:

      [root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt

    Note: The whitelist setting takes effect on sessions that are initiated after your change.

    Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line.


    Published: 2011-02-08