SSL interception on exception cases in Web Security Service

book

Article ID: 169084

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

By default, the Symantec Web Security Service (WSS) does not intercept inbound HTTPS traffic from destination web locations and applications. With the default configuration, the WSS applies Content Filtering policy to the furthest extent possible; however, it cannot apply policies to transactions that require deeper inspection, such as web application controls or malware scanning.

Enabling SSL Interception allows the WSS to decrypt HTTPS connections, examine the contents, and perform policy checks.
If SSL Interception is not enabled, some encrypted web traffic is still filtered because WSS intercepts on exception.
This article describes the possible cases / scenarios that the WSS intercepts web traffic despite Cloud SSL Interception set to Disable.

Cause

The WSS requires SSL Interception on traffic to apply policies to transactions that require deeper inspection, such as web application controls, malware scanning, blocked categories, and so on. Hence, the WSS intercepts on exception.



 

Resolution

The "Intercept on exception" cases, but not limited to:

  • Destination IP and URL category listed under "Content Filtering > Policies" Permanently Blocked Categories on row G1 (the list contains predefined one category only: Child Pornography
  • Destination IP and URL category listed under "Content Filtering > Policies" Blocked Categories on row G4.
  • Destination IP listed under "Content Filtering > Policies" Blocked Destination IPs/Subnets on row G4.
  • Destination domain/URL listed under "Content Filtering > Policies" Blocked Domain/URLs on row G4.
  • Traffic source and/or destination belongs to one or more of WebApp listed under "Content Filtering > Policies" Blocked Web Applications on row G4.
  • Any traffic (Source/Destination/WebApp) that Verdict is set to Block or Block--Password Override in any "Content Filtering > Policies" rule under Group A or Group B.
  • Destination IP and URL category listed under "Threat Protection > Policies" Permanently Blocked Categories on row G3 (the list contains predefined list of the following 5 categories: Malicious Outbound Data/BotnetsMalicious Sources/MalnetsPhishingProxy Avoidance, Spam)
  • Any other criteria base on cloud WSS evaluation (in areas of DNS, server certificate, site content, and so on) that the content is potentially unsafe.
  • Others