ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Group or user based rule is not working for HTTPS sites on the Cloud


Article ID: 171451


Updated On:


Web Security Service - WSS


While creating a rule based on an Active Directory group or username to block or allow a certain HTTPS site, it is noted that the rule is not applying correctly. The HTTP (non-secure) version of the site works fine and a global rule to deny or allow the same site does work correctly as well.


Verdict is not applied due to SSL Interception not working for this particular site. Web Security Service needs to inspect the contents of the HTTPS traffic in order to correctly apply policy decision based on user or group.


In your ThreatPulse portal

  • Make sure SSL Interception is enabled.
  • Check the configuration of Service -> SSL Interception -> Exemptions
    • In Destinations, make sure the site is not exempted by URL, category, and IP/subnet
    • In Sources, make sure your location, user, subnet/IP or access method is not defined as an exemption
  • Additionally, check for any object defined under Solutions -> Threat Protection -> Policy -> Trusted Sources / Destinations
    • For any URL, IP or network object defined here, SSL interception will be effectively disabled, e.g. If you have subnet defined under Trusted Sources all traffic coming from clients on this subnet will be exempted from inspection, therefore, breaking user or group based policies.