HTTPS Content Inspection Exception List Management

Given that WG can update the HTTPS Content Inspection Exception List at any/every version update, there should be a way for us to set up a global list to be used by our HTTPS proxies instead of having to modify each and every one of our HTTPS proxies in order to remove an entry from the WG Content Inspection Exception List.

Gregg brought up that cloudfront.net could be used by potential bad actors, and that if a XTM site is not using Zoom or Asana, that site might want to unselect the *.cloudfront.net entry in every HTTPS proxy action.
Not a pleasant task for a site with many HTTPS policies/proxy actions.

Comments

  • edited July 6

    I have not looked in that part of the HTTPS Proxy for a long time. That list is now HUGE! My count for 2.4.1 U2 is 205 exceptions. I agree that *.cloudfront.net and *.dropbox.com are poor choices for exception - in fact, I would like to see more research work done so that we don't need all these exceptions. Exceptions mean that the content is not scanned and the protection offered by the Firebox is reduced significantly. Nasty business this one..

    Adrian from Australia

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    Good morning. I just wanted to let you know, we heard you and are looking into solutions to address your needs. In addition, we've initiated a review of the items listed in the HTTPS Content Inspection Exception List. If there is any functionality or behavior that should change, please feel free to provide feedback. For example, if you feel having those exceptions listed but not automatically enabled would be useful, that is something we can change. Enjoy!

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • Yes, having those exceptions listed but not automatically enabled would be useful.

    Gregg Hill

Sign In to comment.