Firebox Proxy Problem
I have quite a few websites that does not work as expected when accessed. Problems can vary from being unable to sign in or a drop down list fails to populate.
The only way I can get the site to work normally is to bypass content inspection. Here's the latest website where I have a problem accessing:
https://www.waters.com/nextgen/us/en/account/sign-in.html
after entering a username/password, clicking Sign in button takes me nowhere. It's stuck. It works fine with *.waters.com in the content inspection Exception list set to Allow.
I suppose that means if the sites in Exception list are compromised and host malware, Watchguard won't be able to stop drive-by download because it does not inspect the traffic, is that correct? Is there a better way to resolve this problem?
Best Answer
-
Options
Simply put, if you or your users/customers want/need to access a HTTPS web site which does not work with Inspect enabled, you only have 1 choice - don't inspect traffic to that web site.
5
Answers
one other thing... I can't find Firebox Proxy in category list when posting my question. Can someone move this please? Thank you.
Please Move This doesn't happen.
Just live with it.
We will find it.
Many sites do not work with Content Inspection enabled.
That is the way that it is.
Most often, it is the site itself which is the cause of this, not a general issue with XTM's Content Inspection.
Many banks & other financial institutions, and some Microsoft sites, verify that their cert is being used, most likely to prevent man-in-the-middle attacks - which is really what XTM's Inspection potentially is.
I have several dozen Allow entries in my list, which is in addition to the WatchGuard Predefined Content Inspections list.
https://community.watchguard.com/watchguard-community/categories/firebox-proxy-and-subscription-services
Gregg Hill
Bruce is dead on about "Most often, it is the site itself which is the cause of this, not a general issue with XTM's Content Inspection.
Many banks & other financial institutions, and some Microsoft sites, verify that their cert is being used...."
Any site or application that uses client-side certificates will break under HTTPS with DPI enabled and will need to have an exclusion added. It is an ongoing chasing of one's tail because some sites change from server-side to client-side certs, and we find out when those sites start to fail.
Gregg Hill
I asked moderators to move it to proper group because in most discussion forums I've been to, mods arrange things the way they should be. I get "post this in so and so group.." kinda reply if I post it in the wrong group. I don't really care if this discussion isn't movable. I know where I post mine.
So... simply put, we're at the mercy of those sites that we trust (bypass packet inspection) and there is no other way safer way to make this work, correct?
Oh I know how to get there but when I created a new post, Firebox - Proxy (and a whole lot of other categories) is not on the list. In other words, I can't post anything new in Firebox - Proxy so I picked Firebox - Hardware.
ok, thanks.