After Configuring SSL Decryption, Web Browsing Sessions Do Not Match the Configured Policy

Symptoms

An SSL decryption policy has been put in place but now websites that start as HTTP and switch to HTTPS aren't loading properly anymore.

Issue

Security rule originally was set to allow application SSL and web-browsing and service application-default.

Service Application-default forces the App-ID match only on the ports that are defined as default ports under the applications.

The default service for application web-browsing is TCP/80.

However, once SSL Decryption is configured, the firewall can decrypt SSL sessions and identify the underlying application as web-browsing.

This session is still over TCP/443, but the configured security rule (containing application web-browsing, service application-default) does not match due to TCP/443 not being included in the default port range for application web-browsing, which means the session is denied due to implicit deny.

4350    web-browsing   DISCARD FLOW *NS   192.168.129.207[2514]/L3Trust/6  (172.17.128.129[7301]) vsys1                                     171.161.202.100[443]/L3Untrust  (171.161.202.100[443])

Resolution

There are two ways to resolve this issue:

1. Either change the current rule to permit service any and allowing web-browsing signature to scan over TCP/443 allowing the session to match the decrypted session.
2. Clone existing rule, leaving only application web-browsing and allow service service-http and service-https.

Once the above changes are made, the sessions will match desired rule and show up as Active:

4373    web-browsing   ACTIVE  FLOW *NS   192.168.129.207[2528]/L3Trust/6  (172.17.128.129[4471]) vsys1                                     171.161.202.100[443]/L3Untrust  (171.161.202.100[443])

owner: achitwadgi