Create SSL Policy

Create and enable SSL policy to ensure the WSS correctly intercepts and exempts SSL traffic. Intercepting SSL traffic allows the WSS to decrypt HTTPS connections, examine the contents, and perform policy checks. Exempting SSL traffic allows traffic to remain encrypted.
By default, WSS does not intercept:
  • HTTPS traffic that is categorized as Brokerage/Trading, Financial Services, and Health, because this content usually involves private, sensitive personal account information.
  • Applications that are listed in the SSL Bypass List or Mobile App Bypass list, because their traffic is known to break due to certificate pinning issues.
If traffic is from a mobile device or bypassed (not intercepted), then WSS does not apply CASB Gatelets or Web Isolation to the traffic. These features are currently not available for mobile traffic, and bypassed traffic cannot be isolated.
For more information on decrypting SSL traffic, see About Scanning Encrypted Traffic.

Technical Requirement

About the SSL Bypass List

Symantec maintains an initial list of applications in the SSL Bypass List that are known to break when their traffic is intercepted due to certificate pinning. The list is continually being updated; however, traffic for additional applications and domains that are not included in the list might break. For these applications and domains, Symantec recommends using the policy editor to exempt them from SSL interception.
For the list of applications in the SSL Bypass List, see: https://knowledge.broadcom.com/external/article?legacyId=TECH252764
The sites and applications in the SSL Bypass List are also exempted for mobile devices.

About Mobile SSL Policy

You can apply SSL interception policy for mobile devices using the policy editor.
Symantec maintains an initial list of applications in the Mobile SSL Bypass list that are known to break when their traffic is intercepted due to certificate pinning. The list is continually being updated; however, traffic for additional applications and domains that are not included in the list might break. For these applications and domains, Symantec recommends using the policy editor to exempt them from SSL interception.
For the list of applications in the Mobile SSL Bypass list, see: https://knowledge.broadcom.com/external/article?legacyId=TECH252764
In the default policy, the sites and applications in the Mobile App Bypass list are only exempted for mobile devices (unless the site or application is also listed in the SSL Bypass List).

About SSL Sources and Destinations

You can write policy to intercept and exempt traffic for:
  • Sources: Define policy that instructs Web Security Service to not intercept SSL traffic from these sources. The portal enables you to select from previously defined lists or other elements as defined in your network.
  • Destinations: Define policy that instructs Web Security Service to not intercept SSL traffic to these destinations. The portal enables you to select from previously defined lists or other elements as defined in your network.
For more information on the policy editor, see About the Content Filtering Rule Editor.
Element Type: Sources
Available Options:
  • Detected authentication elements (User, User Group)—As provided by the authentication method (Auth Connector/SAML). Be advised that user/group data is not always available before SSL Interception occurs.
  • IP/Subnet—Select from previously entered IP addresses/subnets that were defined on the Policy > Object Library page.
  • Locations—Exempt entire locations that are defined on the Connectivity > Locations page.
  • Deployment Type—Exempt all SSL traffic from a specific connectivity method. For example, do not intercept SSL traffic from any client connecting with Roaming Captive Portal or from mobile devices.
  • Lists (User, User Group, Location, IP/Subnet)—These are previously defined object lists. To create a list to use specifically for this SSL policy, navigate to Policy > Object Library > User Defined Objects.
Element Type: Destination
Available Options:
  • Category—Exempt web traffic that belongs to specific categories.
  • URL and IP/Subnet—Exempt specific URLs or IP addresses. Select from previously entered domains that were defined on the Policy > Object Library > User Defined Objects page.
  • Lists (Category List, URL List, IP/Subnet List)—These are previously defined object lists. To create a list to use specifically for this SSL policy, navigate to Policy > Object Library > User Defined Objects.
Before you enable policy, ensure you have downloaded and distributed the root certificate. See Install Encrypted Traffic Certificates.

About OCSP Validation

The OCSP Validation toggle provides you with the ability to enable or disable OCSP validation checks, so that you can:
  • Decide whether sites that fail validation are at risk for being untrustworthy.
  • Resolve any errors that are produced when OCSP validation is enabled.

Procedures

To create policy to exempt or intercept SSL traffic:
  1. Navigate to Policy > TLS/SSL Interception.
  2. Expand the TLS/SSL Interception Policy drop-down and click Add Rule.
  3. (Optional) Add sources:
    1. Click Add Sources.
    2. From the Available Sources drop-down lists, expand an element to filter the view.
    3. Select one or more sources to create policy for and click the right-pointing arrow to move sources to the Source Conditions list.
    4. (Optional) For most categories, you have the option to create a new source. The New drop-down list allows you to create a new object and add it to the policy from this dialog. This might be helpful if you are immediately troubleshooting from a source that is not currently part of a custom list.
    5. Click Save.
  4. (Optional) Add destinations:
    1. Click Add Destinations.
    2. From the Available Destinations drop-down lists, expand an element to filter the view.
    3. Select one or more destinations to create policy for and click the right-pointing arrow to move destinations to the Destination Conditions list.
    4. (Optional) For most categories, you have the option to create a new destination. The New drop-down list allows you to create a new object and add it to the policy from this dialog. This might be helpful if you are immediately troubleshooting a destination whose traffic is blocked by SSL policy.
    5. (Optional) You can create policy that uses Symantec's list of mobile applications that are known to break when decrypted. To add the list to policy, from the Available Destinations screen, click Mobile App Bypass.
    6. Click Save.
  5. Assign a verdict:
    • To intercept traffic for your defined sources and/or destinations, click Intercept.
    • To exempt traffic for your defined sources and/or destinations, click Do Not Intercept.
  6. Click Add Rule.
  7. After defining interception and exemption policies, enable SSL policy:
    1. Toggle the switch to Enabled.
    2. Click Activate. WSS now intercepts SSL traffic per the defined policy.
  8. (Optional) Configure the service to pass-through specific encrypted destination URLs, IP addresses/subnets, or Categories.
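The following is an added model, not Symantec's code, of how the default exemptions described at the top of this page (sensitive categories, the SSL Bypass List, the mobile-only Mobile App Bypass list, and the CASB Gatelets/Web Isolation restriction) combine with rules built by the procedure above (source and destination conditions plus an Intercept or Do Not Intercept verdict). The bypass-list hostnames are constructed stand-ins, and the rule semantics (first matching rule wins, rules override the defaults) are assumptions, since the page does not state evaluation order.

```python
from dataclasses import dataclass, field
from typing import Optional

# Categories WSS exempts by default (from the page): sensitive personal account data.
DEFAULT_EXEMPT_CATEGORIES = {"Brokerage/Trading", "Financial Services", "Health"}
# Constructed stand-ins for the Symantec-maintained bypass lists (see TECH252764).
SSL_BYPASS_LIST = {"pinned-app.example"}        # exempt on every device type
MOBILE_APP_BYPASS = {"mobile-pinned.example"}   # exempt for mobile devices only

@dataclass
class Request:
    host: str
    category: str
    mobile: bool
    user: Optional[str] = None  # user/group may be unknown before interception occurs

@dataclass
class Rule:
    """One TLS/SSL Interception Policy rule; empty condition sets match anything."""
    verdict: str                                   # "Intercept" or "Do Not Intercept"
    users: set = field(default_factory=set)        # source condition
    urls: set = field(default_factory=set)         # destination condition
    categories: set = field(default_factory=set)   # destination condition

    def matches(self, req: Request) -> bool:
        # An unknown user never satisfies a user condition, which is why the page
        # warns that user/group data is not always available before interception.
        if self.users and req.user not in self.users:
            return False
        if self.urls and req.host not in self.urls:
            return False
        return not self.categories or req.category in self.categories

def decide(req: Request, rules=()):
    """Return (intercepted, casb_gatelets_and_web_isolation_applied)."""
    intercept = None
    for rule in rules:  # assumption: first matching rule wins, and rules override defaults
        if rule.matches(req):
            intercept = rule.verdict == "Intercept"
            break
    if intercept is None:  # no rule matched: apply the default policy from the page
        exempt = (req.category in DEFAULT_EXEMPT_CATEGORIES
                  or req.host in SSL_BYPASS_LIST
                  or (req.mobile and req.host in MOBILE_APP_BYPASS))
        intercept = not exempt
    # CASB Gatelets and Web Isolation are not applied to mobile or bypassed traffic.
    return intercept, intercept and not req.mobile
```

Running `decide` on the same pinned host from a desktop and from a mobile device shows why the Mobile App Bypass list alone does not protect desktop clients, and why a Do Not Intercept rule keyed on a user silently fails to match when the user is not yet known.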