ProxySG & Advanced Secure Gateway

  • 1.  How to differentiate SSL Intercept and SSL Bypass in Policy Trace logs

    Posted Jun 25, 2025 09:22 AM

    Hi, 

    I've collected Policy trace logs and want to understand the SSL Intercept and SSL Bypass for the same URL. 

    Ex: krisp.ai application Policy trace logs collected for both SSL intercept and SSL Bypass. 

    Thank you in advance. 



  • 2.  RE: How to differentiate SSL Intercept and SSL Bypass in Policy Trace logs

    Posted Jun 30, 2025 03:55 AM

    Hi,
    when you add this to a CPL-Layer: 

    <proxy>
    url.domain="nasa.gov"   trace.request(yes) trace.destination("Trace-log123")

    <ssl>
    url.domain="nasa.gov"   trace.request(yes) trace.destination("Trace-log123")

    and!!!
    SSL-Interception is active:

    You will find: 
    1. tcp://nasa.gov - this is the TCP-Handshake between Proxy and Webserver
    2. ssl://nasa.gov - this is the SSL-Handshake, where Proxy and Webserver negotiate the ciphers, TLS version and certificate(s).
    3. GET https://nasa.gov/path/index.html - This is the Download of Files/html etc. from the Webserver.

    When SSL-Interception is switched off: you will only see the TCP and the SSL
    When SSL-Detection is switched off: you should only see the TCP

    Or: 
    When the default rule on your Proxy is set to deny - you would need to allow bypassed-traffic in the VPM/CPL - you could add a Trace-Log (trace.request(yes) trace.destination("bypass-log")) to this rule, that allows the bypass-traffic. (Ok this will also work with default on allow).
    And in the other case: add a trace-log to the ssl-interception rule: (trace.request(yes) trace.destination("SSL-Intercepted"))
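
Added example, not part of the reply above and not Broadcom code: a small Python classifier that applies the tcp:// / ssl:// / https:// rule from this reply to two trace captures of the same host, as in the original question. The sample lines are constructed and reduced to the URL forms quoted in the reply; real policy trace output carries more fields, and the function names and labels are assumptions.

```python
import re
from collections import Counter, defaultdict

# Transaction URL forms named in the reply: tcp://host, ssl://host, https://host/...
TXN = re.compile(r"\b(tcp|ssl|https)://([^/:\s]+)", re.IGNORECASE)

# Constructed sample captures (not real ProxySG output).
TRACE_INTERCEPT_ON = """\
tcp://krisp.ai
ssl://krisp.ai
GET https://krisp.ai/path/index.html
tcp://example.org
"""
TRACE_INTERCEPT_OFF = """\
tcp://krisp.ai
ssl://krisp.ai
"""

def schemes_by_host(trace_text):
    """Count which transaction types appear for each host in a trace."""
    seen = defaultdict(Counter)
    for line in trace_text.splitlines():
        for scheme, host in TXN.findall(line):
            seen[host.lower()][scheme.lower()] += 1
    return seen

def classify(counts):
    """Map the transaction types seen for one host to the three cases in the reply."""
    if counts["https"]:
        return "intercepted"      # TCP + SSL + decrypted HTTPS request visible
    if counts["ssl"]:
        return "not-intercepted"  # handshake seen, no request inside the tunnel
    if counts["tcp"]:
        return "tcp-only"         # SSL detection off: only the TCP transaction
    return "unknown"

def report(trace_text):
    return {host: classify(c) for host, c in schemes_by_host(trace_text).items()}

def compare(trace_a, trace_b):
    """Side-by-side verdicts for every host that appears in either capture."""
    a, b = report(trace_a), report(trace_b)
    return {h: (a.get(h, "absent"), b.get(h, "absent")) for h in sorted(set(a) | set(b))}

if __name__ == "__main__":
    for host, verdicts in compare(TRACE_INTERCEPT_ON, TRACE_INTERCEPT_OFF).items():
        print(host, verdicts)
```

Hosts are grouped by exact name, so subdomains matched by a `url.domain=` rule show up as separate entries.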




  • 3.  RE: How to differentiate SSL Intercept and SSL Bypass in Policy Trace logs

    Posted 30 days ago

    First of all, in the access logs, if you only see CONNECT requests and SSL, no HTTPS - this means there was no interception.

    The different protocols (TCP, SSL and HTTPS) that appear in Reporter reports

    Secondly, you can enable trace in the SSL Interception or SSL Access layer, and it will show you the SSL policy evaluation.

    One last thing, if you only see CONNECT requests, this means the application probably doesn't trust the Certificate or something else in the TLS\SSL and just keeps trying to connect again after dropping the connection each time.