ProxySG & Advanced Secure Gateway

  • 1.  SSL Interception Question

    Posted Nov 25, 2020 02:43 PM
    Edited by HigherHo Nov 25, 2020 03:14 PM

    Hello All,

    I have a question about the ProxySG's capability of SSL interception. I am in a position where I do not want to break and inspect User data, only want to have SSL interception enabled for Block pages on blocked categories only. Below is my setup and my understanding.

    1. I have SSL interception set up on HTTPS interception on exception
    2. My source right now is my test workstation
    3. Destination is the category I am blocking

    I have a rule in policy to present a block page. I tested this and when I go to a URL in that category I see my block page and the Sub CA certificate issued from the Proxy signing the request. When I go to a non-blocked category I see the certificates of the OCS, not the Sub CA (the Proxy). Now to me this seems that everything is working, but I have a question.

    Is the ProxySG only performing Man-in-the-Middle operations (meaning breaking the TLS connection between client and proxy, performing certificate emulation operations, etc.) on those blocked categories, or is it performing break and inspect across all traffic? The worry is we are breaking and inspecting user data when the goal is to only break the TLS connection and feed our block page when a blocked category is hit. Nothing else. Does the ProxySG determine the category before the TLS connection is made and data is presented to the proxy?

    Is there a way I can show this? I pulled a PCAP file of me hitting random sites, both blocked and not blocked. I would like to show in the proxy that this is "uninterrupted SSL" traffic and not decrypted traffic. Thank you for your support.



  • 2.  RE: SSL Interception Question

    Posted Nov 25, 2020 03:37 PM
    Hello Joshua,

    You will only be breaking the SSL connection for those requests that result in an exception being returned to the client e.g. a blocked site, a DNS error, a TCP error and such like. A policy trace will be your best bet to show what is being intercepted (or not).

    Regards
    Paul Riddington
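A client-side way to demonstrate the behaviour asked about in post 1 and described in post 2, added here as an example and not code from either poster or from Broadcom: for each test host, record the issuer of the leaf certificate the client actually receives through the proxy, then check that the proxy's Sub CA only ever appears on sites expected to return an exception. It assumes an explicit proxy at PROXY and a Sub CA with issuer CN SUBCA_CN (both placeholders); the host list is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: an explicit proxy at
# $PROXY and a proxy Sub CA whose issuer CN is $SUBCA_CN (placeholders);
# the "host yes|no" lines fed to audit() are constructed sample data.
PROXY="${PROXY:-proxy.example.internal:8080}"
SUBCA_CN="${SUBCA_CN:-ProxySG Sub CA}"

# Issuer CN of the leaf certificate the client is handed for HOST via the
# proxy: the origin's CA on pass-through, the Sub CA when an exception is served.
issuer_cn() {
  openssl s_client -proxy "$PROXY" -connect "$1:443" -servername "$1" \
      </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# verdict HOST ISSUER_CN BLOCKED(yes|no): one-word classification.
#   ok-passthrough  origin cert on an allowed site: not decrypted
#   ok-exception    proxy cert on a blocked site: block page path only
#   UNEXPECTED-MITM proxy cert on an allowed site: user data is decrypted
#   no-exception    origin cert on a blocked site: no block page served
verdict() {
  issuer=$2; blocked=$3
  if [ "$issuer" = "$SUBCA_CN" ]; then
    [ "$blocked" = yes ] && echo ok-exception || echo UNEXPECTED-MITM
  else
    [ "$blocked" = yes ] && echo no-exception || echo ok-passthrough
  fi
}

# audit: read "host yes|no" lines from stdin, print a verdict per host, and
# return 1 if any allowed site came back with the proxy's certificate.
audit() {
  rc=0
  while read -r host blocked; do
    v=$(verdict "$host" "$(issuer_cn "$host")" "$blocked")
    printf '%-30s blocked=%-3s %s\n' "$host" "$blocked" "$v"
    [ "$v" = UNEXPECTED-MITM ] && rc=1
  done
  return $rc
}

# Example run (needs the proxy reachable; hosts are constructed):
#   . ./check.sh; printf 'www.example.com no\nblocked.example.test yes\n' | audit
```

Pair the output with the policy trace suggested above: an `UNEXPECTED-MITM` line is exactly the case the original poster is worried about, and the trace shows which rule caused it.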