SRX Services Gateway

SSL Proxy Forward identifying what's going on

02-22-2019 07:44 AM

I recently configured the SSL forwarding proxy. My reason for doing so is because I need to be able to identify HTTPS and FTPS DNS names that aren't passing their SNI. This is important for sites where the IP address is not always the same or changes frequently. I also wanted to be able to incorporate this into my web filtering so I could properly whitelist or blacklist sites that are SSL and do so by the DNS name even if there is no SNI available. I have added it to a policy, and when running the command "show services ssl proxy statistics" it shows several thousand matched and several thousand sessions created, but I can't find anywhere to show me what DNS names it has read. I have the enable-trace option turned on and I am looking at the logs, but I can't find anything super helpful.


Re: SSL Proxy Forward identifying what's going on

02-22-2019 09:05 AM

I literally set up the same and I'm also interested. Counters on sessions matched and sessions created, but nothing on sessions active. I would have expected some at least for that.

I do get flow logs from the SSL proxy I activated for my test policy, so I know traffic is hitting it.


Re: SSL Proxy Forward identifying what's going on

02-22-2019 10:26 AM

What's really frustrating is the whole point of this was to be able to inspect HTTPS traffic for web filtering. However, when I put both the UTM policy and the ssl-proxy on the policy as the instructions in this article show (https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122), it ignores my UTM policy and allows traffic that should have been blocked by it.


Re: SSL Proxy Forward identifying what's going on

02-22-2019 02:46 PM

Got it to work.

Firewall policy (screenshot 01.png)

ssl proxy profile (screenshot 02.png)

SRX local-certificate (screenshot 03.png)

The key is having a local certificate that is Certificate Signing capable. We have a Windows Active Directory and a Certification Authority server. I requested a certificate with the above attributes (Certificate Signing) and loaded it on the SRX. I then used that as the "root-ca" on my ssl proxy profile. Because I'm using a computer that is a member of our domain, the root CA of the domain is already loaded and trusted, which in turn trusts any certificate signed by the SRX.

What I also found out is that the "ignore-server-auth-failure" under the "actions" tab causes the SRX to generate an SSL certificate with an "SSL-PROXY: DUMMY" issuer, which causes every browser to error out because of "Invalid CA certificate". For this to work, you MUST go through this step to load public CAs:

(screenshot 04.png)


And delete the "ignore-server-auth-failure" for it to work properly.

When all is said and done, all HTTPS website certificates look like they are issued and signed by the SRX.

Sample: Yahoo.com (screenshot 05.png)

My application-firewall in my policy is also working now, so I assume your web filtering should too.
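The reply above describes its working setup only through screenshots. The following is an added example, not the poster's configuration or anything from KB31122 verbatim, showing the same arrangement as Junos set-style commands: a CA-capable local certificate used as the proxy's root-ca, the public root CA bundle loaded so origin servers can be validated, no ignore-server-auth-failure, and the SSL proxy profile applied on the same security policy as the UTM policy. All certificate, profile, policy, zone and file names are placeholders; the key pair for the local certificate is assumed to already exist on the SRX (it is normally generated on the device before the CSR is sent to the Windows CA).

```junos
## Added example (not the poster's config). Names such as srx-fwd-proxy-ca,
## public-root-cas, fwd-proxy-profile, allow-web and web-filter-policy are
## placeholders; zone names trust/untrust are assumptions.

## 1. Load the Certificate Signing capable certificate issued by the internal CA.
##    Assumes the key pair srx-fwd-proxy-ca was generated on the SRX beforehand.
request security pki local-certificate load certificate-id srx-fwd-proxy-ca filename /var/tmp/srx-fwd-proxy-ca.pem

## 2. Load the built-in bundle of public root CAs. This is the step the reply
##    found to be mandatory; without it the proxy cannot validate origin servers.
request security pki ca-certificate ca-profile-group load ca-group-name public-root-cas filename default

## 3. SSL forward proxy profile. Re-issued server certificates are signed by the
##    local CA; origin servers are validated against the loaded public roots.
##    Deliberately no "actions ignore-server-auth-failure": the reply traced the
##    "SSL-PROXY: DUMMY" issuer and browser errors to that knob.
set services ssl proxy profile fwd-proxy-profile root-ca srx-fwd-proxy-ca
set services ssl proxy profile fwd-proxy-profile trusted-ca all
set services ssl proxy profile fwd-proxy-profile actions log all

## 4. Apply the SSL proxy profile and the UTM policy together on the policy
##    that permits the HTTPS traffic, so web filtering sees decrypted sessions.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services ssl-proxy profile-name fwd-proxy-profile
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy web-filter-policy
set security policies from-zone trust to-zone untrust policy allow-web then log session-init session-close

## 5. Verification after commit.
show security pki local-certificate certificate-id srx-fwd-proxy-ca detail
show services ssl proxy statistics
```

The "actions log all" line is the usual way to get per-session SSL proxy syslog records rather than only the aggregate counters the original question mentions; which fields those records carry (certificate subject, server name) varies by Junos release, so check the output on the specific platform. On the client side, trust for the re-issued certificates comes from the domain's root CA already being distributed to domain members, exactly as the reply describes; non-domain devices will need that root installed explicitly or they will see certificate errors.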