Application Control: can't override block action with custom signature when HTTPS

serinfbco · ‎11-28-2017

The "proxy" category is blocked but we wan't to allow only one legit web site. We created a custom signature with the right pattern. In the override section this custom application is set to "monitor". But this site still blocked.

The problem seems that the custom signature worked and I see in the log the "pass" action when the service is HHTP BUT after that the workflow continue to HTTPS service and reach the default signature "Proxy.Websites" and at that time the action is set to "block"... So how to override the bock action? Is it possible to stop the workflow in the custom signature to stop processing after the "allow" action? We set the weight of the signature to 255 but this not working. Here the details:

The custom signature:

F-SBID( --attack_id 9524; --name "Permit.proxy.XXX"; --pattern "proxy.XXX.ca"; --protocol tcp; --no_case; --flow from_client; --context host; --app_cat 6; --weight 255;)

hmtay_FTNT · ‎12-15-2017

Adding the discussion on PM for references.

The reason the --depend-on and --scan-range dont fix the issue is because the signatures in IPS Definitions in 5.2 do not have those syntax. They are only used in 5.4 and above. One way you can get around now is to enable Proxy.Websites on Application Control and use the Web Filter's "Proxy Avoidance" to filter proxy websites for now. Then you can add an exception in the Static URL filter for your sites.

View solution in original post

hmtay_FTNT · ‎12-15-2017

Adding the discussion on PM for references.

The reason the --depend-on and --scan-range dont fix the issue is because the signatures in IPS Definitions in 5.2 do not have those syntax. They are only used in 5.4 and above. One way you can get around now is to enable Proxy.Websites on Application Control and use the Web Filter's "Proxy Avoidance" to filter proxy websites for now. Then you can add an exception in the Static URL filter for your sites.