Forum Discussion

neeeewbie
Aug 11, 2022

SSLO malfunctions when an SNI block and an IP intercept condition are configured.


I need your help!

SSLO malfunctions when I configure a condition that blocks pinner sites and intercepts an IP address.

Environment: configured in the security policy

1st match: block pinner sites and intercept IP address

2nd match: bypass some IP addresses

3rd match: bypass all traffic


Malfunction: the configured IP address cannot access the blocked pinner site and can access other sites, but other clients cannot access the internet.

But it works well when I swap the order of rules 1 and 2.

Please let me know if you know anything about this!


2 Replies

  • SSLO security policy rules are nested and evaluated top-down. So basically, like any firewall rule, once a match is made, no further rule processing is done.

    It's also important to understand that some rule conditions require server-side validation. In this case, the URL category conditions require SSLO to reach out to the server to evaluate the server certificate. The Pinners rule includes a category lookup. If you have some traffic that would break because of this server-side "look", for example when the server requires mutual TLS (mTLS) authentication, you need to move your layer 3 and layer 4 rules above any rules that do category lookups.
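The reply above describes two behaviours: first-match, top-down evaluation, and the fact that a category condition can only be decided after SSLO has contacted the server. The following Python model is an added illustration and is not F5 code; the rule names, the subnets, the category names and the assumption that the server-side certificate fetch fails against an mTLS-only server are all constructed to show how the same flow is treated under the original rule order and under the order the reply recommends (L3 bypass rules above the category rule).

```python
"""Model of top-down, first-match evaluation of an SSLO-style security policy.

Added illustration, not F5's implementation. Rule names, subnets, categories
and the "server-side look breaks on an mTLS server" behaviour are assumptions
that model what the forum reply describes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    client_ip: str
    server_category: str            # what a URL-category lookup would report
    server_requires_mtls: bool = False


@dataclass
class Rule:
    name: str
    action: str                                      # "intercept", "bypass" or "block"
    src_nets: List[str] = field(default_factory=list)    # L3 condition; empty = any client
    categories: List[str] = field(default_factory=list)  # URL category; needs a server-side look


@dataclass
class Result:
    rule: Optional[str]      # rule that terminated evaluation (None = fell off the end)
    action: Optional[str]    # None when the flow broke before any rule matched
    server_looks: int        # how many server-side certificate fetches were needed
    broken: bool             # True when a server-side look hit an mTLS-only server


def evaluate(policy: List[Rule], flow: Flow) -> Result:
    """Walk the policy top-down; the first rule whose conditions all hold wins."""
    looks = 0
    for rule in policy:
        if rule.src_nets and not any(
            ip_address(flow.client_ip) in ip_network(net) for net in rule.src_nets
        ):
            continue  # L3 condition failed; decided without touching the server
        if rule.categories:
            # A category condition cannot be decided until SSLO has fetched the
            # server certificate. Assumed: an mTLS-only server rejects that probe,
            # so the flow breaks regardless of what a later rule would have done.
            looks += 1
            if flow.server_requires_mtls:
                return Result(rule.name, None, looks, True)
            if flow.server_category not in rule.categories:
                continue
        return Result(rule.name, rule.action, looks, False)  # first match wins
    return Result(None, None, looks, False)


# Constructed policy modelled on the original post (subnets are assumptions).
PINNERS = Rule("block-pinners", "block", categories=["Pinners"])
INTERCEPT = Rule("intercept-hosts", "intercept", src_nets=["10.0.1.0/24"])
BYPASS_HOSTS = Rule("bypass-hosts", "bypass", src_nets=["10.0.2.0/24"])
ALL_BYPASS = Rule("all-bypass", "bypass")

ORIGINAL_ORDER = [PINNERS, INTERCEPT, BYPASS_HOSTS, ALL_BYPASS]
# The reply's advice: L3 rules that should never trigger a server-side look go first.
FIXED_ORDER = [BYPASS_HOSTS, PINNERS, INTERCEPT, ALL_BYPASS]

# Constructed sample flows.
BYPASS_CLIENT_TO_MTLS = Flow("10.0.2.5", "Business", server_requires_mtls=True)
INTERCEPT_CLIENT_TO_PINNER = Flow("10.0.1.5", "Pinners")
INTERCEPT_CLIENT_TO_NORMAL = Flow("10.0.1.5", "Business")
OTHER_CLIENT_TO_MTLS = Flow("192.168.1.5", "Business", server_requires_mtls=True)


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(f"--- {label} order: {[r.name for r in policy]}")
        for flow in (BYPASS_CLIENT_TO_MTLS, INTERCEPT_CLIENT_TO_PINNER,
                     INTERCEPT_CLIENT_TO_NORMAL, OTHER_CLIENT_TO_MTLS):
            print(f"{flow.client_ip:>13} -> {flow.server_category:<9}", evaluate(policy, flow))
```

In the original order every client, including the hosts that were meant to be bypassed, is subjected to the server-side look by the first rule, and the bypass client talking to an mTLS-only server breaks before its bypass rule is ever reached. With the bypass rule moved to the top that client is decided on L3 alone with zero server looks. Note that a client not covered by any earlier L3 rule (the 192.168.1.5 flow) still gets the look under the fixed order; if such clients must reach mTLS-only servers, they need their own L3/L4 rule above the category rule as well.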