Forum Discussion
neeeewbie
MVP
MVPSSLO make malfunction when configure SNI Block and IP intercept condition.
Hi
I need your help!
SSLO make malfunction when configure condition of Block pinner site and intercept IP Address
environment:configure on security policy
1st match : Block pinner site and intercept IP Address
2nd match : bypass some IP Address
3rd match : all traffic bypass
malfunction: configure IP can't access block pinner site and other site can access but other client can't access internet
but it is work well when change order 1 and 2
please let me know if you know that!
thanks
- LiefZimmerman
Admin
neeeewbie - I'll reach out to some SSLO folks and see if they can help.
- Kevin_Stewart
Employee
SSLO security policy rules are nested and evaluated top-down. So basically, like any firewall rule, once a match is made, no further rule processing is done.
It's also important to understand that some rule conditions require server-side validation. In this case, the URL category conditions require SSLO to reach out to the server to evaluate the server certificate. The Pinners rule includes a category lookup. If you have some traffic that would break becuase of this server side "look", for example when the server requires mutual TLS (mTLS) authentication, you need to move your layer 3 and layer 4 rules above any rules that do category lookup.
