Adding websites to the Incident List

• By Certificate provides greater security. When a site is added by certificate:
  • Clients cannot bypass the policy by using the IP address rather than the URL.
  • Content Gateway retrieves the server certificate and adds the site to the Incident List.

    If sites are blocked by certificates, wildcard certificates are not accepted, even if the common name is recognized.

• Select By URL to tunnel, allow, or blacklist the site.

• Tunnel: (Valid for By URL only) The site is tunneled. Traffic is not decrypted and Content Gateway does not check the certificate.
  Important:

  Tunnel by URL does not work for all transparent proxy requests.

  It works under these conditions:

  • When the client application uses TLS and includes an SNI (server name indication), Content Gateway checks the Incident list for the hostname in the SNI.
  • When there is no SNI, Content Gateway connects to the origin server to retrieve the certificate. If the Common Name is a unique FQDN, Content Gateway looks it up in the Incident list. If the Common Name contains a “*” (wildcard), or is not a unique FQDN, Content Gateway looks for the IP address in the Incident list.

  Alternatively, use ARM Static bypass rules.

• Allow: Users can access the site even if the certificate is not valid. Traffic is decrypted, and certificate checking is disabled.
• Blacklist: The site is completely blocked. Users cannot access this site even if the Verification Bypass is configured.

As a best practice, administrators should manually add sites to the Incident List after monitoring network traffic for a period of time with the CVE disabled. (See Configuring validation settings.) This enables administrators to improve performance by tunneling trusted sites and blocking those they know should not be accessed.