Adding websites to the Incident List

Use the Configure > SSL > Incidents > Add Website tab to specify sites that you want to allow, blacklist, or tunnel. Sites that are added manually are assigned chronological Ticket IDs. These appear on the Incident List. See Viewing incidents.

Steps

  1. Enter the URL of the site to add to the Incident List.
    Note: When specifying an IPv6 address, enclose the address in square brackets ([]).
  2. Select either By Certificate or By URL.
    • By Certificate provides greater security. When a site is added by certificate:
      • Clients cannot bypass the policy by using the IP address rather than the URL.
      • Content Gateway retrieves the server certificate and adds the site to the Incident List.

        If sites are blocked by certificates, wildcard certificates are not accepted, even if the common name is recognized.

    • Select By URL to tunnel, allow, or blacklist the site.
  3. In the Action drop-down list, specify if the site should be added with Tunnel, Allow, or Blacklist status.
    • Tunnel: (Valid for By URL only) The site is tunneled. Traffic is not decrypted and Content Gateway does not check the certificate.
      Important:

      Tunnel by URL does not work for all transparent proxy requests.

      It works under these conditions:

      • When the client application uses TLS and includes an SNI (server name indication), Content Gateway checks the Incident list for the hostname in the SNI.
      • When there is no SNI, Content Gateway connects to the origin server to retrieve the certificate. If the Common Name is a unique FQDN, Content Gateway looks it up in the Incident list. If the Common Name contains a “*” (wildcard), or is not a unique FQDN, Content Gateway looks for the server's IP address in the Incident list instead. Consequently, a Tunnel entry added only as a hostname does not match connections without SNI to a site that presents a wildcard certificate; add the server's IP address as well in that case.

      Alternatively, use ARM Static bypass rules.

    • Allow: Users can access the site even if the certificate is not valid. Traffic is decrypted, and certificate checking is disabled.
    • Blacklist: The site is completely blocked. Users cannot access this site even if the Verification Bypass is configured.
  4. Click Apply.

    As a best practice, administrators should manually add sites to the Incident List after monitoring network traffic for a period of time with the Certificate Verification Engine (CVE) disabled. (See Configuring validation settings.) This enables administrators to improve performance by tunneling trusted sites and blocking those they know should not be accessed.
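The following is an added example, written for this page and not Content Gateway's own code, that makes the Tunnel-by-URL matching order from step 3 concrete: it pulls the SNI out of a TLS ClientHello and then applies the documented lookup order (SNI, else a unique-FQDN Common Name, else the server IP) against a small Incident List. The Incident List as a dict, the rule that a Common Name without a dot is "not a unique FQDN", and all hostnames, addresses and ClientHello bytes are assumptions constructed for the example.

```python
"""Tunnel-by-URL lookup order for transparent proxy requests, as an added
illustration (not Content Gateway code).  Assumptions not taken from the
page: the Incident List is a dict of lower-cased key -> action, a Common
Name with no dot counts as "not a unique FQDN", and every hostname, IP and
ClientHello below is constructed test data."""
import struct
from typing import Optional


def normalize_key(key: str) -> str:
    """Lower-case a hostname/IP and strip the [] the UI requires around IPv6."""
    key = key.strip().lower()
    if key.startswith("[") and key.endswith("]"):
        key = key[1:-1]
    return key


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent.
    Minimal parser: one unfragmented record, host_name entries only."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:]                       # skip record(5) + handshake(4) headers
    pos = 2 + 32                            # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                      # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                       # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                       # compression_methods
    if pos + 2 > len(body):
        return None                         # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000 and body[pos + 2] == 0x00:   # server_name, type host_name
            (name_len,) = struct.unpack("!H", body[pos + 3:pos + 5])
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello, with or without SNI."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def is_unique_fqdn(cn: str) -> bool:
    """A CN is usable as a lookup key only if it is a wildcard-free FQDN."""
    return "*" not in cn and "." in cn.strip(".")


def lookup_key(sni: Optional[str], cert_cn: str, server_ip: str) -> str:
    """Documented order: SNI, else unique-FQDN Common Name, else server IP."""
    if sni:
        return normalize_key(sni)
    if is_unique_fqdn(cert_cn):
        return normalize_key(cert_cn)
    return normalize_key(server_ip)


def tunnel_action(incident_list: dict, sni: Optional[str],
                  cert_cn: str, server_ip: str) -> Optional[str]:
    """Action for this connection, or None when nothing matches (the connection
    then falls through to normal decryption and certificate verification)."""
    return incident_list.get(lookup_key(sni, cert_cn, server_ip))


# Constructed Incident List: one site added By URL as a hostname, one as an IPv6 address.
INCIDENTS = {normalize_key(k): v for k, v in {
    "updates.example.com": "Tunnel",
    "[2001:db8::10]": "Tunnel",
}.items()}

if __name__ == "__main__":
    sni = extract_sni(build_client_hello("Updates.Example.COM"))
    print("SNI present, wildcard cert:", tunnel_action(INCIDENTS, sni, "*.example.com", "203.0.113.7"))
    print("no SNI, unique CN:         ", tunnel_action(INCIDENTS, None, "updates.example.com", "203.0.113.7"))
    print("no SNI, wildcard CN, v6 IP:", tunnel_action(INCIDENTS, None, "*.example.com", "2001:db8::10"))
    print("no SNI, wildcard CN, v4 IP:", tunnel_action(INCIDENTS, None, "*.example.com", "203.0.113.7"))
```

The last case is the one that surprises administrators: the hostname is on the Incident List, but because the client sent no SNI and the certificate is a wildcard, the lookup is done by IP address, nothing matches, and the connection is decrypted rather than tunneled.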