Ensure Rule Matching for Encrypted Internet Traffic

Important

To ensure that internet rules match encrypted traffic as expected, you must add an extra rule that decrypts the traffic. Traffic cannot be inspected until it has been decrypted, it cannot match a rule until it can be inspected, and a single rule cannot both decrypt and inspect the same transaction.


This situation is best explained using the following example scenario.

Scenario

A Network ("Network1") source makes a web request to URL https://www.mydomain.com/myurl.

Rule does not match the traffic:
Top rule: Source: Any. Destination: https://www.mydomain.com/myurl. Decryption is enabled.
2nd Rule: Source: Any. Destination: Any. Decryption is disabled.
Result: The 2nd rule will apply.
Explanation: The top rule specifies a destination that can be identified only after the request has been decrypted. However, because decryption is enabled only in that same rule, the rule is never matched, and therefore decryption never occurs.

Rule matches the traffic:
Top rule: Source: Any. Destination: https://www.mydomain.com/myurl. Decryption can be enabled or disabled.
2nd Rule: Source: Any. Destination: Any. Decryption is enabled.
Result: The top rule will apply.
Explanation: The 2nd rule matches first and triggers decryption, giving Secure Access visibility into the URL being requested, but it is not the rule that finally applies. The rules are then re-run, top down, with the URL information available, and the top rule now matches.
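The two-pass behaviour described in this scenario, modelled as an added Python example (this is illustrative code, not Secure Access code): rules are walked top down, a URL destination is visible only after decryption, and a first-pass match on a rule with decryption enabled decrypts the session and re-runs the rules. The `never_matching_rules` check is an assumed helper that flags URL-destination rules for which no later catch-all rule decrypts the same traffic; the names `Rule`, `Request`, `evaluate` and the sample rule set are constructed here to mirror the scenario above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    source: str       # "Any" or a network name such as "Network1"
    destination: str  # "Any" or a full URL, which is visible only after decryption
    decrypt: bool     # True if decryption is enabled on this rule


@dataclass
class Request:
    source: str
    url: str                # the full URL the client actually requested
    decrypted: bool = False  # the URL cannot be inspected until this is True


def source_matches(rule: Rule, req: Request) -> bool:
    return rule.source == "Any" or rule.source == req.source


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule can only match on what the inspection point can currently see."""
    if not source_matches(rule, req):
        return False
    if rule.destination == "Any":
        return True
    # A URL destination cannot be identified inside a still-encrypted session.
    return req.decrypted and req.url == rule.destination


def evaluate(rules: list[Rule], req: Request) -> tuple[Optional[str], int]:
    """Walk the rules top down. If the first match has decryption enabled and the
    request is still encrypted, decrypt it and re-run the rules with the URL visible.
    Returns (name of the rule that applies, number of passes taken).
    req.decrypted flips at most once, so the loop runs at most two passes."""
    passes = 0
    while True:
        passes += 1
        matched = next((r for r in rules if rule_matches(r, req)), None)
        if matched is None:
            return None, passes
        if matched.decrypt and not req.decrypted:
            req.decrypted = True  # decryption happens here; re-run top down
            continue
        return matched.name, passes


def never_matching_rules(rules: list[Rule]) -> list[str]:
    """Assumed configuration check (not a product feature): flag URL-destination
    rules that no later catch-all rule with decryption enabled would decrypt for,
    because such a rule can never be matched (first scenario on this page)."""
    flagged = []
    for i, rule in enumerate(rules):
        if rule.destination == "Any":
            continue
        has_decryptor = any(
            other.decrypt and other.destination == "Any"
            and (other.source == "Any" or other.source == rule.source)
            for other in rules[i + 1:]
        )
        if not has_decryptor:
            flagged.append(rule.name)
    return flagged


def scenario(top_decrypt: bool, second_decrypt: bool) -> tuple[Optional[str], int]:
    """The page's two-rule scenario: Network1 requests https://www.mydomain.com/myurl."""
    rules = [
        Rule("Top rule", "Any", "https://www.mydomain.com/myurl", top_decrypt),
        Rule("2nd rule", "Any", "Any", second_decrypt),
    ]
    req = Request(source="Network1", url="https://www.mydomain.com/myurl")
    return evaluate(rules, req)


if __name__ == "__main__":
    print("Decryption only on the top rule:", scenario(True, False))  # ('2nd rule', 1)
    print("Decryption on the 2nd rule:     ", scenario(False, True))  # ('Top rule', 2)
```

Running `scenario(True, False)` reproduces the first case (the 2nd rule applies after a single pass because nothing ever decrypts the session), while `scenario(False, True)` reproduces the second case (the 2nd rule decrypts on pass one and the top rule matches on pass two). Running `never_matching_rules` over a rule set before deploying it surfaces the first misconfiguration without waiting for traffic to miss the rule.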
