Chapter 41 SSL Inspection
ZyWALL USG Series User’s Guide
41.3 Exclude List Screen
There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues
may vary by locale, so it's important to check with your legal department to make sure that it’s OK to
intercept SSL traffic from your Zyxel Device users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude
matching sessions to destination servers. This traffic is not intercepted and is passed through
uninspected.
Click Configuration > UTM Profile > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list, Edit to change an existing one, or Remove to delete an existing entry.
Table 283 Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit (continued)

LABEL: DESCRIPTION

Action: To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon.
    none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s).
    drop: Select this action on an individual signature or a complete service group to have the Zyxel Device silently drop a packet that matches the signature(s). Neither sender nor receiver is notified.
    reject-sender: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.
    reject-receiver: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing.
    reject-both: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.

#: This is the entry’s index number in the list.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

SID: Type the exact signature ID (identification) number that uniquely identifies a Zyxel Device IDP signature.

Log: These are the log options. To edit this, select an item and use the Log icon.

Action: This is the action the Zyxel Device should take when a packet matches a signature here. To edit this, select an item and use the Action icon.

OK: Click OK to save your settings to the Zyxel Device, and return to the profile summary page.

Cancel: Click Cancel to return to the profile summary page without saving any changes.