Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?
Exhibit
config firewall policy
    edit 1
        set name "SSL-Inspection"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set profile-protocol-options "default"
        set av-profile "default"
        set webfilter-profile "default"
    next
end

Trap 1: The ssl-ssh-profile is set to 'deep-inspection' but the policy is…
This is essentially the same as B, but B is more precise.
Trap 2: The source interface is 'wan1' but the traffic is coming from…
The exhibit shows the policy matches traffic from wan1 to internal, which is correct for inbound inspection.
Trap 3: The policy has 'set action deny' instead of 'set action accept'.
The action is accept, so traffic is allowed.
- A
The policy is missing the 'set inspection-mode proxy' command.
Deep inspection requires proxy-based inspection mode.
- B
The ssl-ssh-profile is set to 'deep-inspection' but the policy is using flow-based inspection.
Why wrong: This is essentially the same as B, but B is more precise.
- C
The source interface is 'wan1' but the traffic is coming from 'internal'.
Why wrong: The exhibit shows the policy matches traffic from wan1 to internal, which is correct for inbound inspection.
- D
The policy has 'set action deny' instead of 'set action accept'.
Why wrong: The action is accept, so traffic is allowed.