Overview

HTTPS traffic is hard to classify because once the secure connection between the client and the server is established, the Exinda cannot remember what the certificate common-name is and it classifies the traffic as HTTPS.

Information

Find the HTTPS URL 

We could get a sneak peek of the initiation of this connection to find the certificate common_name. If we can manage to go to Monitor > Real Time, filter the IP involved and see what flows are seen from the beginning of the conversation, one of them might show up as HTTPS followed by a URL enclosed in square brackets. This URL is what we call common_name, which is the server that is publishing those certificates.

Block the Traffic

In order to block this traffic, we can create an Application Object (under Configuration > Objects > Applications) selecting SSL as the L7 signature followed by common_name and then the URL seen in Real Time traffic. Then, create a discard policy by going to Optimizer with this newly created application object. For the common_name URL, it is recommended to only apply the root domain of the URL or just some part of it and not all (Exinda will assume that every URL that contains this section will be included in the application object.

Restart the Optimizer

Finally, restart the Optimizer. Since most of the users already established a connection, this might not work immediately, it will take some time for the client and the server to re-establish the certificate connection, and for the worst case scenario, the PCs need to be restarted for this to work.