Symantec recommends that all SGOS-based appliances be configured with the strongest security policy possible. In an ideal world, denying all HTTPS traffic from servers that present invalid certificates would be a good first step. Unfortunately, that type of policy can block your users from legitimate resources, because not all HTTPS certificates are properly maintained.
This article provides steps to configure policy that monitors HTTPS traffic and records invalid certificates in an SSL access log. You can use your preferred log analysis tool (such as Blue Coat Reporter or Splunk) to analyze this data and report on the sites your users access most that present invalid HTTPS certificates. With this data in hand, you can plan further changes to your SSL security policy: whitelist trusted sites that do not offer good certificates, and prevent users from accessing unknown sites that do the same.
This article applies to forward proxy deployments of SGOS appliances: ProxySG, Advanced Secure Gateway, and SWG VA.
In following this solution, you will create a new access log with a custom format to track SSL errors, create policy that writes to the new log, and adjust the default Online Certificate Status Protocol (OCSP) settings so that the appliance does not reject this traffic during your analysis phase. Restore the OCSP settings once the analysis is complete, because relaxing them weakens revocation checking.
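The analysis step described above, as an added example that is not part of this article or of SGOS: a small Python script that reads a W3C ELFF access log, keeps only requests whose server certificate failed validation, and ranks the hosts by hit count so you can decide which to whitelist and which to block. The field list in the `#Fields:` header, the status and error values, and the log lines are constructed for illustration; the SGOS substitution field names `x-rs-certificate-validate-status`, `x-rs-certificate-observed-errors`, `x-rs-certificate-hostname` and `cs-host` are assumed to be the ones your custom format includes, so check them against your own format definition.

```python
"""Summarize invalid-server-certificate events from an SGOS SSL access log.

Added example, not from the Symantec article or from SGOS. It assumes the
custom log format is written as W3C ELFF with a ``#Fields:`` header and that
it includes the fields x-rs-certificate-validate-status,
x-rs-certificate-observed-errors and cs-host. The field order, the status
values and every log line below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample of what the custom-format log might look like.
SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Fields: date time c-ip cs-host cs-uri-port x-rs-certificate-validate-status x-rs-certificate-observed-errors x-rs-certificate-hostname
2020-03-02 09:14:01 10.0.0.21 www.example.com 443 CERT_VALID none www.example.com
2020-03-02 09:14:05 10.0.0.21 intranet.example.net 443 CERT_ERROR expired intranet.example.net
2020-03-02 09:14:09 10.0.0.44 intranet.example.net 443 CERT_ERROR expired intranet.example.net
2020-03-02 09:15:12 10.0.0.51 203.0.113.9 8443 CERT_ERROR untrusted_issuer;hostname_mismatch device.local
2020-03-02 09:16:30 10.0.0.21 www.example.org 443 CERT_VALID none www.example.org
2020-03-02 09:17:02 10.0.0.77 intranet.example.net 443 CERT_ERROR expired -
"""

# Assumed value for a certificate that validated cleanly; confirm against your log.
OK_STATUS = "CERT_VALID"


def parse_elff(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header.

    Fields are split on whitespace, which is enough for this format; a format
    containing quoted fields with spaces would need a proper tokenizer.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def invalid_cert_report(text, ok_status=OK_STATUS):
    """Return {host: {"hits": n, "clients": m, "errors": Counter}} for every
    host whose certificate failed validation, ordered most-hit first."""
    hits = Counter()
    clients = defaultdict(set)
    errors = defaultdict(Counter)
    for rec in parse_elff(text):
        if rec["x-rs-certificate-validate-status"] == ok_status:
            continue
        host = rec["cs-host"]
        hits[host] += 1
        clients[host].add(rec["c-ip"])
        # ELFF writes "-" for an empty field; a ';'-separated error list is assumed.
        for err in rec["x-rs-certificate-observed-errors"].split(";"):
            if err and err != "-":
                errors[host][err] += 1
    return {
        host: {"hits": n, "clients": len(clients[host]), "errors": errors[host]}
        for host, n in hits.most_common()
    }


if __name__ == "__main__":
    for host, info in invalid_cert_report(SAMPLE_LOG).items():
        errs = ", ".join(f"{e}={c}" for e, c in info["errors"].most_common())
        print(f"{host:24} hits={info['hits']:3} clients={info['clients']:3} {errs}")
```

A host that many distinct clients hit with a single, stable error (here `intranet.example.net`, expired) is a whitelist candidate after you confirm it is yours; a host reached by a raw IP with several errors at once is the kind of unknown site the later, stricter policy should deny.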
Create a new access log via the proxy Command Line Interface (CLI).
Log in to the proxy CLI with SSH, enter enable mode (en), and then enter configuration mode (conf t).
From configuration mode, enter the access-log submode and create the new log format:
(config access-log)# create format bcreporterssl_v2