Create Intra-Data-Center Decryption Policy Rules

Create rules that decrypt east-west traffic between data center servers so you can inspect the traffic and protect your most valuable resources against malware and other threats.
Why decrypt traffic inside the data center? After all, there are no users and the data center is a safe environment deep inside the secure network. But nothing could be farther from the truth. The data center is a perfect place for attackers to hide precisely because many people think the data center is safe and don’t look there. But the same basic tenet that’s true in the rest of the network holds true in the data center: you can’t protect yourself against what you can’t see. Decrypt encrypted data center traffic so that the firewall can inspect traffic, control access, make threats visible, and protect your valuable assets.
Some data center traffic is unencrypted (cleartext). Don’t enable decryption on cleartext flows because there is nothing to decrypt.
In Create Intra-Data-Center Application Whitelist Rules, we created Security policy rules that allow servers involved with Finance Department applications that are in different application tiers to communicate with each other. Here we create analogous Decryption policy rules to decrypt the traffic that those rules allow.
  1. Decrypt finance application traffic between the web server tier and the application server tier.
    This rule decrypts the traffic flowing between the web server tier and the application server tier for the Finance department’s billing servers so that the firewall can see the traffic and protect the servers in each tier against potential threats.
    web-to-app-server-decrypt-pol-rule-intra-dc.png
    To create this rule:
    • Specify the same source and destination as in the analogous Security policy rule. In this example, the source is the
      Web-Servers
      dynamic address group in the
      Web-Server-Tier-DC
      zone, and the destination is the
      Billing-App-Servers
      in the
      App-Server-Tier-DC
      zone.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSL Forward Proxy
      . Apply the data center best practice Decryption Profile to apply SSL Forward Proxy and SSL Protocol Settings to the traffic.
  2. Decrypt finance application traffic between the application server tier and the database server tier.
    This rule decrypts the traffic flowing between the application server tier and the database server tier for the Finance department’s billing servers so that the firewall can see the traffic and protect the servers in each tier against potential threats.
    app-to-db-server-decrypt-pol-rule-intra-dc.png
    To create this rule:
    • Specify the same source and destination as in the analogous Security policy rule. In this example, the source is the
      Billing-App-Servers
      dynamic address group in the
      App-Server-Tier-DC
      zone, and the destination is the
      DB2-Servers
      in the
      DB-Server-Tier-DC
      zone.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSL Forward Proxy
      . Apply the data center best practice Decryption Profile to apply SSL Forward Proxy and SSL Protocol Settings to the traffic.

Related Documentation