Create rules that decrypt partner, vendor, customer,
and other third-party traffic from the internet to the data center
so you can inspect the traffic and protect your most valuable assets
against malware and other threats.
Create Decryption policy rules to provide
visibility into traffic that enters the data center from the internet
so that you can apply Security policy to that traffic. When you
create a Security policy rule that allows access to a set of data
center servers, create a decryption policy rule to decrypt that
traffic. In Create Internet-to-Data-Center Application Allow Rules, we created
a Security policy rule that allows access from internet to the web
server tier in the data center, using only allowed applications.
Here we create a decryption policy rule (
) to decrypt the
traffic that this rule allows.
To decrypt traffic so that
a Security policy rule can examine it and allow or block it based
on policy, the Decryption policy rule must use the same source zone(s)
and user(s) as the analogous security policy rule, and the same
destination zone and address (often defined by a dynamic address group so that as you add
or remove servers, you can update the firewall without a commit
operation). Defining the same source and destination in the Security
policy and in the Decryption policy applies both policies to the
Decrypt allowed traffic from the internet to data
center web servers.
This rule shows how to decrypt traffic from externally
initiated connections to the data center. For example, the application
allow rules we created enable external traffic access to the data
center web serves, using only certain applications. To protect the
data center web servers, decrypt traffic so the firewall can inspect
it and apply threat prevention profiles.
To create this rule:
Specify the same source
and destination as in the analogous security policy rule. In this
case, the Source is the
and the Destination is the servers specified in the
address group in the
On the Options tab, set the Action to
the decryption Type to
SSL Inbound Inspection
Specify the server certificate for the web servers (
) and apply the data center best practice
Decryption Profile to apply SSL Inbound Inspection and SSL Protocol
Settings to the traffic.
Create similar Decryption policy rules for traffic from
the internet to any other server group, if such access is allowed,
and for the other applications you allow.