Set Up Outbound Decryption on Cloud NGFW for AWS

Learn how to configure outbound decryption on the Cloud NGFW for AWS.
With Outbound decryption, Cloud NGFW behaves like an SSL Forward Proxy, and uses its associated certificates to establish itself as a trusted third party (man-in-the-middle) for the client-server session. However, Cloud NGFW keeps your traffic packet headers and payload intact, providing complete visibility of the source’s identity to your destinations.
Outbound decryption uses two certificate objects - Trust and Untrust. The NGFW presents the trust certificate to clients during SSL decryption if the client is attempting to connect to a server that has a certificate signed by a trusted certificate authority (CA). Alternatively. the NGFW presents the untrust certificate to the client attempting to connect to a server that has a certificate signed by a CA that the NGFW does not trust.
You can configure the NGFW resource to decrypt the SSL traffic leaving your VPC or subnet. You can then enforce App-ID and security settings on the plaintext traffic, including Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the plaintext traffic as it exits the firewall to ensure privacy and security.
This procedure only defines the certificates that the firewall uses for Outbound TLS Decryption. You must enable Outbound TLS Decryption during rule creation.
  1. Select
    and select a previously-created rulestack which to apply the certificate.
  2. Select
    Security Profiles
    Egress Decryption
    The CA value under the Basic Constraints in the CA certificate must be set to
  3. Select a certificate.
    • Select an
      Untrust Certificate
    • Select an
      Trust Certificate
    Create a certificate if you have not done so already.
    The certificate and private key are stored in the AWS Secrets Manager (ASM), and the workload uses these information to decrypt the traffic.
    The certificate must be a CA certificate. Set the CA value in the Basic Constraints must be set to TRUE. The following is an example private CA certificate.
    Certificate: Data: Version: 3 (0x2) Serial Number: 4121 (0x1019) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=Example Company Root CA, OU=Corp, Validity Not Before: Feb 26 20:27:56 2018 GMT Not After : Feb 24 20:27:56 2028 GMT Subject: C=US, ST=WA, L=Seattle, O=Examples Company Subordinate CA, OU=Corporate Office, Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c0: ... a3:4a:51 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: F8:84:EE:37:21:F2:5E:0B:6C:40:C2:9D:C6:FE:7E:49:53:67:34:D9 X509v3 Authority Key Identifier: keyid:0D:CE:76:F2:E3:3B:93:2D:36:05:41:41:16:36:C8:82:BC:CB:F8:A0 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, CRL Sign Signature Algorithm: sha256WithRSAEncryption 6:bb:94: ... 80:d8
    If the certificate is a chain, use the leaf certificate and key. Import the Root CA certificate and Intermediate CA certificate to the client Truststore. Following is an example of how to import Root CA certificate and Intermediate CA certificate to the Truststore in Ubuntu OS.
    $ sudo apt-get install -y ca-certificates $ sudo cp root-ca.crt /usr/local/share/ca-certificates $ sudo cp intermediate-ca.crt /usr/local/share/ca-certificates $ sudo update-ca-certificates
    If you are using an End-Entity certificate for decrypting traffic, only the End Entity Cert with public and private key must be stored in the ASM.
    PKCS8 is the supported certificate format.
    Outbound Trust decryption does not support self-signed certificates.
  4. Click

Recommended For You