Set Up Outbound Decryption on Cloud NGFW for AWS

With Outbound decryption, Cloud NGFW behaves like an SSL Forward Proxy, and uses its associated certificates to establish itself as a trusted third party (man-in-the-middle) for the client-server session. However, Cloud NGFW keeps your traffic packet headers and payload intact, providing complete visibility of the source’s identity to your destinations.
Outbound decryption uses two certificate objects - Trust and Untrust. The NGFW presents the trust certificateto clients during SSL decryption if the client is attempting to connect to a server that has a certificate signed by a trusted certificate authority (CA). Alternatively. the NGFW presents the untrust certificate to the client attempting to connect to a server that has a certificate signed by a CA that the NGFW does not trust.
You can configure the NGFW resource to decrypt the SSL traffic leaving your VPC or subnet. You can then enforce App-ID and security settings on the plaintext traffic, including Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the plaintext traffic as it exits the firewall to ensure privacy and security.
This procedure only defines the certificates that the firewall uses for Outbound TLS Decryption. You must enable Outbound TLS Decryption during rule creation.
  1. Select
    and select a previously-created rulestack which to apply the certificate.
  2. Select
    Security Profiles
    Egress Decryption
  3. Select an
    Untrust Certificate
  4. Select an
    Trust Certificate
  5. Click

Recommended For You