Set Up Inbound Decryption on Cloud NGFW for Azure
Table of Contents
Set Up Inbound Decryption on Cloud NGFW for Azure
Setup inbound decryption.
Cloud NGFW uses SSL Inbound Decryption to inspect and
decrypt inbound SSL/TLS traffic from a client to a targeted network server (any
server you have the certificate for and can import onto the firewall) and block
suspicious sessions. The firewall acts as a proxy between the external client and
the internal server and generates a new session key for each secure session. The
firewall creates a secure session between the client and the firewall and another
secure session between the firewall and the server to decrypt and inspect the
traffic. However, Cloud NGFW keeps your traffic packet headers and payload intact,
providing complete visibility of the source’s identity to your applications in your
VNets.
You must concatenate the web certificate and private key as a single
pem
or pfx
file and upload it to the Azure Key Vault
to perform SSL
inbound inspection. The firewall validates that the certificate sent by the targeted
server during the SSL/TLS handshake matches a certificate in your decryption policy
rule. If there is a match, the firewall forwards the server's certificate to the
client requesting server access and establishes a secure connection.You must not upload the certificate and key separately to the Azure key
vault.
- SelectRulestacksand select a previously-created rulestack which to apply the certificate.
- SelectRules, thenCreatea newSecurity Rulefor decryption.
- Provide the following details underGeneral.
- Name—Name of the rule.
- Description—A description for the rule.
- Priority—A unique priority for the rule.
- Enabled—Enable the field to associate the rulestack with the rule. This field is enabled by default.
- Define matching criteria for theSourceandDestinationIP address fields.
- ConfigureGranular Controls.
- Specify theApplication Match Criteriayou want the rule to allow or block.You can create TLS decryption rules withApplications—AnyorSSL—Matchonly.
- Specify aURL Categoryas match criteria for the rule.
- Step 6 Specify theSpecify theProtocol and Portsyou want the rule to allow or block.A
- Allow—Allow traffic.
- Drop—Block traffic and enforce the defaultdrop actiondefined for the application that is being denied.
- Reset Server—Sends the TCP reset to the server-side device.
- Reset Both—Sends a TCP reset to both client and server-side devices.
- UnderTLS Decryption, selectInboundand select anInbound Inspection Certificate.
- Create a certificateif you have not done so already. The Azure Resource Name (ARN) of the secret must be used in the certificate ARN when creating the certificate object.
- PKCS8 is the supported certificate format.
- Inbound decryption supports self-signed and root CA signed certificates and does not support chained certificates.
- The decryption profile for TLS decryption is set to Best Practice Security Policy. See decrypt traffic for full visibility and threat inspection for more information.
- SelectLoggingto enable logging.
- ClickValidate.
- ClickConfig ActionsDeploy ConfigurationCommitto save the rule to the running configuration of the firewall.