Configure SSL Inbound Inspection

SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those threats.
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you load the server certificate onto the firewall). With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy into clear text and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, and File Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall, creating an SSL Inbound Inspection Decryption policy, and applying a Decryption profile to the policy.
SSL Inbound Inspection does not support Authentication Portal redirect. To use Authentication Portal redirect and decryption, you must use SSL Forward Proxy.
  1. Ensure that the appropriate interfaces are configured as either Tap, Virtual Wire, Layer 2, or Layer 3 interfaces.
    You cannot use a Tap mode interface for SSL Inbound Inspection if the negotiated ciphers include PFS key-exchange algorithms (DHE and ECDHE).
    View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including the interface type.
  2. Ensure that the targeted server certificate is installed on the firewall.
    On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view the certificates installed on the firewall.
    To import the targeted server certificate onto the firewall:
    1. On the Device Certificates tab, select Import.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the targeted server Certificate File.
    4. Click OK.
  3. Create a Decryption Policy Rule to define the traffic for the firewall to decrypt, and Create a Decryption Profile to apply SSL controls to that traffic.
    Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
    1. Select Policies > Decryption, Add or modify an existing rule, and define the traffic to be decrypted.
    2. Select Options and:
  4. Commit the configuration.
  5. Choose your next step...
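Two points in the procedure above are easy to get wrong before the policy is ever committed: a Tap mode interface cannot decrypt sessions that negotiated a PFS key exchange (DHE or ECDHE), and a Decryption profile should be in place to keep weak protocol versions off the network. The following added example (not Palo Alto Networks code, and not part of the original page) is a small pre-deployment check a practitioner can run against captured ServerHello records from the server you intend to protect: it parses the record with the standard library only, reports the negotiated protocol version and cipher suite, and says whether a passive (Tap mode) copy of that session could be decrypted at all and whether the version is one a Decryption profile should be blocking. The cipher-suite table is a deliberately small subset of the IANA registry, the sample records are constructed in the block itself, and the inference of TLS 1.3 from a 0x13xx suite (rather than from the supported_versions extension) is a simplification.

```python
import struct

# Subset of IANA cipher suite IDs, mapped to (name, key-exchange family).
# Suites with DHE/ECDHE key exchange provide PFS: the session key is never
# derivable from the server's private key alone, so a Tap mode copy of the
# traffic cannot be decrypted even with the server certificate on the firewall.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0x009F: ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ECDHE"),   # TLS 1.3 suites: key exchange is always (EC)DHE
    0x1302: ("TLS_AES_256_GCM_SHA384", "ECDHE"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "ECDHE"),
}

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# Versions a Decryption profile should block rather than allow through decryption.
WEAK_VERSIONS = {0x0300, 0x0301, 0x0302}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and classify the negotiated session."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                      # skip server_version and the 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                # skip legacy session_id
    if len(hs) < pos + 2:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    # TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 in supported_versions;
    # inferring it from a 0x13xx suite is a simplification adequate for this check.
    if (suite >> 8) == 0x13:
        version = 0x0304
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    pfs = kx in ("DHE", "ECDHE")
    return {
        "version": VERSIONS.get(version, "unknown"),
        "cipher_suite": "0x%04X" % suite,
        "name": name,
        "key_exchange": kx,
        "pfs": pfs,
        # Tap mode only works when the firewall can recover the key from the server
        # private key, i.e. non-PFS key exchange. Unknown suite: cannot say.
        "tap_mode_decryptable": (not pfs) if kx != "unknown" else None,
        "weak_protocol": version in WEAK_VERSIONS,
    }


def build_server_hello(cipher_suite: int, version: int = 0x0303, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (constructed sample input, no extensions)."""
    hello_version = 0x0303 if version == 0x0304 else version   # TLS 1.3 uses legacy_version 0x0303
    body = (struct.pack("!H", hello_version) + b"\x42" * 32 + bytes([len(session_id)])
            + session_id + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", hello_version) + struct.pack("!H", len(handshake)) + handshake


def audit(records) -> list:
    """Classify a sequence of ServerHello records; returns one summary dict per record."""
    return [parse_server_hello(r) for r in records]


if __name__ == "__main__":
    # Constructed samples: a PFS session, an RSA-key-exchange session, a TLS 1.0
    # session, and a TLS 1.3 session.
    samples = [build_server_hello(0xC02F), build_server_hello(0x009C),
               build_server_hello(0x002F, version=0x0301), build_server_hello(0x1301)]
    for row in audit(samples):
        print(row)
```

If the server you intend to protect only ever negotiates PFS suites (which is the expected outcome for any modern TLS configuration, and mandatory for TLS 1.3), the check tells you that Tap mode cannot be used and the firewall must sit inline as a Virtual Wire, Layer 2, or Layer 3 interface; a row flagged `weak_protocol` is traffic the Decryption profile from step 3 should refuse rather than decrypt.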