Enable the firewall to inspect decrypted SSL/TLS traffic for threats during SSL/TLS handshakes.
SSL/TLS handshake inspection closes a gap in threat detection for SSL/TLS web traffic marked for decryption. When enabled, the Content and Threat Detection (CTD) engine of the firewall inspects HTTPS traffic for potential threats during the SSL/TLS handshake. The firewall uses data in the handshake to identify the traffic and enforce applicable Security policy rules. Examining the handshake improves network security and optimizes our URL Filtering solution by preventing threats and enforcing Security policy actions on web traffic as early as possible.
Specifically, the firewall scans the Client Hello message for the Server Name Indication (SNI) field, an extension to the SSL/TLS protocol that contains the hostname of a requested website. From the hostname, the firewall can derive the URL category and server destination of the traffic. Then, it evaluates the URL category against the URL Filtering profiles of matching Security policy rules to determine which actions to enforce. If the firewall detects a threat, such as a malicious web server in the SNI field, or policy dictates that the website be blocked, it terminates the handshake and ends the web session immediately. If no threat is detected and the traffic is allowed per policy, the client and server can complete the SSL/TLS handshake and exchange application data through the secure connection.
Filtering response pages do not display for sites blocked by the firewall during SSL/TLS handshake inspections. After detecting traffic from blocked categories, the firewall resets the HTTPS connection, ending the handshake and preventing user notification by response page. Instead, the browser displays a standard connection error.
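The following Python script is an added illustration of the mechanism described above; it is not firewall code and does not reflect how the CTD engine is implemented. It builds a constructed TLS 1.2 Client Hello record, parses the Server Name Indication extension out of it (RFC 5246 record and handshake framing, RFC 6066 extension layout), and then applies an assumed URL-category lookup and URL Filtering profile to decide whether the session would be allowed or reset. The hostnames, categories, and profile actions are invented sample values, and the decision of what to do when no SNI is present is a simplification of the example, not documented firewall behavior.

```python
import struct

# TLS constants used by the builder and parser (RFC 5246 / RFC 6066).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOSTNAME = 0x00


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    This is constructed sample input for the parser, not a captured packet."""
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", SNI_HOSTNAME, len(name)) + name
    sni_body = struct.pack("!H", len(server_name)) + server_name
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed in this sample)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the
    record is not a ClientHello, is truncated, or carries no SNI extension."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # compression_methods
    if len(body) < pos + 2:
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(ext) < 2:
            continue
        p = 2                                    # skip server_name_list length
        while p + 3 <= len(ext):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            name = ext[p:p + name_len]
            p += name_len
            if name_type == SNI_HOSTNAME and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


# Assumed URL-category lookup and URL Filtering profile (constructed values).
CATEGORY_OF_HOST = {
    "intranet.example": "business-and-economy",
    "bad.example": "malware",
}
PROFILE_ACTION = {"malware": "block", "business-and-economy": "allow"}


def evaluate_client_hello(record: bytes) -> dict:
    """Model the handshake-inspection decision for one ClientHello record.
    'reset' stands for the firewall tearing down the HTTPS connection, which
    is why no response page reaches the browser in the blocked case."""
    sni = extract_sni(record)
    if sni is None:
        # Simplification of this example: with no hostname there is nothing
        # to categorize at this stage, so the hostname check is skipped.
        return {"sni": None, "category": None, "action": "continue"}
    category = CATEGORY_OF_HOST.get(sni, "unknown")
    action = PROFILE_ACTION.get(category, "allow")
    return {"sni": sni, "category": category,
            "action": "reset" if action == "block" else "allow"}


if __name__ == "__main__":
    for host in ("intranet.example", "bad.example"):
        print(evaluate_client_hello(build_client_hello(host)))
```

Running the script prints one decision per constructed hostname; the malware-categorized name yields a reset, matching the page's description of a blocked handshake, while a truncated or non-handshake record yields no hostname and no category decision.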
Details of successful SSL/TLS handshakes and sessions will be in the Traffic and Decryption logs. If the firewall blocks web sessions during the SSL/TLS handshake, it will not generate Decryption logs. You can find details of failed sessions in the URL Filtering
The following procedure details the requirements and steps needed to enable SSL/TLS handshake inspection: