Enable SSL/TLS Handshake Inspection

Enable the firewall to inspect decrypted SSL/TLS traffic for threats during SSL/TLS handshakes.
SSL/TLS handshake inspection closes a gap in threat detection for SSL/TLS web traffic marked for decryption. When enabled, the Content and Threat Detection (CTD) engine of the firewall inspects HTTPS traffic for potential threats during the SSL/TLS handshake. The firewall uses data in the handshake to identify the traffic and enforce applicable Security policy rules. Examining the handshake improves network security and optimizes our URL Filtering solution by preventing threats and enforcing Security policy actions on web traffic as early as possible.
Specifically, the firewall scans the Client Hello message for the Server Name Indication (SNI) field, an extension to the SSL/TLS protocol that contains the hostname of a requested website. From the hostname, the firewall can derive the URL category and server destination of the traffic. Then, it evaluates the URL category against the URL Filtering profiles of matching Security policy rules to determine which actions to enforce. If the firewall detects a threat, such as a malicious web server in the SNI field, or policy dictates that the website be blocked, it will terminate the handshake and end the web session immediately. If no threat is detected and the traffic is allowed per policy, the client and server can complete the SSL/TLS handshake and exchange application data through the secure connection.
URL Filtering response pages do not display for sites blocked by the firewall during SSL/TLS handshake inspections. After detecting traffic from blocked categories, the firewall resets the HTTPS connection, ending the handshake and preventing user notification by response page. Instead, the browser displays a standard connection error message.
Details of successful SSL/TLS handshakes and sessions will be in the Traffic and Decryption logs. If the firewall blocks web sessions during the SSL/TLS handshake, it will not generate Decryption logs. You can find details of failed sessions in the URL Filtering logs, however.
The following procedure details the requirements and steps needed to enable SSL/TLS handshake inspection:
  1. Select
    Device > Licenses
    to confirm that you have an active URL Filtering license.
  2. Verify that you decrypt SSL/TLS traffic through either SSL Forward Proxy or SSL Inbound Inspection.
  3. Enable inspection of SSL/TLS handshakes by CTD. By default, the option is disabled.
    1. Select
      Decryption Settings
      SSL Decryption Settings
    2. Select
      Send handshake messages to CTD for inspection
      Alternatively, you can use the
      set deviceconfig setting ssl-decrypt scan-handshake
      CLI command.
    3. Click
  4. Commit
    your configuration changes.

Recommended For You