Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL-Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.
Configure SSL Inbound Inspection
1. Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
   View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
2. Ensure that the targeted server certificate is installed on the firewall.
   On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
   To import the targeted server certificate onto the firewall:
   a. On the Device Certificates tab, select Import.
   b. Enter a descriptive Certificate Name.
   c. Browse for and select the targeted server Certificate File.
   d. Click OK.
3. Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
   a. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
   b. Select Options and:
      - Set the rule Action to Decrypt matching traffic.
      - Set the rule Type to SSL Inbound Inspection.
      - Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
      - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
   c. Click OK to save.
4. Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
   This option requires an active WildFire license and is a WildFire best practice.
5. Commit the configuration.
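A pre-import check for the step that installs the targeted server certificate, added here as an example and not taken from the vendor documentation: it compares the SHA-256 fingerprint of the file selected for import with the certificate the server presents. It assumes the file is PEM encoded; the function names are hypothetical and the sample certificates are constructed placeholder bytes.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholders: PEM armor around arbitrary bytes, not real
# certificates. The fingerprint only hashes the decoded bytes, so they suffice.
SAMPLE_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed server certificate")
SAMPLE_CA = ssl.DER_cert_to_PEM_cert(b"constructed issuing CA certificate")


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate in a PEM file, in file order."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)]


def fetch_served_pem(host, port=443):
    """Certificate the server presents right now (fetched without validation)."""
    return ssl.get_server_certificate((host, port))


def check_import_candidate(file_pem, served_pem):
    """Compare the file chosen for import with the certificate the server serves."""
    served = pem_fingerprints(served_pem)
    if len(served) != 1:
        raise ValueError("expected exactly one served certificate")
    in_file = pem_fingerprints(file_pem)
    if not in_file:
        return "no-certificate"      # wrong file, or not PEM (for example DER)
    if in_file[0] == served[0]:
        return "match"
    if served[0] in in_file:
        return "match-not-first"     # present, but another certificate leads the file
    return "mismatch"                # stale or different certificate


if __name__ == "__main__":
    print(check_import_candidate(SAMPLE_LEAF, SAMPLE_LEAF))
    print(check_import_candidate(SAMPLE_CA + SAMPLE_LEAF, SAMPLE_LEAF))
    print(check_import_candidate(SAMPLE_CA, SAMPLE_LEAF))
```

Against a live server, pass `fetch_served_pem(host)` as `served_pem` and the contents of the certificate file as `file_pem`.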
Choose your next step...
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exceptions to disable decryption for certain types of traffic.
