End-of-Life (EoL)

Configure SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL-Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.
  1. Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
    View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
  2. Ensure that the targeted server certificate is installed on the firewall.
    On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
    To import the targeted server certificate onto the firewall:
    1. On the Device Certificates tab, select Import.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the targeted server Certificate File.
    4. Click OK.
  3. Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
    1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
    2. Select Options and:
      • Set the rule Action to Decrypt matching traffic.
      • Set the rule Type to SSL Inbound Inspection.
      • Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
      • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
    3. Click OK to save.
  4. Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This option requires an active WildFire license and is a WildFire best practice.
  5. Commit the configuration.
  6. Choose your next step...
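
For step 2, one way to confirm before importing that the certificate file is the one the targeted server actually presents, by comparing SHA-256 fingerprints. This is an added example, not part of the original documentation; the function names are hypothetical and the sample data is constructed bytes, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM string, in file order."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_import_file(file_pem, presented_pem):
    """Compare the file chosen for import with what the server presents.

    Returns "match" (first certificate in the file is the presented leaf),
    "not-first" (leaf is in the file, but another certificate precedes it)
    or "mismatch" (leaf is not in the file, e.g. the server cert was renewed).
    """
    presented = pem_fingerprints(presented_pem)
    candidates = pem_fingerprints(file_pem)
    if not presented or not candidates:
        raise ValueError("no PEM certificate found in input")
    leaf = presented[0]
    if candidates[0] == leaf:
        return "match"
    return "not-first" if leaf in candidates else "mismatch"

def fetch_presented_pem(host, port=443):
    """Leaf certificate the server presents right now (needs network access)."""
    return ssl.get_server_certificate((host, port))

def constructed_pem(raw):
    """Wrap arbitrary bytes in PEM armour: constructed sample, not a real cert."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Constructed stand-in for fetch_presented_pem("<server>")
    server = constructed_pem(b"constructed-server-cert")
    other = constructed_pem(b"constructed-other-cert")
    print(check_import_file(server, server))          # match
    print(check_import_file(other + server, server))  # not-first
    print(check_import_file(other, server))           # mismatch
```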
