Configure SSL Inbound Inspection
SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those threats.
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you load the server certificate onto the firewall). With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text traffic and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including and any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL-Filtering, and File Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall, creating an SSL Inbound Inspection Decryption policy, and applying a Decryption profile to the policy.
- Ensure that the appropriate interfaces are configured
as either Tap, Virtual Wire, Layer 2, or Layer 3 interfaces.You cannot use a Tap mode interface for SSL Inbound Inspection if the negotiated cyphers include PFS key-exchange algorithms (DHE and ECDHE).View configured interfaces on the NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including the interface type.
- Ensure that the targeted server certificate is installed
on the firewall.On the web interface, select DeviceCertificate ManagementCertificatesDevice Certificates to view device certificates installed on the firewall.To import the targeted server certificate onto the firewall:
- On the Device Certificates tab, select Import.
- Enter a descriptive Certificate Name.
- Browse for and select the targeted server Certificate File.
- Click OK.
a Decryption Policy Rule to define traffic for the firewall
to decrypt and Create
a Decryption Profile to apply SSL controls to the traffic.Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
- Select PoliciesDecryption, Add or modify an existing rule, and define traffic to be decrypted.
- Select Options and:
- Set the rule Action to Decrypt matching traffic.
- Set the rule Type to SSL Inbound Inspection.
- Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
- (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a Decryption profile to terminate sessions with unsupported algorithms and unsupported cipher suites).When you configure the SSL Protocol Settings Decryption Profile for SSL Inbound Inspection traffic, create separate profiles for servers with different security capabilities. For example, if one set of servers supports only RSA, the SSL Protocol Settings only need to support RSA. However, the SSL Protocol Settings for servers that support PFS should support PFS. Configure SSL Protocol Settings for the highest level of security that the server supports, but check performance to ensure that the firewall resources can handle the higher processing load that higher security protocols and algorithms require.
- Click OK to save.
- Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
- Commit the configuration.
- Choose your next step:
Learn about outbound and inbound SSL decryption, SSH Proxy decryption, Decryption Mirroring, and the keys and certificates that make decryption possible. ...
Create a Decryption Profile
Attach Decryption profiles to Decryption policy rules to control the protocol versions, algorithms, verification checks, and session checks the firewall accepts for the traffic defined ...
Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...
SSL Inbound Inspection
SSL Inbound Inspection decryption decrypts inbound traffic so the firewall can protect against threats in the encrypted traffic destined for your servers. ...
Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...
You can’t protect yourself against threats you can’t see. Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...
Create User-to-Data-Center Decryption Policy Rules
Create rules that decrypt user traffic flowing to the data center so you can inspect the traffic and protect your most valuable assets against malware ...
Configure SSH Proxy
SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications ...
Decrypt Traffic for Full Visibility and Threat Inspection
Decrypt Traffic for Full Visibility and Threat Inspection The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, ...