SSL Inbound Inspection enables the firewall to see potential
threats in SSL/TLS traffic destined for your internal servers and
apply security protections.
Use SSL Inbound Inspection to
decrypt and inspect inbound SSL traffic destined for a network server
(you can perform SSL Inbound Inspection for any server if you load
the server certificate onto the firewall). With an SSL Inbound Inspection
Decryption policy enabled, the firewall decrypts all SSL traffic
identified by the policy to clear text traffic and inspects it.
The firewall blocks, restricts, or allows the traffic based on the
Decryption profile attached to the policy and the Security policy
that applies to the traffic, including any configured Antivirus,
Vulnerability Protection, Anti-Spyware, URL Filtering, and File
Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and
Configuring SSL Inbound Inspection includes:
Installing the targeted server certificate on the firewall.
Creating an SSL Inbound Inspection Decryption policy rule.
Applying a Decryption profile to the policy rule.
When you configure SSL Inbound Inspection, the proxied traffic does not
support DSCP code points or QoS.
Ensure that the appropriate interfaces are configured
as either Tap, Virtual Wire, Layer 2, or Layer 3 interfaces.
You cannot use a Tap mode interface for SSL Inbound
Inspection if the negotiated ciphers include PFS key exchange algorithms
(DHE and ECDHE).
View configured interfaces on the
column displays if an interface is configured to
interface. You can select an interface
to modify its configuration, including the interface type.
Ensure that the targeted server certificate is installed
on the firewall.
On the web interface, select
certificates installed on the firewall.
We recommend uploading a certificate chain (a
single file) to the firewall if your end-entity (leaf) certificate
is signed by one or more intermediate certificates and your
web server supports TLS 1.2 and PFS key exchange algorithms. Uploading
the chain avoids client-side server certificate authentication issues.
You should arrange the certificates in the file as follows:
End-entity (leaf) certificate
Intermediate certificates (in issuing order)
Root certificate
You can upload the server certificate and private key alone to the firewall
if your web server supports TLS 1.2 and the RSA key exchange
algorithm and the server's certificate chain (if
the leaf certificate is signed by intermediate certificates) is
installed on the server. SSL Inbound Inspection discusses
each case in more detail.
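As an added check that is not part of the PAN-OS documentation, the script below verifies that a PEM bundle is ordered leaf, intermediates, root before you upload it: it compares each certificate's issuer with the next certificate's subject and requires the last certificate to be self-signed. The two sample bundles are constructed DER skeletons, not real certificates; the parser itself works on real PEM files.

```python
import base64
import re
def _der(tag, content):
    """Short-form DER TLV encoder, used only to build the sample data below."""
    return bytes([tag, len(content)]) + content

def _tlv(buf, pos):
    """Decode the DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length, as in real certs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw DER Name contents (issuer, subject) of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                      # walk the tbsCertificate fields
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]          # serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_text):
    """Problems in a leaf -> intermediates -> root bundle ([] means order is OK)."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    names = [issuer_and_subject(base64.b64decode("".join(b.split())))
             for b in re.findall(pem_re, pem_text, re.S)]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:     # issuer(i) must equal subject(i+1)
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not a self-signed root")
    return problems

# Constructed sample bundles (not real certificates): minimal DER skeletons whose
# Name fields are bare UTF8Strings, just enough to exercise the ordering check.
def _fake_cert(subject, issuer):
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF, INTER, ROOT = _fake_cert("www", "inter"), _fake_cert("inter", "root"), _fake_cert("root", "root")
GOOD_BUNDLE = LEAF + INTER + ROOT   # the order the firewall expects
BAD_BUNDLE = ROOT + INTER + LEAF    # common mistake: root first
```

Run check_chain_order on the contents of your own bundle file; an empty list means the file is ordered correctly.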
To import the targeted server
certificate onto the firewall:
Although Decryption profiles are
optional, it is best to include a Decryption profile with each Decryption
policy rule to prevent weak, vulnerable protocols and algorithms
from allowing questionable traffic on your network.
modify an existing rule, and define the traffic to be decrypted.
for the internal
server that is the destination of the inbound SSL traffic.
(Optional but a best practice) Configure or select a Decryption profile
to block and control various aspects of the decrypted traffic (for example,
create a Decryption profile to terminate sessions with unsupported algorithms
and unsupported cipher suites).
When you configure the SSL Protocol Settings Decryption
Profile for SSL Inbound Inspection traffic, create separate
profiles for servers with different security capabilities. For example,
if one set of servers supports only RSA, the SSL Protocol Settings
only need to support RSA. However, the SSL Protocol Settings for
servers that support PFS should support PFS. Configure SSL Protocol
Settings for the highest level of security that the server supports,
but check performance to ensure that the firewall resources can
handle the higher processing load that higher security protocols
and algorithms require.