set ssl-inspection advanced-settings

In the R82.00.X releases, this command is available starting from the R82.00.00 version.

Description

Configure advanced settings for SSL Inspection.

Syntax

set ssl-inspection advanced-settings [ bypass-well-known-update-services {true | false} ] [ validate-crl <validate-crl> ] [ validate-cert-expiration {true | false} ] [ validate-unreachable-crl {true | false} ] [ track-validation-errors {none | alert | log} ] [ retrieve-intermediate-ca-certificate {true | false} ] [ log-empty-ssl-connections {true | false} ] [ additional-https-ports <additional-https-ports> ] [ validate-untrusted-certificates <validate-untrusted-certificates>]

Parameters

additional-https-ports
    Configures additional HTTPS ports for SSL Inspection (a comma-separated list of ports or port ranges).
    See the IANA Service Name and Port Number Registry.

bypass-well-known-update-services
    Controls whether to bypass (true) or not (false) the SSL Inspection of traffic to well-known software update services.

log-empty-ssl-connections
    Controls whether to log (true) or not (false) the connections that were terminated by the client before data was sent (which might indicate that the client did not install the CA certificate).

retrieve-intermediate-ca-certificate
    Controls whether to validate (true) or not (false) all intermediate CA certificates in the certificate chain.

track-validation-errors
    Configures how to track the SSL Inspection validation:

      • none - Do not track

      • log - Generate a regular log

      • alert - Generate an alert log

validate-cert-expiration
    Controls whether to drop (true) or not (false) connections that present an expired certificate.

validate-crl
    Controls whether to drop (true) or not (false) connections that present a revoked certificate.

validate-unreachable-crl
    Controls whether to drop (true) or not (false) connections that present a certificate with an unreachable CRL.

validate-untrusted-certificates
    Controls whether to drop (true) or not (false) connections that present an untrusted server certificate.

Example Command

set ssl-inspection advanced-settings bypass-well-known-update-services true validate-crl true validate-cert-expiration true validate-unreachable-crl true track-validation-errors none retrieve-intermediate-ca-certificate true log-empty-ssl-connections true additional-https-ports 8080-8090 validate-untrusted-certificates true
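As an added example, not part of the Check Point documentation: a small Python linter that parses a `set ssl-inspection advanced-settings` command line, validates each parameter value (booleans, the track-validation-errors enum, and the additional-https-ports list of ports and port ranges), and reports which settings fall below a fail-closed, auditable baseline. The `HARDENED` baseline is an assumption chosen for this example, not a vendor recommendation; note that the example command above sets `track-validation-errors none`, so validation failures would not appear in the logs.

```python
import re

PREFIX = "set ssl-inspection advanced-settings"
BOOL_PARAMS = {
    "bypass-well-known-update-services", "validate-crl",
    "validate-cert-expiration", "validate-unreachable-crl",
    "retrieve-intermediate-ca-certificate", "log-empty-ssl-connections",
    "validate-untrusted-certificates",
}
TRACK_VALUES = {"none", "alert", "log"}

# Assumed baseline for this example: drop on every validation failure and
# log the failures so a SOC can see certificate problems. Not a vendor default.
HARDENED = {
    "validate-crl": "true", "validate-cert-expiration": "true",
    "validate-unreachable-crl": "true", "validate-untrusted-certificates": "true",
    "retrieve-intermediate-ca-certificate": "true",
    "log-empty-ssl-connections": "true", "track-validation-errors": "log",
}

def parse_ports(spec):
    """Validate 'port' / 'lo-hi' items separated by commas; return [(lo, hi), ...]."""
    ranges = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item.strip())
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((lo, hi))
    return ranges

def parse_command(cmd):
    """Parse the command into {parameter: value}, rejecting unknown names or values."""
    cmd = cmd.strip()
    if not cmd.startswith(PREFIX):
        raise ValueError("not a 'set ssl-inspection advanced-settings' command")
    tokens = cmd[len(PREFIX):].split()
    if len(tokens) % 2:
        raise ValueError("parameter without a value")
    settings = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if name in BOOL_PARAMS:
            if value not in ("true", "false"):
                raise ValueError(f"{name} must be true or false, got {value!r}")
        elif name == "track-validation-errors":
            if value not in TRACK_VALUES:
                raise ValueError(f"{name} must be one of {sorted(TRACK_VALUES)}")
        elif name == "additional-https-ports":
            parse_ports(value)  # raises on malformed or out-of-range items
        else:
            raise ValueError(f"unknown parameter {name!r}")
        settings[name] = value
    return settings

def weak_settings(settings):
    """Return {parameter: (actual, expected)} for explicitly set values below HARDENED."""
    return {k: (settings[k], v) for k, v in HARDENED.items()
            if k in settings and settings[k] != v}
```

Running `weak_settings(parse_command(...))` on the example command above flags only `track-validation-errors` (`none` instead of `log`).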