SSL Inspection Policy

SSL Inspection

The Access Policy > SSL Inspection Policy page lets you enable and configure SSL inspection. When you turn on this setting, the Software Blades that support SSL inspection can inspect traffic that is encrypted with the Secure Sockets Layer (SSL) protocol and its successor, TLS. To do this, the gateway terminates the encrypted connection, inspects the content, and re-encrypts it toward the client with a certificate that it signs with its own CA. Clients accept these inspected connections without certificate warnings only if they trust that CA, so all hosts behind the gateway must install the gateway CA certificate.

Software Blades that support SSL traffic inspection:

  • Application & URL Filtering

  • IPS

  • Anti-Virus

  • Anti-Bot

  • Threat Emulation

Deploying SSL Inspection

To deploy SSL inspection:

  1. Select SSL Traffic Inspection.

  2. Click Download CA Certificate to download the gateway’s internal CA certificate.

    Note - The certificate is available for all users on the gateway. You do not need admin credentials. If you do not have admin credentials, connect from an internal or wireless network to http://my.firewall/ica or https://<IP_Address_of_Appliance>/ica.

    You must install this certificate on every client behind the gateway.

To install the certificate:

  1. Manually copy the certificate file to your PC.

  2. On the Windows PC, double-click the file and follow the wizard instructions to add the certificate to the Trusted Root Certification Authorities store.

    Note - This is not the default repository in the Certificate Import Wizard.

    Certificate installation varies according to the OS. To learn how to install the certificate in your machine, see your OS vendor instructions.

SSL inspection uses the existing internal CA by default. To use your own certificate, you must replace the internal CA.

To replace the internal CA:

  1. Go to Certificates > Internal Certificate.

  2. Click Replace Internal CA.

    The Upload a P12 Certificate window opens.

  3. Click Browse to select the certificate file.

  4. Enter the Certificate name and Password.

  5. In the address field, the appliance normally suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured in load sharing mode, you can manually enter an IP address at which this appliance is reachable. Remote sites use this address to reach the internal CA and check for certificate revocation.

  6. Click Apply.

SSL Inspection Bypass Policy

You can select categories that are bypassed for all traffic, regardless of its source and destination. Bypassed connections are not decrypted, so none of the Software Blades listed above scan their content. To configure more advanced exceptions, go to the SSL Inspection Exceptions page.

To set the SSL inspection bypass policy:

  • Wireless networks to bypass - Select or clear which wireless networks to bypass. Untrusted networks are selected by default.

    Note - Wireless networks must be assigned to Separate Network, not switch or bridge.

  • Categories - Select or clear the privacy related categories that are not inspected. All categories except for Media Streams are selected by default.

  • Tracking - Select to enable logs to indicate that the SSL inspection policy decision was inspect or bypass.

    Note - These logs are generated in addition to the logs generated by the Software Blades.

To add other categories:

Note - The Bypass checkbox is selected by default.

  1. Click other categories and sites.

    The SSL Inspection Bypass Other window opens.

  2. Select the desired items.

  3. Optional - Click New to add URLs or custom applications.

  4. Click Apply.
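A client-side check for the deployment steps and the bypass policy above, added here as an example that is not part of the Check Point documentation or product. It relies on how inspection works from the client's point of view: an inspected connection presents a certificate issued by the gateway CA, while a bypassed connection presents the site's real issuer. The gateway CA subject, the host names and the certificate dictionaries in the block are assumptions constructed for the example; replace GATEWAY_CA with the Subject of the certificate you downloaded from the appliance.

```python
"""Verify which HTTPS (or IMAPS) connections the gateway inspects.

Added example, not Check Point code. Works on the dictionaries that
Python's ssl module returns from getpeercert(): issuer == gateway CA
means the connection was inspected; any other issuer means it was
bypassed, or that inspection is not running at all.
"""
import socket
import ssl

# ASSUMPTION: the subject of the appliance's internal CA. Copy the Subject
# fields from the certificate downloaded via Download CA Certificate.
GATEWAY_CA = {"commonName": "my.firewall", "organizationName": "Check Point"}

# Constructed sample certificates in getpeercert() layout: one signed by the
# (assumed) gateway CA, one signed by a fictitious public CA.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Check Point"),), (("commonName", "my.firewall"),)),
}
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
}


def name_to_dict(name):
    """Flatten the ((('commonName', 'x'),), ...) structure that getpeercert()
    uses for subject/issuer into a plain {attribute: value} dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def classify(cert):
    """Return 'inspect' if the certificate was issued by the gateway CA,
    otherwise 'bypass'. Every attribute in GATEWAY_CA must match."""
    issuer = name_to_dict(cert.get("issuer", ()))
    inspected = all(issuer.get(attr) == value for attr, value in GATEWAY_CA.items())
    return "inspect" if inspected else "bypass"


def audit(observed, expected):
    """Compare observed decisions with the intended bypass policy.

    observed: {host: getpeercert() dict}
    expected: {host: 'inspect' | 'bypass'}
    Returns a list of mismatch descriptions; empty means the policy matches.
    A site expected to be inspected that shows up as 'bypass' means either
    an unintended bypass or that SSL inspection is off entirely.
    """
    mismatches = []
    for host, want in sorted(expected.items()):
        if host not in observed:
            mismatches.append(f"{host}: no certificate observed")
            continue
        got = classify(observed[host])
        if got != want:
            mismatches.append(f"{host}: expected {want}, observed {got}")
    return mismatches


def probe(host, port=443, cafile=None, timeout=5):
    """Connect through the gateway and return the certificate it presents.

    cafile: path to the downloaded gateway CA (PEM). It is added to the OS
    trust store already loaded by the default context, so both inspected and
    bypassed sites verify. Use port=993 to check the IMAPS option.
    Needs network access; not exercised by the tests.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a real check,
    # replace the dict with {host: probe(host, cafile="ca.pem") for host in ...}.
    observed = {"www.example.com": SAMPLE_INSPECTED, "bank.example": SAMPLE_PUBLIC}
    policy = {"www.example.com": "inspect", "bank.example": "bypass"}
    print(audit(observed, policy) or "bypass policy matches")
```

Run it from a client behind the gateway, with a site from a bypassed category (for example a banking site, if that category is selected) and an ordinary site expected to be inspected. If the ordinary site reports bypass, confirm SSL Traffic Inspection is on before looking for a policy error.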

HTTPS Categorization

As an alternative to SSL inspection, you can enable HTTPS categorization. HTTPS categorization allows filtering specified HTTPS URLs and applications without activating SSL traffic inspection.

For more information, see the HTTPS Inspection video on the Small Business Security video channel.

To enable HTTPS categorization:

  1. Select HTTPS Categorization.

    Note - When you enable HTTPS categorization, the SSL options are not available.

  2. Click Configure.

    The Access Policy > Firewall Blade Control page opens.

  3. Configure the settings for URL filtering.

    Note - HTTPS categorization only applies when the URL Filtering blade is turned on.

To disable SSL inspection and HTTPS categorization:

Select Off.

IMAPS

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAPS refers to IMAP over SSL.

SSL traffic inspection must be activated to scan encrypted HTTPS and IMAPS traffic.

To configure SSL Inspection to inspect the IMAPS protocol, select the IMAPS checkbox.