SSL Inspection
On the SSL Inspection page you can enable and configure SSL inspection. When you turn on this setting, you allow different Software Blades that support SSL inspection to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol.
Note - This feature is not supported in 600 and 1100 appliances.
This page is available from the Gateways and Plans tabs.
To configure the SSL Inspection Software Blade settings of a plan:
- Go to Home > Plans.
- Click the plan name.
  The Edit page opens.
- Click Security Software Blades > SSL Inspection.
- Select Manage in SMP.
- For Blade Control: SSL Inspection, select On.
To override the settings set by a plan:
- Go to Home > Gateways.
- Click the gateway name.
  The Edit page opens.
- Click Security Software Blades > SSL Inspection.
- If the SSL Inspection settings are locked, click Unlock from plan.
- To stop remote management of the blade, clear Manage in SMP.
- Click Save.
To allow the gateway to inspect the secured connections, all hosts behind the gateway must install the gateway CA certificate. Do this from the gateway WebUI, or connect from an internal or wireless network to one of these:
- http://my.filewall/ica
- https://<IP Address of Appliance>/ica
Software Blades that support SSL traffic inspection:
- Application & URL Filtering
- IPS
- Anti-Virus
- Anti-Bot
- Threat Emulation
SSL Inspection Bypass Policy
You can select categories that are bypassed for all possible traffic regardless of its source and destination.
To set the SSL inspection bypass policy:
- Wireless networks to bypass - Select or clear which wireless networks to bypass. Untrusted networks are selected by default.
  Note - Wireless networks must be assigned to Separate Network, not switch or bridge.
- Categories - Select or clear the privacy related categories that are not inspected. All categories except for Media Streams are selected by default.
- Tracking - Select to enable logs that indicate whether the SSL inspection policy decision was inspect or bypass.
  Note - These logs are generated in addition to the logs generated by the Software Blades.
To add other categories:
Note - The Bypass other categories checkbox is selected by default. To find out which versions support other categories and sites, see sk121214.
- Click other categories.
  The SSL Inspection Bypass Other window opens.
- Select the desired items.
- Click Apply.
To bypass custom sites:
Note - This feature is supported for appliances with version R80.20.35 and higher. For appliances with earlier versions, custom sites are supported only when the blade is not managed by SMP.
- Select the checkbox for Bypass custom sites.
  The Custom Sites window opens.
- To add a custom site, click New.
  The Add Custom Site window opens.
  - Enter the URL.
  - Enter the Name. If the URL is a Regular Expression, select the checkbox.
  - Click Finish.
- To edit a custom site, click the edit icon.
  The Edit Custom Site window opens.
  - Make your changes.
  - Click Finish.
- To delete a site, select the checkbox next to the site name and click Delete.
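An added example, not part of the original page or the vendor's own code: every custom site on the bypass list is exempt from inspection, so a regular-expression entry is worth checking for over-matching before it is entered. The script assumes unanchored matching against the host name with Python `re` syntax (the page does not state the appliance's regex dialect), and all patterns and host names are constructed.

```python
import re

def audit_bypass_patterns(patterns, intended, lookalikes):
    """Return {pattern: [issues]} for each candidate bypass regex.

    intended   -- hosts the entry is meant to exempt from inspection
    lookalikes -- hosts that must still be inspected
    """
    report = {}
    for pat in patterns:
        try:
            rx = re.compile(pat, re.IGNORECASE)
        except re.error as exc:
            report[pat] = [f"invalid regex: {exc}"]
            continue
        issues = []
        # Assumption: the pattern may match anywhere in the host name
        # (search semantics), the worst case for an unanchored entry.
        for host in intended:
            if not rx.search(host):
                issues.append(f"misses intended host {host}")
        for host in lookalikes:
            if rx.search(host):
                issues.append(f"also bypasses {host}")
        report[pat] = issues
    return report

# Constructed sample data (reserved .test / .example names).
PATTERNS = [
    r"portal.corp.test",                # unescaped dots, no anchors
    r"^(.+\.)?portal\.corp\.test$",     # anchored, dots escaped
    r"(portal\.corp\.test",             # typo: unbalanced parenthesis
]
INTENDED = ["portal.corp.test", "sso.portal.corp.test"]
LOOKALIKES = [
    "portal.corp.test.other.example",   # intended name used as a prefix
    "portalxcorp.test",                 # "." in the regex matches any char
    "notportal.corp.test",              # intended name used as a suffix
]

if __name__ == "__main__":
    result = audit_bypass_patterns(PATTERNS, INTENDED, LOOKALIKES)
    for pat, issues in result.items():
        print(pat, "->", "OK" if not issues else "; ".join(issues))
```
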
HTTPS Categorization
As an alternative to SSL inspection, you can enable HTTPS categorization. HTTPS categorization allows filtering specified HTTPS URLs and applications without activating SSL traffic inspection.
For more information, see the HTTPS Inspection video on the Small Business Security video channel.
To enable HTTPS categorization:
- Select HTTPS Categorization.
  Note - When you enable HTTPS categorization, the SSL options are not available.
- Click Configure.
  The Access Policy > Firewall Blade Control page opens.
- Configure the settings for URL filtering.
  Note - HTTPS categorization only applies when the URL Filtering blade is turned on.
To disable SSL inspection and HTTPS categorization:
Select Off.