Activate TLS inspection on Secure SD-WAN Engines

Depending on the elements you select in the engine properties, you can activate client protection alone, server protection alone, or client and server protection together.

CAUTION:

Uploading TLS Credentials elements or a Client Protection Certificate Authority element to the engine might enable decryption of any TLS traffic that is not explicitly excluded from TLS inspection. The following configurations might enable decryption of TLS traffic:

  • Adding a Network Application that allows or requires the use of TLS to an Access rule
  • Selecting the Enforced option for Log Application Information in the Access rules
  • Enabling Deep Inspection in an Access rule if the Service cell contains a Network Application or a Service that does not include a Protocol Agent

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Click Secure SD-WAN Engines.
  3. Right-click an engine element, then select Edit <element type>.
  4. From the navigation pane on the left, select Add-Ons > TLS Inspection.
  5. (For client protection) From the Client Protection Certificate Authority drop-down list, select a Client Protection Certificate Authority element.
    • To select an existing element, click Select and select the element.
    • To create an element, click New.
  6. (For server protection) Click Add, then select one or more TLS Credentials elements and click Select.
  7. Click Save and Refresh to transfer the configuration changes and upload the certificates.