Apply TLS inspection to traffic

Use the default or custom HTTPS Service element in Access rules to define which traffic is decrypted and inspected.

CAUTION:

Uploading TLS Credentials or a Client Protection Certificate Authority elements to the engine might enable decryption of TLS traffic that is not excluded from TLS inspection. The following configurations might enable decryption of TLS traffic:

  • Adding a Network Application that allows or requires the use of TLS to an Access rule
  • Selecting the Enforced option for Log Application Information in the Access rules
  • Enabling Deep Inspection in an Access rule if the Service cell contains a Network Application or a Service that does not include a Protocol Agent

To select specific traffic for decryption and inspection, you create Access rules that use a custom HTTPS Service or the default HTTPS (with decryption) Service element. To enable the decryption and inspection of all TLS traffic, you enable Deep Inspection in an Access rule with the Service cell of the rule set to ANY.

You must enable Deep Inspection in the Action options of the Engine Access rules to enable TLS inspection. Deep Inspection is enabled by default in the IPS, Layer 2 Engine, and Layer 2 Interface Access rules. Traffic that matches the Access rules for TLS inspection is decrypted and matched against HTTP Situations in the Inspection rules in the same way as unencrypted HTTP traffic. Any traffic that is allowed to continue by the Inspection Policy is re-encrypted and sent to its destination.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. (Client Protection) Add a rule with the following properties to select traffic from clients in the internal network for inspection.
    Table 1. Access rules for client protection
    Source Destination Service Action
    The elements that represent clients in your internal network or ANY. The elements that represent the HTTPS servers to which internal clients connect, or ANY. Your custom HTTPS Service, the default HTTPS (with decryption) Service, or set to ANY.

    Allow

    Deep Inspection selected in the Action options.

  2. (Server Protection) Add a rule with the following properties to select traffic to internal servers for inspection.
    Table 2. Access rules for server protection
    Source Destination Service Action
    The elements that represent the clients that connect to your HTTPS server, or ANY. The elements that represent your internal HTTPS servers. Your custom HTTPS Service, the default HTTPS (with decryption) Service, or set to ANY.

    Allow

    Deep Inspection selected in the Action options.

  3. Save and install the policy to start using the new configuration.