Active destination server certificate probing
Use the option Active destination server certificate probing to enable active fetching of server certificates for TLS connections.
The Secure SD-WAN engine now supports decrypting TLS 1.3 connections. Prior to this version, TLS 1.3 connections were downgraded to TLS 1.2 when decryption was needed.
The Secure SD-WAN engine now also supports active fetching of destination server certificates when inspecting TLS traffic, if the option Active destination server certificate probing is enabled in the SMC.
If a client tries to open a TLS connection through the Secure SD-WAN engine to a destination server (“server endpoint”), the engine first checks whether it already has a cached copy of the server certificate.
If the server endpoint is already known to the Secure SD-WAN engine, it uses the cached copy of the server certificate. If the server endpoint is not yet known, the engine opens an additional TLS connection to the destination server to fetch the server certificate.
To fetch the server certificate for a TLS connection that passes through an inline interface pair, the Secure SD-WAN engine must also have an additional interface with a valid route to the server.
Depending on the currently active policy, the client connection may be blocked until the Secure SD-WAN engine has finished processing the server certificate.
If the Secure SD-WAN engine successfully obtains the server certificate, it caches the certificate together with the server endpoint information for use in future TLS connections to the same server endpoint. The Server certificate cache timeout value determines how long the engine may rely on the cached certificate before it must be discarded.
The engine also caches server certificates obtained from the server's response during TLS handshake processing, for each unique server endpoint.
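The cache lookup, probe-on-miss, timeout and handshake-observed caching described above, as an added model in Python (not code from the product or its vendor). The probe is injected as a callable and the clock is faked so it runs offline; the `.test` routing rule, endpoint values and certificate bytes are constructed for the example.

```python
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (server address, port) identifies a server endpoint

class ServerCertCache:
    def __init__(self, fetch: Callable[[Endpoint], Optional[bytes]],
                 timeout_s: float, clock: Callable[[], float]):
        self._fetch, self._timeout, self._clock = fetch, timeout_s, clock  # fetch = active probe
        self._entries: Dict[Endpoint, Tuple[bytes, float]] = {}  # endpoint -> (cert, stored_at)
        self.probes = 0  # number of active probes actually sent

    def _cached(self, ep: Endpoint) -> Optional[bytes]:
        entry = self._entries.get(ep)
        if entry is None:
            return None
        cert, stored_at = entry
        if self._clock() - stored_at >= self._timeout:  # Server certificate cache timeout
            del self._entries[ep]  # expired: the engine may no longer rely on it
            return None
        return cert

    def observe_handshake(self, ep: Endpoint, cert: bytes) -> None:
        # Certificate seen in the server's own TLS handshake: cached without a probe
        self._entries[ep] = (cert, self._clock())

    def certificate_for(self, ep: Endpoint) -> Optional[bytes]:
        # Probe on a miss; None means the probe failed and policy must fall back to SNI/address
        cert = self._cached(ep)
        if cert is None:
            self.probes += 1
            cert = self._fetch(ep)
            if cert is not None:  # only a successful probe is cached
                self._entries[ep] = (cert, self._clock())
        return cert

def run_scenario() -> dict:
    """Constructed walkthrough: cache hit, expiry, failed probe, handshake-observed cert."""
    now = [1000.0]  # fake clock in seconds, advanced by hand
    def fake_fetch(ep):  # constructed: only ".test" hosts are routable from the probe interface
        return b"CERT:" + ep[0].encode() if ep[0].endswith(".test") else None
    cache = ServerCertCache(fake_fetch, timeout_s=300, clock=lambda: now[0])
    ep = ("www.example.test", 443)
    r = {"first": cache.certificate_for(ep), "probes_after_first": cache.probes}
    r["second"], r["probes_after_second"] = cache.certificate_for(ep), cache.probes  # cache hit
    now[0] += 301  # past the cache timeout: the next lookup must probe again
    r["after_expiry"], r["probes_after_expiry"] = cache.certificate_for(ep), cache.probes
    r["unreachable"] = cache.certificate_for(("10.0.0.9", 8443))  # probe fails, nothing cached
    cache.observe_handshake(("observed.test", 443), b"CERT:observed.test")
    r["observed"], r["probes_final"] = cache.certificate_for(("observed.test", 443)), cache.probes
    return r
```

A failed probe leaves no entry behind, so the next connection to that endpoint probes again rather than being served a stale or missing certificate.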
The major benefit is that when the engine is not decrypting, it may be unable to observe the server certificate and must rely on the TLS SNI (“Server Name Indication”) and server address information, which are unreliable, to identify the applications in the TLS connection. With support for active destination server certificate probing, reliability is improved by automatically fetching the server certificate for each new TLS connection.