Active destination server certificate probing

Use the option Active destination server certificate probing to enable active fetching of server certificates for TLS connections.

The NGFW engine now supports decrypting TLS 1.3 connections. In earlier versions, TLS 1.3 connections were downgraded to TLS 1.2 when decryption was needed.

The NGFW engine now supports active fetching of destination server certificates when inspecting TLS traffic. To use it, enable the option Active destination server certificate probing in the SMC.

When a client opens a TLS connection through the NGFW engine to a destination server (the “server endpoint”), the engine first checks whether it already has a cached copy of that server's certificate.

If the server endpoint is already known to the NGFW engine, it uses the cached copy of the server certificate. If the server endpoint is not yet known, the engine opens an additional TLS connection of its own to the destination server to fetch the server certificate.

Because the probe is a connection originated by the engine itself, fetching the server certificate for a connection that passes through an inline interface pair requires the NGFW engine to have an additional interface with a valid route to the server.

Depending on the currently active policy, the client connection may be held (not forwarded) until the NGFW engine has finished processing the server certificate.

If the NGFW engine succeeds in obtaining the server certificate, it caches the certificate together with the server endpoint information for use by future TLS connections to the same server endpoint. The Server certificate cache timeout value determines how long the engine may rely on a cached certificate before it must be discarded and fetched again.

The engine also caches, per unique server endpoint, any server certificate it observes in the server's response during TLS handshake processing, so a certificate seen passively does not need to be probed for.

The major benefit is reliability of application identification. When the engine is not decrypting, it may not be able to observe the server certificate at all (in TLS 1.3 the server's Certificate message is sent encrypted), so it has to rely on the TLS SNI (“Server Name Indication”) and the server address. The SNI is supplied by the client and is not authenticated, so a client can present any name it likes. With active destination server certificate probing, the engine fetches the server certificate itself for each new server endpoint, so identification can be based on the names the certificate actually carries rather than on the client's claim.
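The following is an added illustration of the cache behaviour described above (cache lookup by server endpoint, probe on a miss, timeout-based expiry, no caching of failed probes, passive learning from observed handshakes) and of the SNI-versus-certificate comparison that motivates the feature. It is not Forcepoint NGFW code. The endpoint addresses, the names attached to them, the 600-second timeout and the `demo()` walk-through are constructed for the example; `probe_server_certificate()` shows how a real fetcher would obtain the leaf certificate with the Python standard library, but the offline demo substitutes a dictionary lookup so nothing on the network is touched.

```python
"""Certificate-probing cache modelled on the behaviour described above.

Added illustration, not Forcepoint NGFW code. A server endpoint is an
(IP, port) tuple; certificates are opaque records returned by a pluggable
fetcher so the logic runs offline.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Callable, Optional

Endpoint = tuple[str, int]  # (server IP, TCP port)


@dataclass
class CachedCertificate:
    cert: object        # DER bytes in practice; a constructed dict in the demo
    cached_at: float    # seconds, same clock as the `now` passed to lookups
    source: str         # "probe" (fetched actively) or "handshake" (observed)


@dataclass
class CertificateCache:
    """Entries are not shared across virtual engines or logical interfaces,
    so one instance is created per such context."""
    timeout: float                                   # cache timeout, seconds
    fetcher: Callable[[Endpoint], Optional[object]]  # opens the extra TLS connection
    entries: dict = field(default_factory=dict)
    probes: int = 0                                  # extra connections opened

    def lookup(self, endpoint: Endpoint, now: float) -> Optional[object]:
        entry = self.entries.get(endpoint)
        if entry is None:
            return None
        if now - entry.cached_at > self.timeout:
            del self.entries[endpoint]       # stale: discard, caller re-probes
            return None
        return entry.cert

    def lookup_or_probe(self, endpoint: Endpoint, now: float) -> Optional[object]:
        cert = self.lookup(endpoint, now)
        if cert is not None:
            return cert                      # known endpoint: no extra connection
        self.probes += 1
        cert = self.fetcher(endpoint)
        if cert is not None:                 # a failed probe caches nothing
            self.entries[endpoint] = CachedCertificate(cert, now, "probe")
        return cert

    def learn_from_handshake(self, endpoint: Endpoint, cert: object, now: float) -> None:
        """Passive path: cache a certificate observed in a server's handshake."""
        self.entries[endpoint] = CachedCertificate(cert, now, "handshake")


def probe_server_certificate(endpoint: Endpoint, sni: Optional[str] = None,
                             timeout: float = 3.0) -> Optional[bytes]:
    """Real fetcher: open a separate TLS connection and return the leaf cert (DER).
    Verification is disabled on purpose: the aim is to read the certificate,
    not to trust it; validating it remains the client's job."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(endpoint, timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                          # no route, timeout, or TLS failure
        return None                          # (ssl.SSLError is an OSError)


def sni_matches_certificate(sni: str, names: list[str]) -> bool:
    """Does the client-supplied SNI match a name the certificate actually carries?
    Exact match, or a single-label wildcard in the leftmost position only."""
    sni = sni.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == sni:
            return True
        if name.startswith("*.") and "." in sni and sni.split(".", 1)[1] == name[2:]:
            return True
    return False


def demo() -> dict:
    """Offline walk-through with constructed endpoints (RFC 5737 test addresses)."""
    servers = {  # constructed: endpoint -> names its certificate carries
        ("192.0.2.10", 443): {"names": ["*.example.com", "example.com"]},
    }
    cache = CertificateCache(timeout=600.0, fetcher=servers.get)
    ep = ("192.0.2.10", 443)
    first = cache.lookup_or_probe(ep, now=0.0)          # unknown endpoint: probe
    second = cache.lookup_or_probe(ep, now=100.0)       # cached copy reused
    cache.lookup_or_probe(ep, now=700.0)                # past timeout: probe again
    cache.lookup_or_probe(("198.51.100.7", 443), 0.0)   # no route: probe fails
    passive = ("192.0.2.20", 8443)
    cache.learn_from_handshake(passive, {"names": ["mail.example.net"]}, now=0.0)
    probes_before = cache.probes
    cache.lookup_or_probe(passive, now=1.0)             # served from handshake entry
    return {
        "probes": cache.probes,
        "hit_reused_object": second is first,
        "unreachable_cached": ("198.51.100.7", 443) in cache.entries,
        "handshake_reused": cache.probes == probes_before,
        "sni_ok": sni_matches_certificate("www.example.com", first["names"]),
        "sni_spoofed": sni_matches_certificate("cdn.other.test", first["names"]),
    }


if __name__ == "__main__":
    print(demo())
```

The cache is keyed on the server endpoint rather than on the SNI precisely because the SNI is the untrusted input: two clients naming different hosts in their ClientHello but connecting to the same address and port are served by the same certificate, and that certificate, not either claim, is what identification should use. A probe that fails is deliberately not cached, so the next connection to that endpoint tries again once a route exists.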

Note: The server endpoints and their respective cached certificates are not shared between different virtual NGFW engines, logical interfaces, or between the master NGFW engine and virtual NGFW engines.