Engine Editor > Add-Ons > TLS Inspection
Use this branch to activate TLS inspection. You can configure TLS inspection for client or server protection.
Note: These settings are not supported for Master NGFW Engines.
| Option | Definition |
|---|---|
| Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
| TLS Credentials | Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element. |
| Check Certificate Revocation | When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked. |
| Decrypt All Traffic | When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements. |
| Cryptography Suite Set (TLS 1.2 and lower) |
Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic that is decrypted for TLS Client Protection. Click Select to select an element. Note: If you use TLS 1.3 with NGFW Engine version 6.11 or higher, the NGFW Engine decrypts all supported TLS 1.3 cryptographic algorithms.
|
| Do not decrypt destinations signed with these certificates | The NGFW Engine does not decrypt the TLS connection where the server certificate is signed by one of the issuer certificates listed in this field. |
| Active destination server certificate probing | When selected, it enables the NGFW Engine to fetch the server certificate over a separate TLS connection before establishing the original connection. |
| Server certificate cache timeout | The set value for this field determines how long the previously fetched certificates are to be retained. |