Limitations and considerations for using TLS inspection

Consider these limitations and other important information before configuring TLS inspection.

TLS inspection has the following limitations:

  • TLS inspection for client protection cannot be done for traffic picked up through Capture interfaces.
  • TLS inspection for server protection can be done for traffic picked up through both Capture interfaces and Inline interfaces.
    Note: Because the TLS protocol's forward-secret (DHE and ECDHE) key exchanges do not let a passive observer derive the session keys from the server's private key, TLS decryption for traffic picked up through Capture interfaces can only be done when RSA key exchange negotiation is used between the client and the server.
  • TLS inspection is not supported on Single IPS engines or on Single Layer 2 Firewalls if they are deployed alongside a Firewall Cluster that uses dispatch clustering.
  • Default Trusted Certificate Authority elements are automatically added to the SMC from dynamic update packages and cannot be edited or deleted.
  • TLS inspection is not supported on Master NGFW Engines.
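
The Capture-interface note above hinges on one question: does the negotiated cipher suite use RSA key exchange (a passive observer holding the server key can recover the session keys) or a forward-secret (EC)DHE exchange (it cannot)? The following added example, which is not part of this documentation or of the NGFW product, parses a TLS ServerHello record, reads the negotiated cipher suite and version, and reports whether passive decryption would be feasible. The `build_server_hello` helper, the cipher-suite table (a subset of the IANA registry) and the sample records are all constructed here for illustration.

```python
import struct

# Cipher suites mapped to their key-exchange method (values from the IANA
# TLS Cipher Suite registry). Representative subset only; extend as needed.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}

SUPPORTED_VERSIONS_EXT = 0x002B   # TLS 1.3 puts the real version here


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return the negotiated
    protocol version and cipher suite (the fields that decide key exchange)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite + compression method
    # Extensions are optional in TLS 1.2; TLS 1.3 signals 0x0304 in supported_versions.
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher_suite": cipher}


def passive_decryption_possible(record: bytes) -> tuple:
    """Return (possible, reason). Only RSA key exchange lets a passive tap that
    holds the server's private key recover the session keys."""
    info = parse_server_hello(record)
    if info["version"] >= 0x0304:
        return False, "TLS 1.3 always uses (EC)DHE key exchange"
    name, kx = CIPHER_SUITES.get(info["cipher_suite"], ("unknown", "unknown"))
    if kx == "RSA":
        return True, f"{name}: premaster secret is encrypted to the server's RSA key"
    if kx in ("DHE", "ECDHE", "TLS1.3"):
        return False, f"{name}: forward-secret {kx} key exchange"
    return False, f"cipher suite 0x{info['cipher_suite']:04X} not in table"


def build_server_hello(cipher_suite: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy version, random, empty session id
    body += struct.pack("!H", cipher_suite) + b"\x00"  # cipher suite, null compression
    if tls13:
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + b"\x03\x04"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: an RSA suite, an ECDHE suite, and a TLS 1.3 handshake.
    for suite, tls13 in ((0x002F, False), (0xC02F, False), (0x1301, True)):
        ok, why = passive_decryption_possible(build_server_hello(suite, tls13))
        print("capture-interface decryption:", "possible" if ok else "not possible", "-", why)
```

Run against real ServerHello records taken from a capture, the same classifier tells you in advance which flows a Capture-interface deployment will be able to inspect; for everything forward-secret, server protection needs an Inline interface that terminates the TLS session instead.
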

Consider this important information before configuring TLS inspection:
  • Traffic that uses TLS might be protected by laws related to the privacy of communications. Decrypting and inspecting this traffic might be illegal in some jurisdictions.
  • When a certificate for client or server protection has been uploaded to the NGFW Engine, it is possible to unintentionally enable TLS decryption for all traffic in one of the following ways:
    • Adding a Network Application that allows or requires the use of TLS to an Access rule
    • Enabling the logging of Application information in the Access rules
    • Enabling Deep Inspection in an Access rule with the Service cell of the rule set to ANY
  • Strict TCP inspection mode is automatically applied to TCP connections when TLS Inspection is used.