Barracuda CloudGen Firewall

How to Create a TLS Inspection Policy for Inbound TLS Inspection

For inbound TLS Inspection, the firewall uses the same TLS certificate that is installed on the internal server.

Barracuda CloudGen Firewall version 8.3.0 introduces a new feature, 'Policy Profiles'. Policy profiles are centrally managed, (pre-)defined rules for handling network traffic and applications. Instead of configuring inbound TLS Inspection as described here, you can switch from the application ruleset to the Policy Profiles view and configure TLS Inspection policies there. For more information, see Policy Profiles and TLS Inspection Policies.

Before You Begin

  • Create or purchase the server certificate to be used for TLS Inspection.

Step 1. Upload the Certificate to the Certificate Store

Upload the server certificate used to terminate incoming TLS connections on the firewall.

  1. Go to the Certificate Store. On the CloudGen Firewall, the certificate store is located under Advanced Configuration; on the Control Center, it is located in the Global Settings, Range Settings, or Cluster Settings.
  2. Click Lock.
  3. In the upper-left corner, click + and select Import new Certificate Store Entry from File or Import new Certificate Store Entry from PKCS12.
  4. Select the certificate file and click Open.
  5. (optional) Enter the Password and click OK.
  6. Enter a Name and click OK.
  7. Click Send Changes and Activate.
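
The following is an added example, not part of the original Barracuda documentation: a pre-import check that confirms the private key belongs to the certificate, optionally compares the certificate with a copy taken from the internal server, and builds the PKCS12 file for the import in Step 1. The file names, the P12_PASS variable, the function names and the unencrypted PEM key are assumptions; the sample certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example (not Barracuda code): checks to run before importing in Step 1.
# Assumptions: PEM inputs, unencrypted private key, password in $P12_PASS.

# True if both PEM files hold the same certificate (SHA-256 fingerprint).
same_certificate() {
    fp_a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    fp_b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$fp_a" = "$fp_b" ]
}

# True if the private key ($2) belongs to the certificate ($1).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a PKCS12 bundle ($3) from certificate ($1) and key ($2), then read it
# back to confirm it opens with the password and holds the same certificate.
bundle_pkcs12() {
    [ -n "${P12_PASS:-}" ] || { echo "export P12_PASS first" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS || return 1
    openssl pkcs12 -in "$3" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -out "$3.check.pem" 2>/dev/null || return 1
    rc=0
    same_certificate "$1" "$3.check.pem" || rc=$?
    rm -f "$3.check.pem"
    return "$rc"
}

# Constructed sample input: throwaway self-signed pair $1/$2.crt and $1/$2.key.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Usage: P12_PASS=... sh precheck.sh server.crt server.key server.p12 [copy-from-server.crt]
if [ "$#" -ge 3 ]; then
    export P12_PASS
    if [ -n "${4:-}" ]; then same_certificate "$1" "$4" || { echo "differs from server copy" >&2; exit 1; }; fi
    bundle_pkcs12 "$1" "$2" "$3" && echo "OK: $3 is ready for import"
fi
```

Reading the password from the environment keeps it off the command line, and a key that does not match the certificate is rejected before any bundle is written.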

Step 2. Create a TLS Inspection Policy Object

Create a TLS Inspection policy object for inbound TLS Inspection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. In the left menu, click TLS Inspection.
  4. Right-click the table and select New TLS Inspection Policy. The Edit TLS Inspection window opens.
  5. Enter the Name.
  6. From the TLS Policy Type drop-down list, select Inbound TLS Inspection.
  7. From the Inbound TLS Inspection Certificate drop-down list, select the server certificate you uploaded to the certificate store in Step 1.
  8. (optional) Configure Cryptographic Attributes:
    • Minimum TLS Version – Select the minimum TLS version.

      Since most servers currently support only TLS version 1.2, do not set this parameter to a higher value. Setting the minimum TLS version to 1.3 enforces TLS 1.3, which can cause connections to fail.

    • Cipher Set – Select a preset cipher set, or click Configure to customize the cipher set.
  9. (optional) Click Configure to customize the cipher set and/or click Show Cipher String to view a list of the supported ciphers of the set.
  10. Click OK.
  11. Click Send Changes and Activate.

Next Steps

Configure outbound TLS Inspection. For more information, see How to Configure Outbound TLS Inspection.