Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Configure SSL Inspection


Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection transparently decrypts and re-encrypts HTTPS traffic so that Application Control features (such as the Virus Scanner, IPS, URL Filter, or Safe Search) can inspect the content of SSL-encrypted connections that would otherwise not be visible to the Firewall service. Before configuring SSL Inspection, you must install the SSL Inspection security certificate (root certificate). The root certificate is used to intercept, proxy, and inspect the HTTPS session. The Barracuda NextGen Firewall X-Series can then inspect HTTPS connections by presenting the client with an SSL certificate that is derived from this root CA.

Do not use SSL Inspection in combination with Barracuda Web Security Service or a forward proxy.

Before You Begin

Step 1. Enable SSL Inspection

Enable SSL Inspection and prepare the root certificate for client download. 

  1. Go to FIREWALL > Settings.
  2. In the SSL Inspection section, select the Enable SSL Inspection checkbox.
  3. Select the uploaded root certificate from the Select Certificate dropdown list.
  4. Select Enable Browser Certificate Download.

  5. Select Allow SSLv3 if you must support clients that use SSLv3 only.
  6. In the Domain Exemptions section, add domains that should be excluded from SSL Inspection:
    • Enter the domain name and click +.
     
  7. In the URL Category Exemptions section, add website categories that should not be SSL-inspected.

  8. To automatically check for revoked CA certificates:
    • Click Show Advanced Options.

    • Select the Enable CRL checks checkbox.
    • In the CRL validation fail behavior section, select the action to be taken if the CRL check fails.

    • In the Additional Certificates section, add additional trusted CA certificates. These certificates are deemed valid even if the CRL fails.

  9. Click Save.

Step 2. Install the SSL Inspection Root Certificate on all Clients

Download and install the security certificate on all clients. To prevent browser warnings and allow transparent SSL Inspection, install the certificate into the operating system's or web browser's certificate store.

On every client computer:

  1. Go to:
    https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=cer

    OR
    https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=pem
  2. Download the certificate to the client computer.
  3. Double-click the certificate to import it.
  4. Click Install Certificate.
  5. Select Local Machine as the certificate Store Location, and click Next.
  6. Select the path where the certificate should be saved (recommended: default), and click Next.
  7. Check the installation settings and click Finish.
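
The import in steps 3 to 7 can also be scripted. The following is an added example, not Barracuda's own tooling: it checks the downloaded file against a SHA-256 fingerprint obtained from the firewall administrator before trusting it, then adds it to the Local Machine store. The parameter names are hypothetical, and the Trusted Root Certification Authorities store is an assumption (the page only says to accept the default).

```powershell
# Added example, not Barracuda tooling. Run from an elevated PowerShell session.
# Parameter names are hypothetical. -ExpectedSha256 is the root certificate's
# SHA-256 fingerprint obtained out of band, not taken from the download itself.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Load the .cer or .pem file saved in step 2.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Compare the fingerprint of the DER bytes with the out-of-band value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = $ExpectedSha256 -replace '[:\s-]', ''
if ($actual -ne $expected) {   # -ne compares strings case-insensitively
    throw "Fingerprint mismatch: file has $actual. Certificate not installed."
}

# A root used for SSL Inspection must be a CA certificate and currently valid.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints CA:TRUE missing).'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Assumption: Trusted Root Certification Authorities store of the Local Machine.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Skip the write if this exact certificate is already trusted.
    if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Output "Installed $($cert.Subject) (SHA-256 $actual)"
    } else {
        Write-Output "Already present: $($cert.Subject)"
    }
} finally {
    $store.Close()
}
```

Because any holder of this root's private key can issue certificates that the client will accept for any site, the fingerprint check is the step that ties the installed certificate to your own firewall.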

Step 3. Enable SSL Inspection in Access Rules

SSL Inspection can now be enabled on a per-access-rule basis. To use SSL Inspection, you must also enable Application Control. For more information, see Firewall Rules.
