Barracuda CloudGen Firewall

How to Configure Inbound TLS Inspection

Inbound TLS Inspection allows the firewall to decrypt and secure inbound TLS connections to servers or services behind the firewall. The firewall uses the server's TLS certificate to terminate the connection. This allows the firewall to define the allowed cipher sets and minimum TLS version used for the connection. The traffic is then scanned, and the configured policies are applied. The firewall then creates a TLS connection to the server and forwards the traffic to its destination.

With Barracuda CloudGen Firewall version 8.3.0, a new feature 'Policy Profiles' has been implemented. Policy profiles are centrally managed, (pre-)defined rules for handling network traffic and applications. Instead of configuring inbound TLS Inspection, you can also switch from the application ruleset to the Policy Profiles view and configure TLS Inspection policies. For more information, see Policy Profiles and TLS Inspection Policies.

(Figure: tls_inspection_in.png, overview of inbound TLS Inspection)

Before You Begin

Create a TLS Inspection policy for inbound TLS Inspection. For more information, see How to Create a TLS Inspection Policy for Inbound TLS Inspection.

Step 1. Enable TLS Inspection

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Security Policy.
  2. Click Lock.
  3. Expand the Enable TLS Inspection drop-down list and enable TLS Inspection.
    (Screenshot: ssl_auto.png, the Enable TLS Inspection drop-down list)

    When set to Auto, the CloudGen Firewall will check for certificates and automatically enable TLS Inspection as soon as a certificate is detected.

  4. Click Send Changes and Activate.

Step 2. Create Access Rule with Inbound TLS Inspection

Enable TLS Inspection on the Dst NAT access rule forwarding traffic to the internal server.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset or right-click the ruleset and select New > Rule.
  4. Select Dst NAT as the action.
  5. Enter a Name for the rule.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – Select Internet.
    • Destination – Select the network object containing the external IP address of the firewall.
    • Service – Select the service(s) for which inbound TLS Inspection should be used. For example, select SMTP.
    • Target List – Enter the internal IP address(es) of the server, or select a network object containing the server IP addresses. For more information, see How to Create a Destination NAT Access Rule.
    • Connection Method – Select Original Source IP.
    (Screenshot: inbound_TLS_inspection_dst_NAT_example.png, example Dst NAT rule settings)
  7. From the IPS Policy drop-down list, select the IPS policy.
  8. Click the Application Policy link and select:

    • Application Control – Required.
    • TLS Inspection – Required.
    • Virus Scan – Optional.
    • ATP – Optional.
    • File Content Scan – Optional.
    (Screenshot: app_control_TLS_inspection_activated.png, Application Policy with TLS Inspection enabled)
  9. From the TLS Inspection Policy drop-down list, select a TLS Inspection policy for inbound inspection. For more information, see How to Create a TLS Inspection Policy for Inbound TLS Inspection.
    (Screenshot: inbound_TLS_inspection_policies.png, the TLS Inspection Policy drop-down list)
  10. Click OK.
  11. Click Send Changes and Activate.

Incoming TLS connections are now terminated on the firewall before being forwarded to the internal server.
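Because the firewall now terminates the handshake with the server's own certificate and enforces the cipher set and minimum TLS version from the TLS Inspection policy, the quickest way to confirm the rule is working is to connect from the outside and compare what is actually negotiated against what the policy is supposed to allow. The script below is an added example written for this article; it is not Barracuda code and uses nothing from the firewall itself. It assumes a service with implicit TLS on the port you enter (for a STARTTLS service such as SMTP on port 25 the application-layer upgrade would have to happen first), and the host name, port and expected policy values in the `__main__` block are placeholders to replace with your own.

```python
"""Probe a TLS-terminating firewall from the client side and compare the
negotiated parameters with the inbound TLS Inspection policy you configured.
Added example for this article; not part of the Barracuda product."""
import socket
import ssl
from dataclasses import dataclass

# SSLSocket.version() returns these strings; ssl.TLSVersion is an IntEnum,
# so mapping the strings onto it lets us compare protocol versions directly.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class Handshake:
    """What the client observed: protocol, cipher suite and certificate CN."""
    version: str
    cipher: str
    subject_cn: str


def cn_from_cert(cert):
    """Extract the commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def check_handshake(hs, min_version_name, allowed_ciphers, expected_cn):
    """Return a list of policy deviations; an empty list means the handshake
    matches the expected minimum version, cipher set and server certificate."""
    findings = []
    minimum = _VERSION_BY_NAME[min_version_name]
    seen = _VERSION_BY_NAME.get(hs.version)
    if seen is None or seen < minimum:
        findings.append(f"protocol {hs.version} is below the minimum {min_version_name}")
    if hs.cipher not in allowed_ciphers:
        findings.append(f"cipher {hs.cipher} is not in the allowed set")
    if hs.subject_cn != expected_cn:
        findings.append(f"certificate CN {hs.subject_cn!r} does not match {expected_cn!r}")
    return findings


def probe(host, port, server_name, cafile=None, timeout=5.0):
    """Open one TLS connection (implicit TLS, no STARTTLS) and record the result.
    cafile is the CA that issued the server certificate; None uses system trust."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cipher_name = tls.cipher()[0]
            return Handshake(tls.version(), cipher_name, cn_from_cert(tls.getpeercert()))


if __name__ == "__main__":
    # Placeholder values (assumptions for this example): the firewall's external
    # address, the published service port and the policy you expect to see.
    hs = probe("firewall.example.invalid", 465, "mail.example.invalid")
    problems = check_handshake(
        hs,
        min_version_name="TLSv1.2",
        allowed_ciphers={"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                         "ECDHE-RSA-AES256-GCM-SHA384"},
        expected_cn="mail.example.invalid",
    )
    print(hs)
    print("policy match" if not problems else "\n".join(problems))
```

Run it once from a host on the Internet side of the firewall after Step 2; the certificate CN it reports should be the internal server's certificate, since the firewall re-uses that certificate to terminate the connection, and the version and cipher should be ones the inbound TLS Inspection policy permits. If the probe still negotiates a protocol below the policy minimum, the connection is most likely not matching the Dst NAT rule with TLS Inspection enabled.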

Monitoring and Troubleshooting

TLS Inspection error messages are written to the Firewall/SSL.log file. On the FIREWALL > Live page, the State column shows a padlock icon for TLS-inspected connections.