Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure SSL Interception in the Firewall

Most applications encrypt outgoing connections with SSL or TLS. SSL Interception transparently decrypts and re-encrypts HTTPS traffic so that Application Control features (such as the Virus Scanner, IPS, URL Filter, or Safe Search) can inspect the content of SSL-encrypted connections that would otherwise not be visible to the Firewall service. Before configuring SSL Interception, you must install the SSL Interception security certificate (root certificate). The root certificate is used to intercept, proxy, and inspect the HTTPS session. The firewall can then inspect the HTTPS connections by presenting the client with an SSL certificate that is derived from this root CA.

Do not use SSL Interception in combination with the Barracuda Web Security Service or a forward proxy.

Before You Begin

Create or upload the SSL Interception root certificate in the Certificate Manager. You must use a CA certificate (Certificate Authority). For more information, see How to Use and Manage Certificates with the Certificate Manager.

Step 1. Enable SSL Interception

Enable SSL Interception and prepare the root certificate for client download. 

  1. Go to FIREWALL > Settings.
  2. In the SSL Interception section, select the Enable SSL Interception check box.
  3. Select the uploaded root certificate from the Select Certificate drop-down list.
  4. Select Enable Browser Certificate Download.

  5. Select Allow SSLv3 if you must support clients that use SSLv3 only.
  6. In the Domain Exemptions section, add domains that should be excluded from SSL Interception:
    • Enter the domain name and click +.
  7. In the URL Category Exemptions section, add website categories that should not be SSL intercepted.

  8. To automatically check for revoked CA certificates:
    1. Click Show Advanced Options.

    2. Select the Enable CRL checks check box.
    3. In the CRL validation fail behavior section, select the action to be taken if the CRL check fails.

    4. In the Additional Certificates section, add additional trusted CA certificates. These certificates are deemed valid even if the CRL fails.

  9. Click Save.

Step 2. Install the SSL Interception Root Certificate on all Clients

Download and install the security certificate on all clients. To prevent browser warnings and allow transparent SSL Interception, install the certificate into the operating system's or web browser's certificate store.

On every client computer:

  1. Go to:
    https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=cer
    OR
    https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=pem
  2. Download the certificate to the client computer.
  3. Double-click the certificate to import it.
  4. Click Install Certificate.
  5. Select Local Machine as the certificate Store Location, and click Next.
  6. Select the path where the certificate is to be saved (recommended: default), and click Next.
  7. Check the installation settings and click Finish.

Step 3. Enable SSL Interception in Access Rules

SSL Interception can now be enabled on a per-access-rule basis. To use SSL Interception, you must also enable Application Control. For more information, see Access Rules. 
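
A client-side check for the steps above, added here as an example and not taken from the product documentation: it compares the issuer of the certificate a client is shown with the subject of the SSL Interception root, to confirm that rules with SSL Interception re-sign traffic and that Domain Exemptions pass through untouched. It assumes the root was downloaded in PEM format and that intercepted certificates are issued directly by that root; the function names, host names and certificate names are constructed for illustration.

```python
import socket
import ssl


def root_subject(root_pem_path):
    """Subject name of the interception root, read from its PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    ctx.load_verify_locations(cafile=root_pem_path)
    cas = ctx.get_ca_certs()  # lists only certificates that are CAs
    if not cas:
        raise ValueError("file holds no CA certificate")
    return cas[0]["subject"]


def fetch_issuer(host, root_pem_path, port=443, timeout=5.0):
    """Issuer name of the certificate this client is actually shown for host."""
    ctx = ssl.create_default_context()               # public CAs, for exempted hosts
    ctx.load_verify_locations(cafile=root_pem_path)  # plus the interception root
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]


def audit(observed, expected, root_subj):
    """Compare observed issuers with the intended policy.

    observed: {host: issuer name}. expected: {host: True if the host should be
    intercepted, False if it is exempted}. Returns sorted (host, problem) tuples.
    Assumption: an intercepted certificate names the root itself as issuer.
    """
    findings = []
    for host, should_intercept in sorted(expected.items()):
        if host not in observed:
            findings.append((host, "no certificate observed"))
            continue
        intercepted = observed[host] == root_subj
        if should_intercept and not intercepted:
            findings.append((host, "expected interception, issuer is not the root"))
        elif intercepted and not should_intercept:
            findings.append((host, "exempted host is being intercepted"))
    return findings


# Constructed sample data, in the name format getpeercert() returns.
ROOT = ((("organizationName", "Example Corp"),), (("commonName", "Example Interception CA"),))
PUBLIC = ((("organizationName", "Constructed Public CA"),), (("commonName", "Issuing CA 1"),))
SAMPLE_OBSERVED = {"intranet.example": ROOT, "bank.example": ROOT, "news.example": PUBLIC}
SAMPLE_EXPECTED = {"intranet.example": True, "bank.example": False,
                   "news.example": True, "mail.example": True}
```

On a real client, build `observed` with `fetch_issuer()` for each host and pass `root_subject()` of the downloaded PEM file as `root_subj`.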
