We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Inbound SSL Inspection

  • Last updated on

Inbound SSL Inspection allows the firewall to decrypt and secure inbound SSL or TLS connections to servers or services behind the firewall. The firewall uses the server's SSL certificate to terminate the connection. This allows the firewall to define the allowed cipher sets and minimum SSL or TLS version used for the connection. The traffic is then scanned, and the configured policies are applied. The firewall then creates an SSL connection to the server and forwards the traffic to its destination.

Before You Begin

Step 1. Enable SSL Inspection

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
  2. Click Lock.
  3. Select the Enable SSL Inspection check box.
    inbound_SSL_Inspection_01.png
  4. Click Send Changes and Activate.

Step 2. Create Access Rule with Inbound SSL Inspection

Enable SSL Inspection on the Dst NAT access rule forwarding traffic to the internal server.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
  4. Select Dst NAT as the action.
  5. Enter a Name for the rule.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – Select Internet
    • Destination – Select the network object containing the external IP address of the firewall.
    • Service – Select HTTPS.

    • Target List – Enter the internal IP address(es) of the server, or a select a network object containing the web server IP addresses. For more information, see How to Create a Destination NAT Access Rule

    • Connection Method – Select Original Source IP.

     inbound_SSL_Inspection_02.png
  7. From the IPS Policy drop-down list, select the IPS policy.
  8. Click the Application Policy link and select:

    • Application Control – Required.
    • SSL Inspection – Required. 
    • Virus Scan – Optional.
    • ATP – Optional. 
    • File Content Scan – Optional.
    inbound_SSL_Inspection_03.png
  9. From the SSL Inspection Policy drop down list, select an SSL Inspection policy for inbound inspection. For more information, see How to Create an SSL Inspection Policy for Inbound SSL Inspection.
    inbound_SSL_Inspection_04.png
  10. Click OK.
  11. Click Send Changes and Activate.

Incoming SSL or TLS connections are now terminated on the firewall before being forwarded to the internal server.

Monitoring and Troubleshooting

SSL Inspection error message are written the Firewall/SSL.log file. On the FIREWALL > Live page the State column show the padlock (padlock.png) icon for SSL inspected connections.

Next Steps

Inbound SSL Inspection can be combined with the following features:

Last updated on