Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Outbound SSL Inspection

Outbound SSL Inspection allows the firewall to inspect SSL or TLS traffic when clients behind the firewall access SSL-encrypted services on the Internet. Depending on the settings in the SSL Inspection policy used, various SSL errors are handled directly on the firewall, without allowing the user to override this decision. For example, it is possible to block users from accepting self-signed certificates.

Before You Begin

Step 1. Upload the SSL Certificate and Key to the Certificate Store

CA Certificates

Upload the certificate and, optionally, key to the certificate store.

  1. Go to the Certificate Store. On a stand-alone firewall, the certificate store is in the Advanced Configuration; on the Control Center it is in the Global Settings, Range Settings or Cluster Settings.

  2. Click Lock.
  3. In the upper-right corner, click + and select Import new Certificate Store Entry from File or Import new Certificate Store Entry from PKCS12.
  4. Select the certificate file and click Open.
  5. (optional) Enter the Password and click OK.
  6. Enter a Name and click OK.
  7. (optional) If needed, right-click the certificate and select Assign Key to Certificate Store Entry.
    1. Select the certificate key file and click Open.
    2. Enter a Name and click OK.
  8. Click Send Changes and Activate.

Self-Signed Certificates

  1. Go to the Certificate Store. On a stand-alone firewall, the certificate store is in the Advanced Configuration; on the Control Center, it is in the Global Settings, Range Settings or Cluster Settings.
  2. Click Lock.
  3. Right-click in the table and select Create Self Signed Certificate, or use the respective button at the top right of the window.
  4. Select Create Self Signed Certificate. The Create Self Signed Certificate window opens.
  5. Enter a Name for the certificate.
  6. (optional) Enter the Key Length.
  7. Click Create to create a key.
  8. Select the key to import, and click Open.
  9. In the Subject - Issuer section, fill in the required certificate information.
  10. Click OK.

The certificate used for outbound SSL Inspection is now listed in the certificate store.

Step 2. Enable SSL Inspection

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
  2. Click Lock.
  3. Select the Enable SSL Inspection check box.
  4. Select the Root Certificate uploaded to the certificate store in step 1 from the drop-down list. 
  5. Configure SSL Inspection Exception Handling:
    • Domain Exceptions – Enter the domain names that are exempt from SSL Inspection. Subdomains are automatically included. Using * wildcards is allowed.
    • URL Category Exceptions – Select URL Filter categories excluded from SSL Inspection.
  6. Click Send Changes and Activate.
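
Every Domain Exceptions entry from step 5 is traffic the firewall no longer inspects, so the list is worth reviewing before activation. The following is an added example, not part of the original page or Barracuda code: it models the two rules stated above (subdomains included, `*` wildcards allowed) to show which observed hosts an exception list would exempt and which entries are very broad. The exact matching semantics, the function names and the sample domains are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional

# Constructed sample data (reserved .example names; not from the original page).
EXCEPTIONS = ["bank.example", "*.health.example", "*.com"]
OBSERVED_HOSTS = [
    "login.bank.example", "notbank.example", "portal.health.example",
    "shop.vendor.com", "mail.corp.example",
]

def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")

def matching_exception(host: str, exceptions: Iterable[str]) -> Optional[str]:
    """Return the first entry that exempts host, or None if host stays inspected.

    Assumed model: an entry covers the domain itself and all of its
    subdomains, and '*' inside an entry matches any run of characters.
    """
    host = normalize(host)
    for raw in exceptions:
        entry = normalize(raw)
        if entry and (fnmatchcase(host, entry) or fnmatchcase(host, "*." + entry)):
            return raw
    return None

def overly_broad(exceptions: Iterable[str]) -> List[str]:
    """Flag entries with fewer than two non-wildcard labels ('*', '*.com', 'com')."""
    flagged = []
    for raw in exceptions:
        fixed = [label for label in normalize(raw).split(".") if label.strip("*")]
        if len(fixed) < 2:
            flagged.append(raw)
    return flagged

def audit(hosts: Iterable[str], exceptions: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each observed host to the entry exempting it (None = inspected)."""
    exceptions = list(exceptions)
    return {h: matching_exception(h, exceptions) for h in hosts}

if __name__ == "__main__":
    for host, entry in audit(OBSERVED_HOSTS, EXCEPTIONS).items():
        print(f"{host:24} {'EXEMPT via ' + entry if entry else 'inspected'}")
    print("Review these broad entries:", overly_broad(EXCEPTIONS))
```
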

Step 3. Create Access Rule for Outbound SSL Inspection

Enable SSL Inspection on the access rule handling outbound traffic.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
  4. Select Pass as the action.
  5. Enter a Name for the rule.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – Select the internal network.
    • Destination – Select Internet.
    • Service – Select the services, for example, HTTPS, FTPS, or SMTPS.
    • Connection Method – Select Dynamic NAT.
  7. Click the Application Policy link and select:

    • Application Control – Required.
    • SSL Inspection – Required. 
    • Virus Scan – Optional.
    • ATP – Optional. 
    • File Content Scan – Optional.
    • Safe Search – Optional.
    • Google Accounts – Optional.
  8. From the SSL Inspection Policy drop-down list, select an SSL Inspection policy for outbound SSL inspection. For more information, see How to Create an SSL Inspection Policy for Inbound SSL Inspection.
  9. Click OK.
  10. Click Send Changes and Activate.

Outbound SSL or TLS connections are now inspected by the firewall.

Monitoring and Troubleshooting

SSL Inspection error messages are written to the Firewall/SSL.log file. On the FIREWALL > Live page, the State column shows the padlock icon for SSL-inspected connections.

Next Steps

Outbound SSL Inspection can be combined with the following features: