Inbound SSL Inspection allows the firewall to decrypt and secure inbound SSL or TLS connections to servers or services behind the firewall. The firewall uses the server's SSL certificate to terminate the connection. This allows the firewall to define the allowed cipher sets and minimum SSL or TLS version used for the connection. The traffic is then scanned, and the configured policies are applied. The firewall then creates an SSL connection to the server and forwards the traffic to its destination.
Before You Begin
- Verify that the Firewall Feature level is set to 7.2 or higher.
- Create an SSL Inspection policy for inbound SSL Inspection. For more information, see How to Create an SSL Inspection Policy for Inbound SSL Inspection.
Step 1. Enable SSL Inspection
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Security Policy.
- Click Lock.
- Select the Enable SSL Inspection check box.
- Click Send Changes and Activate.
Step 2. Create Access Rule with Inbound SSL Inspection
Enable SSL Inspection on the Dst NAT access rule forwarding traffic to the internal server.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
- Select Dst NAT as the action.
- Enter a Name for the rule.
- Specify the following settings that must be matched by the traffic to be handled by the access rule:
- Source – Select Internet.
- Destination – Select the network object containing the external IP address of the firewall.
Service – Select the service(s) for which inbound SSL inspection should be used. For example, select SMTP.
Target List – Enter the internal IP address(es) of the server, or a select a network object containing the web server IP addresses. For more information, see How to Create a Destination NAT Access Rule.
Connection Method – Select Original Source IP.
- From the IPS Policy drop-down list, select the IPS policy.
Click the Application Policy link and select:
- Application Control – Required.
- SSL Inspection – Required.
- Virus Scan – Optional.
- ATP – Optional.
- File Content Scan – Optional.
- Application Control – Required.
- From the SSL Inspection Policy drop down list, select an SSL Inspection policy for inbound inspection. For more information, see How to Create an SSL Inspection Policy for Inbound SSL Inspection.
- Click OK.
- Click Send Changes and Activate.
Incoming SSL or TLS connections are now terminated on the firewall before being forwarded to the internal server.
Monitoring and Troubleshooting
SSL Inspection error messages are written in the Firewall/SSL.log file. On the FIREWALL > Live page, the State column shows the padlock () icon for SSL-inspected connections.