It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Inbound SSL Inspection

  • Last updated on

Inbound SSL Inspection allows the firewall to decrypt and secure inbound SSL or TLS connections to servers or services behind the firewall. The firewall uses the server's SSL certificate to terminate the connection. This allows the firewall to define the allowed cipher sets and minimum SSL or TLS version used for the connection. The traffic is then scanned, and the configured policies are applied. The firewall then creates an SSL connection to the server and forwards the traffic to its destination.

ssl_inspection_in.png

Before You Begin

Step 1. Enable SSL Inspection

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Security Policy.
  2. Click Lock.
  3. Select the Enable SSL Inspection check box.
    enable_ssl.png
  4. Click Send Changes and Activate.

Step 2. Create Access Rule with Inbound SSL Inspection

Enable SSL Inspection on the Dst NAT access rule forwarding traffic to the internal server.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
  4. Select Dst NAT as the action.
  5. Enter a Name for the rule.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – Select Internet
    • Destination – Select the network object containing the external IP address of the firewall.
    • Service – Select the service(s) for which inbound SSL inspection should be used. For example, select SMTP.

    • Target List – Enter the internal IP address(es) of the server, or a select a network object containing the web server IP addresses. For more information, see How to Create a Destination NAT Access Rule.

    • Connection Method – Select Original Source IP.

     dst_NAT_example.png
  7. From the IPS Policy drop-down list, select the IPS policy.
  8. Click the Application Policy link and select:

    • Application Control – Required.
    • SSL Inspection – Required. 
    • Virus Scan – Optional.
    • ATP – Optional. 
    • File Content Scan – Optional.
    inbound_SSL_Inspection_03.png
  9. From the SSL Inspection Policy drop down list, select an SSL Inspection policy for inbound inspection. For more information, see How to Create an SSL Inspection Policy for Inbound SSL Inspection.
    inbound_SSL_Inspection_04.png
  10. Click OK.
  11. Click Send Changes and Activate.

Incoming SSL or TLS connections are now terminated on the firewall before being forwarded to the internal server.

Monitoring and Troubleshooting

SSL Inspection error messages are written in the Firewall/SSL.log file. On the FIREWALL > Live page, the State column shows the padlock (padlock.png) icon for SSL-inspected connections.