The SSL Inspection policy contains the information the firewall needs to accept and initiate SSL or TLS connections when it intercepts the SSL or TLS connections of clients it protects. The policy object defines the behavior when validation errors or revocation check failures are encountered; SSL connections that do not meet these requirements are blocked. The SSL Inspection policy also defines the minimum SSL or TLS version and the allowed ciphers; the connection is terminated if these minimum requirements are not met.
Before You Begin
Verify that the Feature Level of the Forwarding Firewall is set to 7.2 or higher.
Create SSL Inspection Policy Object
Create an SSL Inspection policy object for outbound SSL Inspection.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- In the left menu, click SSL Inspection.
- Right-click the table and select New Inspection Policy. The Edit SSL Inspection window opens.
- Enter the Name.
- From the SSL Policy Type drop-down list, select Outbound SSL Inspection and, if required, select Download Intermediate CA Certificates automatically to automatically complete and import missing intermediate certificates.
- Configure the SSL Validation Policy settings. For more information on SSL Error Policies, see SSL Inspection in the Firewall.
  - Self-Signed Certificates – Select Pass Error to Client, Hide Error from Client, or Block.
  - Untrusted Certificates – Select Pass Error to Client, Hide Error from Client, or Block.
  - Expired or Not Yet Valid Certificates – Select Pass Error to Client, Hide Error from Client, or Block.
  - Revoked Certificates – Select Hide Error from Client or Block.
  - Corrupted Certificates – Select Pass Error to Client, Hide Error from Client, or Block.
- Select the Enable Revocation Check check box to check the revocation status of the certificate via OCSP stapling, OCSP, or CRL.
- Configure the Action on Revocation Check Error:
  - Fail Open – If the revocation check fails due to operational errors, the connection is allowed.
  - Fail Close – If the revocation check fails due to operational errors, the connection is blocked.
- (optional) Configure Cryptographic Attributes:
  - Minimum SSL/TLS Version – Select the minimum SSL or TLS version.
  - Cipher Set – Select a preset cipher set, or click Configure to customize the cipher set.
- (optional) Click Configure to customize the cipher set.
- Click OK.
- Click Send Changes and Activate.
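As an added illustration that is not part of this article or of the firewall's own code, the following Python model shows how the settings above combine for one intercepted connection: the minimum version and cipher set are checked first, an operational revocation check error follows the Fail Open / Fail Close choice, and the per-error actions decide what the client sees. The evaluation order, the precedence between actions when several errors apply, the default values and the cipher names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
class Action(Enum):
    PASS_ERROR = "Pass Error to Client"
    HIDE_ERROR = "Hide Error from Client"
    BLOCK = "Block"
# Higher index = newer protocol; used for the Minimum SSL/TLS Version check.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumed precedence when a certificate has several errors: the strictest action wins.
SEVERITY = {Action.HIDE_ERROR: 0, Action.PASS_ERROR: 1, Action.BLOCK: 2}

@dataclass
class InspectionPolicy:  # fields mirror the Edit SSL Inspection window; defaults are assumed
    self_signed: Action = Action.BLOCK
    untrusted: Action = Action.BLOCK
    expired_or_not_yet_valid: Action = Action.BLOCK
    revoked: Action = Action.BLOCK
    corrupted: Action = Action.BLOCK
    revocation_check: bool = True
    fail_open: bool = False                  # False models "Fail Close"
    min_version: str = "TLSv1.2"
    cipher_set: frozenset = frozenset({"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"})
    def __post_init__(self):
        # The editor offers only Hide Error from Client or Block for revoked certificates.
        if self.revoked is Action.PASS_ERROR:
            raise ValueError("Revoked Certificates: only Hide Error from Client or Block")

@dataclass
class ServerSide:  # constructed view of the server leg of an intercepted session
    version: str
    cipher: str
    cert_errors: frozenset   # subset of the policy field names above, e.g. {"self_signed"}
    revocation: str          # "good", "revoked", or "error" (OCSP/CRL unreachable)

def evaluate(policy: InspectionPolicy, s: ServerSide) -> tuple:
    """Return (decision, reason); decision is 'block', 'pass_error', 'hide_error' or 'allow'."""
    if TLS_ORDER.index(s.version) < TLS_ORDER.index(policy.min_version):
        return "block", f"{s.version} below minimum {policy.min_version}"
    if s.cipher not in policy.cipher_set:
        return "block", f"cipher {s.cipher} not in cipher set"
    errors = set(s.cert_errors)
    if policy.revocation_check and s.revocation == "error" and not policy.fail_open:
        return "block", "revocation check failed (Fail Close)"
    if policy.revocation_check and s.revocation == "revoked":
        errors.add("revoked")
    if not errors:
        return "allow", "certificate valid"
    worst = max((getattr(policy, e) for e in errors), key=SEVERITY.__getitem__)
    return worst.name.lower(), "certificate errors: " + ", ".join(sorted(errors))
```

Running the same server-side facts against a Fail Open and a Fail Close policy makes the trade-off of that setting visible before it is activated on the firewall.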
Configure outbound SSL Inspection. For more information, see How to Configure Outbound SSL Inspection.