You configure SSL inspection rules at the security-policy ssl-inspection level. For more details on the command structure, see Configuring Rules Using UPL.
Parameter | Description
---|---
OK PASS | SSL inspection rule action:
enabled | Enable/disable a rule:
name | SSL inspection rule name. Example: name("SSL inspection rule example").
desc | A description of the rule. Example: desc("SSL inspection rule example configured in CLI").
ssl_forward_profile | SSL forwarding profile. Required if you configure an SSL inspection rule with the "Decrypt and forward" action. Format: ssl_forward_profile("SSL forward profile example").
ssl_profile | SSL profile. Example: ssl_profile("Default SSL profile"). For more details about working with SSL profiles using the CLI, see Configuring SSL Profiles.
rule_log | Log traffic information if the rule is triggered. The available options are:
block_invalid_cert | Block access to servers that present an invalid HTTPS certificate, for example, one that is revoked, expired, issued to another domain name, or issued by an untrusted CA. Available for rules with the Decrypt action:
check_revoc_cert | Check whether the site certificate appears in the certificate revocation list (CRL) and, if so, block access. Available for rules with the Decrypt action:
block_expired_cert | Block expired certificates. Available for rules with the Decrypt action:
block_self_signed_cert | Block self-signed certificates. Available for rules with the Decrypt action:
user | Users and user groups (local or LDAP) to which the SSL inspection rule applies. To add LDAP groups and users, you need a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors). The following line adds a local user (local_user), a local group (Local Group), an LDAP user (example.loc\AD_user), and an LDAP group (AD group): user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC= example, DC=loc"). The Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server from which the system starts searching for users and groups.
src.zone | Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see Zones.
src.ip | Add source IP address or domain lists. Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. Example for domains: src.ip = lib.url(). Specify the URL list to which the necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.
src.geoip | Source GeoIP. Specify a country code (for example, src.geoip = AE). See the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.
dst.ip | Add lists of destination IP addresses or domains. To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. To specify a domain list: dst.ip = lib.url(). Specify the URL list to which the necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.
dst.geoip | Destination GeoIP. Specify a country code (for example, dst.geoip = AE). See the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.
service | Service type: HTTPS, SMTPS, or POP3S. To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).
category | Lists of categories and URL filtering categories to which the rule applies. You need the appropriate license for URL filtering. To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses. For more details about how to create and configure URL category lists using the CLI, see Configuring URL categories. To specify a URL category: category = "URL category name".
url | Lists of domain names to which the SSL inspection rule applies. You create domain-name lists just like URL lists, except that only domain names such as www.example.com can be used for HTTPS inspection, not URLs such as http://www.example.com/home/. To specify a domain list: url = lib.url(). Specify a URL list name in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.
time | Set a schedule for a rule. To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets.