Using an SSL profile, you can specify SSL protocols or individual encryption and digital signature algorithms that can later be used in SSL inspection rules as well as web console, auth page, block page, and web portal settings.
To create an SSL profile, go to the Libraries --> SSL profiles section, click Add, and provide the desired settings:
Name |
Description |
---|---|
Name |
The name of the SSL profile. |
Description |
A description of the SSL profile. |
SSL protocols |
Min TLS version: sets the minimum TLS version that can be used with this profile. Max TLS version: sets the maximum TLS version that can be used with this profile. These two settings determine the TLS version range that will be supported by this profile. |
Ciphers suites |
In this section, you can choose the desired encryption and digital signature algorithms. The enumerated options are presented as strings listing the specific algorithm pairs. The administrator may choose to select only those algorithm pairs that they deem necessary for the secure operation of the organization. The supported combinations are:
|
Set encryption algorithms for standard protocols |
You can use this section to facilitate the selection of encryption and digital signature algorithms for standard TLS protocols. The administrator can specify the desired TLS protocol version in the Select protocol and set ciphers set field and click Apply, after which the algorithms that match the selected protocol versions will be automatically selected. You can repeat the process to add multiple TLS protocol versions. |
There are several default SSL profiles in the product that can be used by the administrator as is or edited/deleted if necessary. The following predefined SSL profiles exist:
Name |
Description |
---|---|
Default SSL profile |
Contains encryption and digital signature algorithms supported by TLS v1.1 to TLS v1.2. These are the most common protocol versions currently used in the Internet. This profile is used by default for:
|
Default SSL profile (TLSv1.3) |
Contains encryption and digital signature algorithms supported by TLS v1.3. Not used by default. |
Default SSL profile (GOST) |
Contains encryption and digital signature algorithms supported by TLS with GOST algorithms (TLS GOST2012256 with 28147 CNT IMIT and TLS GOSTR341001 with 28147 CNT IMIT). Can be used in organizations that require these algorithms, e.g., for the web portal. The browsers used must also support these protocols. Not used by default. |
Default SSL profile (web console) |
Contains encryption and digital signature algorithms supported by TLS v1.0 to TLS v1.2. This profile is used by default to provide SSL access to the web console. Important! Use caution when editing this profile. Specifying algorithms not supported by your browser can cause loss of access to the web console! |