Configuring SSL Inspection

You configure SSL inspection rules at the security-policy ssl-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create an SSL inspection rule, use the following command:

Admin@nodename# create security-policy ssl-inspection <position> upl-rule

SSL inspection rule parameters (each parameter name is followed by its description):

OK / PASS

SSL inspection rule action:

  • OK: decrypt

  • PASS: bypass

  • OK ... forward: decrypt and forward. Specify forward in the rule properties. If you configure a rule with the "Decrypt and forward" action, specify the SSL forwarding profile. For more details on how to create and configure forward profiles using the CLI, see Configuring SSL Forward Profiles.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

SSL inspection rule name.

Example: name("SSL inspection rule example").

desc

A description of the rule.

Example: desc("SSL inspection rule example configured in CLI").

ssl_forward_profile

SSL forwarding profile. Required if you configure an SSL inspection rule property with the "Decrypt and forward" action. Use the following format: ssl_forward_profile("SSL forward profile example").

ssl_profile

SSL profile. Use the following format: ssl_profile("Default SSL profile").

For more details about working with SSL profiles using the CLI, see Configuring SSL Profiles.

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

block_invalid_cert

Block access to servers that present an invalid HTTPS certificate, for example, a certificate that is revoked, expired, issued to another domain name, or issued by an untrusted CA. Available for rules with the Decrypt action:

  • block_invalid_cert(yes) or block_invalid_cert(true): enable blocking

  • block_invalid_cert(no) or block_invalid_cert(false): disable blocking.

check_revoc_cert

Check whether the site certificate appears in the certificate revocation list (CRL) and, if so, block access. Available for rules with the Decrypt action:

  • check_revoc_cert(yes) or check_revoc_cert(true): enable certificate checking

  • check_revoc_cert(no) or check_revoc_cert(false): disable certificate checking.

block_expired_cert

Block expired certificates. Available for rules with the Decrypt action:

  • block_expired_cert(yes) or block_expired_cert(true): enable blocking of expired certificates

  • block_expired_cert(no) or block_expired_cert(false): disable blocking of expired certificates.

block_self_signed_cert

Block self-signed certificates. Available for rules with the Decrypt action:

  • block_self_signed_cert(yes) or block_self_signed_cert(true): enable blocking of self-signed certificates

  • block_self_signed_cert(no) or block_self_signed_cert(false): disable blocking of self-signed certificates.

user

Users and user groups for which the SSL inspection rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Country codes follow the ISO 3166-1 list.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Country codes follow the ISO 3166-1 list.

service

Service type: HTTPS, SMTPS, or POP3S.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

category

Lists of categories and URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL category lists using the CLI, see Configuring URL Categories.

To specify a URL category: category = "URL category name".

url

Lists of domain names for which the SSL inspection rule is applied. You create domain names just like URL lists except that only domain names like www.example.com can be used for HTTPS inspection, not http://www.example.com/home/.

To specify a domain list: url = lib.url(). Specify a URL list name in parentheses.

For more details about how to create and configure URL lists using the CLI, see Configuring URL Lists.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses.

For more details on configuring time sets, see Configuring time sets.

To edit an SSL inspection rule, use the following command:

Admin@nodename# set security-policy ssl-inspection <position> upl-rule

To view parameters for all SSL inspection rules that were created, use the following command:

Admin@nodename# show security-policy ssl-inspection

To view parameters for a specific SSL inspection rule, use the following command:

Admin@nodename# show security-policy ssl-inspection <position>

Example of creating an SSL inspection rule:

Admin@nodename# create security-policy ssl-inspection 1 upl-rule OK \
...user = unknown \
...ssl_profile("Default SSL profile") \
...rule_log(yes) \
...name("Decrypt all test rule") \
...desc("Description for decrypt all rest rule") \
...enabled(true)
...
Admin@nodename# show security-policy ssl-inspection 1
% ----------------- 1 -----------------
OK \
user = unknown \
desc("Description for decrypt all rest rule") \
rule_log(yes) \
ssl_profile("Default SSL profile") \
enabled(true) \
id("134b7274-01ee-47db-9fc1-a2f06b340b94") \
name("Decrypt all test rule")
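The example above creates a single decrypt-all rule. As an added example, not taken from the product documentation, the following session composes the parameters from the table into a small three-rule policy: a PASS rule for a URL category list, a decrypt rule with every certificate check enabled, and a decrypt-and-forward rule. The list name "Bypass category list", the rule names and descriptions, and the user "testd.local\\user1" are assumed placeholders; the exact spelling of the forward property is also an assumption, since the table describes the action only as "OK ... forward".

```text
Admin@nodename# create security-policy ssl-inspection 1 upl-rule PASS \
...src.zone = Trusted \
...category = lib.category("Bypass category list") \
...rule_log(yes) \
...name("Bypass sensitive categories") \
...desc("Position 1: listed ahead of the decrypt rule; assumed category list name") \
...enabled(true)
...
Admin@nodename# create security-policy ssl-inspection 2 upl-rule OK \
...src.zone = Trusted \
...service = "HTTPS" \
...ssl_profile("Default SSL profile") \
...block_invalid_cert(yes) \
...check_revoc_cert(yes) \
...block_expired_cert(yes) \
...block_self_signed_cert(yes) \
...rule_log(yes) \
...name("Decrypt Trusted HTTPS") \
...desc("Decrypt with strict server certificate validation") \
...enabled(true)
...
Admin@nodename# create security-policy ssl-inspection 3 upl-rule OK \
...forward \
...user = "testd.local\\user1" \
...ssl_profile("Default SSL profile") \
...ssl_forward_profile("SSL forward profile example") \
...rule_log(yes) \
...name("Decrypt and forward for user1") \
...desc("Assumed syntax for the forward property; forward profile required") \
...enabled(true)
...
Admin@nodename# show security-policy ssl-inspection
```

The four certificate-check parameters are set only on the OK rule, because the table states they apply to rules with the Decrypt action; they are omitted from the PASS rule. The bypass rule is created at position 1 so that it is listed ahead of the broader decrypt rule, and rule_log(yes) is set on all three so that both bypassed and decrypted sessions appear in the logs. The closing show command lists all three rules for review.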

To remove an SSL inspection rule, use the following command:

Admin@nodename# delete security-policy ssl-inspection <position>