You configure SSL inspection rules at the security-policy ssl-inspection level. For more details on the command structure, see Configuring Rules Using UPL.
To create a SSL inspection rule, use the following command:
Admin@nodename# create security-policy ssl-inspection <position> upl-rule
SSL inspection rule parameters:
Parameter |
Description |
---|---|
OK PASS |
SSL inspection rule action:
|
enabled |
Enable/disable a rule:
|
name |
SSL inspection rule name. Example: name("SSL inspection rule example"). |
desc |
A description of the rule. Example: desc("SSL inspection rule example configured in CLI"). |
ssl_forward_profile |
SSL forwarding profile. Required if you configure an SSL inspection rule property with the "Decrypt and forward" action. Use the following format: ssl_forward_profile("SSL forward profile example"). |
ssl_profile |
SSL profile; use the following: ssl_profile("Default SSL profile"). For more details about working with SSL profiles using the CLI, see Configuring SSL Profiles. |
rule_log |
Log traffic information if the rule is triggered. The available options are:
|
block_invalid_cert |
Block access to servers that provide an incorrect HTTPS certificate, for example, if the certificate is revoked, expired, issued to another domain name, or by an untrusted CA. Available for rules with the Decrypt action:
|
check_revoc_cert |
Check if the site certificate is found in the revoked certificate list (CRL) and if yes, block the access. Available for rules with the Decrypt action:
|
block_expired_cert |
Block expired certificates. Available for rules with the Decrypt action:
|
block_self_signed_cert |
Block self signed certificates. Available for rules with the Decrypt action:
|
user |
Users and user groups for which the SSL inspection rule applies (local or LDAP). To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section). Examples of adding users to a rule: user = known user = "user" user = "testd.local\\user1" user = ("user", "testd.local\\user1") |
src.zone |
Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about how to configure zones using CLI, see the Zones section. |
src.ip |
Add source IP address or domain lists. To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. |
src.geoip |
Source GeoIP. Specify a country code (for example, src.geoip = AE). Click here for the list of ISO 3166-1 country codes. |
dst.ip |
Add lists of destination IP addresses or domains. To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. |
dst.geoip |
To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE). Click here for the list of ISO 3166-1 country codes. |
service |
Service type: HTTPS, SMTPS, or POP3S. To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). |
category |
Lists of categories and URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering. To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses. For more details about how to create and configure URL category lists using the CLI, see Configuring URL Categories. To specify a URL category: category = "URL category name". |
url |
Lists of domain names for which the SSL inspection rule is applied. You create domain names just like URL lists except that only domain names like www.example.com can be used for HTTPS inspection, not http://www.example.com/home/. To specify a domain list: url = lib.url(). Specify a URL list name in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL Lists. |
time |
Set a schedule for a rule. To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets. |
To edit an SSL inspection rule, use the following command:
Admin@nodename# set security-policy ssl-inspection <position> upl-rule
To view parameters for all SSL inspection rules that were created, use the following command:
Admin@nodename# show security-policy ssl-inspection
To view parameters for a specific SSL inspection rule, use the following command:
Admin@nodename# show security-policy ssl-inspection <position>
Example of creating a SSL inspection rule:
Admin@nodename# create security-policy ssl-inspection 1 upl-rule OK \ ...user = unknown \ ...ssl_profile("Default SSL profile") \ ...rule_log(yes) \ ...name("Decrypt all test rule") \ ...desc("Description for decrypt all rest rule") \ ...enabled(true) ... Admin@nodename# show security-policy ssl-inspection 1 % ----------------- 1 ----------------- OK \ user = unknown \ desc("Description for decrypt all rest rule") \ rule_log(yes) \ ssl_profile("Default SSL profile") \ enabled(true) \ id("134b7274-01ee-47db-9fc1-a2f06b340b94") \ name("Decrypt all test rule")
To remove a SSL inspection rule, use the following command:
Admin@nodename# delete security-policy ssl-inspection <position>