TLS inspection configuration overview

To use TLS inspection, you must configure TLS Credentials elements and Client Protection Certificate Authority elements. You must also activate client protection or server protection in the engine properties and enable TLS inspection in the Access rules.

Figure: Elements in the configuration

The TLS Credentials and the Client Protection Certificate Authority elements are specified in the properties of the engine that provides TLS inspection. The engine uses the private key and certificate stored in the TLS Credentials to decrypt traffic to and from TLS servers in the protected network for inspection.

The Client Protection Certificate Authority element contains a private key and a certificate. The engine uses the private key stored in the Client Protection Certificate Authority element to sign the certificates presented to the end user, and the certificate to negotiate encrypted connections with TLS servers.
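
The client protection mechanism described above, as an added example that is not part of the product documentation: using Go's standard crypto/x509, it constructs a Client Protection CA and a self-signed origin server certificate, re-signs the origin's identity under the CA the way the engine does for the certificate shown to the end user, and checks that only an endpoint that trusts that CA accepts the result. The CA name, the host name www.example.com and all keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with key (self-signed when parent == tmpl); panics on error.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// Resign models client protection: the engine mints a leaf that keeps the upstream
// certificate's identity (subject, SANs, validity) but is signed by the CA's private key.
func Resign(upstream, ca *x509.Certificate, caKey *ecdsa.PrivateKey, leafPub any) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: upstream.Subject, DNSNames: upstream.DNSNames,
		NotBefore: upstream.NotBefore, NotAfter: upstream.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, leafPub, caKey)
}

// Simulate builds a constructed Client Protection CA and origin certificate, re-signs the origin,
// and reports whether the result verifies for an endpoint that trusts the CA and for one that does not.
func Simulate() (trustsCA, noCA bool) {
	now, host := time.Now(), "www.example.com" // constructed host name
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // Client Protection CA private key
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // origin server key
	engKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // engine's key for the presented leaf
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Client Protection CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(7), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	presented := Resign(sign(srvTmpl, srvTmpl, &srvKey.PublicKey, srvKey), ca, caKey, &engKey.PublicKey)
	verify := func(roots *x509.CertPool) bool { // a client that trusts exactly roots (empty pool = trusts nothing)
		_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return verify(pool), verify(x509.NewCertPool())
}
```

Endpoints that do not have the Client Protection CA certificate in their trust store see the presented certificate as untrusted, which is why distributing that CA certificate goes with enabling client protection.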

TLS Match elements define matching criteria for the use of the TLS protocol in traffic, and allow you to prevent specified traffic from being decrypted. TLS Matches that deny decrypting are applied globally, even if the TLS Match elements are not used in the policy.

The HTTPS Inspection Exceptions element is a list of domains that are excluded from decryption and inspection. The HTTPS Inspection Exceptions can be specified in the Protocol Parameters of a custom HTTPS Service, which is used in the Access rules to select HTTPS traffic for inspection.

The Access rules define which traffic is decrypted and inspected. You can select specific traffic for decryption and inspection, or you can enable the decryption and inspection of all TLS traffic.

When a certificate for client or server protection has been uploaded to the engine, it is possible to unintentionally enable TLS decryption for all traffic in one of the following ways:
  • Adding a Network Application that allows or requires the use of TLS to an Access rule
  • Enabling the logging of Application information in the Access rules
  • Enabling Deep Inspection in an Access rule with the Service cell of the rule set to ANY

TLS inspection configuration overview:
  1. To configure server protection, create TLS Credentials elements.
  2. To configure client protection, create Client Protection Certificate Authority elements.
  3. (Optional) Define custom Trusted Certificate Authority elements in addition to the default system elements.
  4. (Optional) To exclude certain domains from decryption and inspection, define a TLS Match element or an HTTPS Inspection Exceptions element.
  5. Activate client protection or server protection in the properties of the engine and enable TLS inspection in the Access rules.