Create TLS Profile elements

TLS Profile elements define the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic.

You can use TLS Profile elements for the following purposes:

  • Enabling TLS-protected audit or log data forwarding to an external syslog server
  • Enabling TLS encryption for LDAP connections between the NGFW Engine and external LDAP or Active Directory servers
  • Defining the TLS settings for HTTPS connections for browser-based user authentication
  • Defining the trusted certificate authority for client certificate authentication for browser-based user authentication
  • Authenticating connections between the NGFW Engine and the server on which Forcepoint User ID Service has been installed

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Browse to Certificates > Other Elements > TLS Profiles.
  3. Right-click TLS Profiles, then select New TLS Profile.
  4. In the Name field, enter a unique name for the TLS Profile.
  5. Click Select next to the TLS Cryptography Suite Set field, then select a TLS Cryptography Suite Set element.
  6. Select the trusted Certificate Authorities.
    • Select Trust Any to accept a certificate signed by any valid certificate authority.
    • Select Trust Selected, then click Add to limit trust to the Certificate Authorities you list. This is the stricter option: a certificate signed by any other authority is rejected.
  7. Configure the other settings as needed.
  8. Click OK.

TLS Profile Properties dialog box

Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.

Option Definition

Name
  The name of the element.

TLS Cryptography Suite Set
  The cryptographic suite set used for TLS connections.

Trusted Certificate Authorities
  Specifies which certificate authorities to trust.
    • Trust Any: a certificate signed by any valid certificate authority is accepted.
    • Trust Selected: only certificates signed by the listed certificate authorities are accepted.
  Click Add to add an element to the list, or Remove to remove the selected element.

Version
  The TLS version used.

Use Only Subject Alt Name (Optional)
  Matches the certificate against its Subject Alternative Name (SAN) entries only; the subject Common Name is not used for matching.

Accept Wildcard Certificate (Optional)
  Allows wildcards (for example, a certificate issued for *.example.com) in certificate name matching.

Check Revocation (Optional)
  Checks certificate revocation lists (CRLs) to verify that the certificate has not been revoked. The certificate must be signed by a valid certificate authority.

Delay CRL Fetching For (Optional, NGFW Engine only)
  The interval at which the NGFW Engine fetches the CRL. If the CRL expires sooner than the specified interval, the CRL expiration time determines when the CRL is fetched next.
  This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore OCSP Failures For (Optional, NGFW Engine only)
  The number of hours for which the NGFW Engine ignores OCSP failures.
  This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore Revocation Check Failures if There Are Connectivity Problems (Optional, NGFW Engine only)
  When selected, the NGFW Engine ignores all CRL check failures if connectivity problems are detected. Note that a certificate revoked during such an outage is still accepted until connectivity is restored and the CRL can be fetched again.
  This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Category (Optional)
  Includes the element in predefined categories. Click Select to select a category.

Comment (Optional)
  A comment for your own reference.
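As an added example that is not part of this page and not Forcepoint code, the following Python script models what the options chosen in the steps above and described in the TLS Profile Properties dialog box mean in practice. host_allowed() applies the "Use Only Subject Alt Name" and "Accept Wildcard Certificate" switches to a certificate in the dict layout that ssl.SSLSocket.getpeercert() returns, and build_context() maps Version, the cipher set, the Trust Any / Trust Selected choice and "Check Revocation" onto a standard-library ssl.SSLContext. The TlsProfile class and its field names, the sample certificate, and the rule that the subject Common Name is consulted only when "Use Only Subject Alt Name" is off are assumptions made for illustration, not documented NGFW Engine behaviour.

```python
"""Added example: a model of the TLS Profile options, not Forcepoint code.

host_allowed() applies "Use Only Subject Alt Name" and "Accept Wildcard
Certificate" to a getpeercert()-style dict; build_context() maps Version,
the cipher set, the trusted CAs and "Check Revocation" onto ssl.SSLContext.
"""
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TlsProfile:
    """Hypothetical profile: field names are assumptions, not SMC attribute names."""
    name: str
    cipher_suites: str               # OpenSSL cipher string standing in for the TLS Cryptography Suite Set
    min_version: ssl.TLSVersion      # the "Version" option
    ca_file: Optional[str] = None    # Trust Selected: CA bundle path; None models Trust Any via the platform store
    use_only_san: bool = False
    accept_wildcard: bool = False
    check_revocation: bool = False


# Constructed sample in getpeercert() layout: a wildcard SAN, a second SAN, and a
# legacy CN that only matters when "Use Only Subject Alt Name" is off.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "api.example.net")),
}

STRICT_PROFILE = TlsProfile("strict", "ECDHE+AESGCM", ssl.TLSVersion.TLSv1_2,
                            use_only_san=True, accept_wildcard=False, check_revocation=True)
LENIENT_PROFILE = TlsProfile("lenient", "ECDHE+AESGCM", ssl.TLSVersion.TLSv1_2,
                             use_only_san=False, accept_wildcard=True, check_revocation=False)


def _candidate_names(cert: dict, use_only_san: bool) -> List[str]:
    """Names the certificate is valid for. SAN dNSName entries always count; the
    subject CN is added only when the profile allows it (assumed fallback rule)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not use_only_san:
        for rdn in cert.get("subject", ()):
            names.extend(value for (attr, value) in rdn if attr == "commonName")
    return [n.lower().rstrip(".") for n in names]


def _name_matches(pattern: str, host: str, accept_wildcard: bool) -> bool:
    """Exact match, or a wildcard in the leftmost label covering exactly one label
    (the RFC 6125 section 6.4.3 rules) when the profile accepts wildcards."""
    if pattern == host:
        return True
    if not accept_wildcard or not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]               # the part the '*' stands for
    return bool(label) and "." not in label    # never empty, never spans a dot


def host_allowed(profile: TlsProfile, cert: dict, host: str) -> bool:
    """Does cert satisfy the profile's name-matching policy for host?"""
    host = host.lower().rstrip(".")
    return any(_name_matches(p, host, profile.accept_wildcard)
               for p in _candidate_names(cert, profile.use_only_san))


def build_context(profile: TlsProfile) -> ssl.SSLContext:
    """Client-side SSLContext reflecting the profile's version, ciphers, trust and CRL settings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = profile.min_version
    ctx.set_ciphers(profile.cipher_suites)
    if profile.ca_file:                              # Trust Selected: only this bundle is trusted
        ctx.load_verify_locations(cafile=profile.ca_file)
    else:                                            # Trust Any: whatever the platform store trusts
        ctx.load_default_certs()
    if profile.check_revocation:                     # Check Revocation: the leaf must pass a CRL lookup
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def crl_check_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will consult a CRL for the peer's leaf certificate."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


if __name__ == "__main__":
    for profile in (STRICT_PROFILE, LENIENT_PROFILE):
        for host in ("api.example.net", "www.example.com", "legacy.example.com", "a.b.example.com"):
            print(f"{profile.name}: {host} -> {host_allowed(profile, SAMPLE_CERT, host)}")
        ctx = build_context(profile)
        print(f"{profile.name}: min version {ctx.minimum_version.name}, CRL check {crl_check_enabled(ctx)}")
```

Two points the script makes visible. First, Python's built-in hostname check behaves like "Use Only Subject Alt Name" on and "Accept Wildcard Certificate" on, so host_allowed() is the only place where the other combinations (CN fallback, wildcards refused) can be seen. Second, once VERIFY_CRL_CHECK_LEAF is set, OpenSSL fails the handshake unless a CRL for the issuer has been loaded with load_verify_locations(); that hard-fail behaviour is the opposite of what "Ignore Revocation Check Failures if There Are Connectivity Problems" selects, and it is the reason the page's delay and ignore timers exist at all.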