Enable TLS protection for log or audit data forwarding
You can optionally enable TLS protection for log or audit data forwarding to an external syslog server.
Before you begin
Because there is a connection to an external system, public key infrastructure (PKI) integration, including certificate revocation list (CRL) checking, must already be configured.
You can optionally configure TLS server identity to verify the identity of the syslog server to which log data is forwarded from the Management Server or the Log Server.
For more details about the product and how to configure features, click Help or press F1.
Steps
TLS Profile Properties dialog box
Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.
Option | Definition |
---|---|
Name | The name of the element. |
TLS Cryptography Suite Set | The cryptographic suite for TLS connections. |
Trusted Certificate Authorities |
Specifies which certificate authorities to trust.
Click Add to add an element to the list, or Remove to remove the selected element. |
Version | The TLS version used. |
Use Only Subject Alt Name
(Optional) |
Uses only Subject Alternative Name (SAN) certificate matching. |
Accept Wildcard Certificate
(Optional) |
Allows the use of wildcards in certificate matching. |
Check Revocation
(Optional) |
Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority. |
Delay CRL Fetching For (Optional, NGFW Engine only) |
The time interval for the NGFW Engine to fetch the CRL. If the CRL expires
sooner than the specified interval, the CRL expiration value defines the interval for fetching the CRL. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
Ignore OCSP Failures For (Optional, NGFW Engine only) |
The number of hours for which the NGFW Engine ignores OCSP
failures. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
Ignore Revocation Check Failures if There Are Connectivity Problems (Optional, NGFW Engine only) |
When selected, the NGFW Engine ignores all CRL check
failures if connectivity problems are detected. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Comment (Optional) |
A comment for your own reference. |
TLS Server Identity dialog box
Use this dialog box to define the identity of a TLS server for TLS-protected audit or log data forwarding to an external syslog server, or the identity of an external LDAP or Active Directory server.
Option | Definition |
---|---|
TLS Server Identity Field |
Select the server identity type field to be used.
|
Fetch From Certificate | Opens the Import Certificate dialog box for fetching the value of the server identity field from a
certificate. Note: You can fetch the value of the server identity field from a certificate only if the server identity
field is Distinguished Name, SHA-1, SHA-256,
SHA-512, or MD5.
|
Server Identity Value | Specifies the value for the selected field type. |
Import Certificate dialog box
Use this dialog box to import an externally signed certificate.
Option | Definition |
---|---|
From File | Allows you to import a certificate from a file on your computer. |
Browse | Allows you to select the file to import. |
As Text | Allows you to paste the contents of the certificate as text in the text field. |