Example: client protection in TLS inspection
The administrators also want to detect and block -based attacks targeting the browsers of users in Company A’s network to protect the workstations and internal networks.
In addition to searching for attacks, the administrators also want to enable malware scanning. However, the employees at Company A often use online banking services that are secured with HTTPS, and these connections should not be inspected. The administrators decide to configure TLS Inspection to detect and block attacks that are encrypted inside an SSL tunnel and use a TLS Match element to globally exclude the online banking domains from decryption and inspection.
The administrators do the following:
- Create a Client Protection Certificate Authority element and generate a new certificate and private key. In their network environment, the administrators add the certificate of the Client Protection Certificate Authority element to the list of trusted certificate authorities in the users’ browsers.
- Enable TLS inspection and select the Client Protection Certificate Authority element in the Engine Editor.
- Create a TLS Match element that prevents decryption of connections to the online banking domains when certificate validation succeeds. Because the TLS Match is applied globally, the administrators do not have to reference it in any specific rules.
- Create Access rules with the default HTTPS (with decryption) Service as the Service.
- On Firewalls, use the Inspection rules from the Medium-Security Inspection Policy to look for attacks in HTTP traffic and check the HTTP traffic against the anti-malware signatures. On IPS engines, use the Inspection rules from the IPS Template to look for attacks in HTTP traffic.
- Save and install the policy.
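The decision the global TLS Match makes per connection can be modelled in a few lines. The following is an added example, not vendor code from the NGFW or its Management Client: it assumes a constructed exclusion list of banking domains and a simple `*.` suffix syntax for wildcard entries, and it bypasses decryption only when the name is excluded and the server certificate validated, so that an excluded name presented with a certificate that fails validation is still decrypted and inspected.

```python
"""Per-connection decryption decision for a TLS inspection exclusion list.

Added example (not vendor code). Models the rule described above: a TLS Match
for the online banking domains prevents decryption only when the server
certificate validates; otherwise the connection is decrypted and inspected.
"""

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DECRYPT = "decrypt"         # re-sign with the Client Protection CA and inspect
    BYPASS = "no-decryption"    # pass the encrypted connection through unchanged


@dataclass(frozen=True)
class TlsConnection:
    server_name: str      # SNI / certificate subject name seen by the engine
    cert_validated: bool  # result of the engine's server certificate validation


# Constructed exclusion list (hypothetical domains). An entry starting with
# "*." matches any name with at least one label below the suffix; a bare name
# matches exactly.
BANKING_EXCLUSIONS = (
    "bank.example",
    "*.bank.example",
    "onlinebanking.example",
)


def name_matches(server_name: str, pattern: str) -> bool:
    """Case-insensitive match of a server name against one exclusion entry."""
    host = server_name.lower().rstrip(".")  # tolerate a trailing root dot
    pat = pattern.lower()
    if pat.startswith("*."):
        suffix = pat[1:]  # ".bank.example": the dot keeps "evilbank.example" out
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pat


def decide(conn: TlsConnection, exclusions=BANKING_EXCLUSIONS) -> Action:
    """Return BYPASS only for an excluded name whose certificate validated."""
    excluded = any(name_matches(conn.server_name, p) for p in exclusions)
    if excluded and conn.cert_validated:
        return Action.BYPASS
    # Not excluded, or excluded but the certificate chain did not validate:
    # the connection stays under decryption and inspection.
    return Action.DECRYPT


def decide_many(conns):
    """Evaluate a batch of connections; returns (name, validated, action)."""
    return [(c.server_name, c.cert_validated, decide(c)) for c in conns]


if __name__ == "__main__":
    # Constructed sample connections.
    sample = [
        TlsConnection("www.bank.example", True),
        TlsConnection("www.bank.example", False),
        TlsConnection("evilbank.example", True),
        TlsConnection("mail.example", True),
    ]
    for name, valid, action in decide_many(sample):
        print(f"{name:<20} cert_validated={valid!s:<5} -> {action.value}")
```

The certificate validation check is what keeps the exclusion from becoming a blind spot: a name on the list earns a bypass only when the chain validates, so any other connection claiming that name is still decrypted and matched against the inspection rules.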