Activate TLS inspection on NGFW Engines

Depending on the elements you select in the engine properties, you can activate client protection alone, server protection alone, or client and server protection together.

CAUTION:

Uploading TLS Credentials or a Client Protection Certificate Authority elements to the engine might enable decryption of TLS traffic that is not excluded from TLS inspection. The following configurations might enable decryption of TLS traffic:

  • Adding a Network Application that allows or requires the use of TLS to an Access rule
  • Selecting the Enforced option for Log Application Information in the Access rules
  • Enabling Deep Inspection in an Access rule if the Service cell contains a Network Application or a Service that does not include a Protocol Agent

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Click NGFW Engines.
  3. Right-click an engine element, then select Edit <element type>.
  4. From the navigation pane on the left, select Add-Ons > TLS Inspection.
  5. (For client protection) From the Client Protection Certificate Authority drop-down list, select a Client Protection Certificate Authority element.
    • To select an existing element, click Select and select the element.
    • To create an element, click New.
  6. (For server protection) Click Add, then select one or more TLS Credentials elements and click Select.
  7. Click Save and Refresh to transfer the configuration changes and upload the certificates.

Engine Editor > Add-Ons > TLS Inspection

Use this branch to activate TLS inspection. You can configure TLS inspection for client or server protection.

Option Definition
Client Protection Certificate Authority Select the Client Protection Certificate Authority element to use for client protection.
TLS Credentials Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element.
Check Certificate Revocation When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked.
Decrypt All Traffic When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements.
Cryptography Suite Set Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic. Click Select to select an element.