Create TLS Match elements for network application detection

TLS Match elements define matching criteria for the use of the TLS (transport layer security) protocol in traffic.

In addition to the predefined TLS Match elements used in predefined Network Application elements, you can optionally define your own TLS Match elements.

TLS Match elements can match traffic based on the following criteria:
  • Whether certificate validation succeeded, failed, or was not performed.
  • The server domain name in a valid certificate.
  • Specific reasons a certificate is regarded as invalid if certificate validation failed.
  • The domain name in the Server Name Indication (SNI) field of the TLS Client Hello packet.

TLS Match elements also specify whether to decrypt TLS traffic to particular Internet domains for inspection. TLS Match elements that deny decryption are applied globally. Even if the TLS Match element is not used in the properties of any Network Application elements or in the Access rules, matching connections are never decrypted. Denying decryption in a TLS Match prevents network applications from being detected in encrypted connections to the specified domains. If the server certificate provides sufficient information to identify the network application without decrypting the client communications, you can alternatively specify that decryption is not necessary for network application identification in the Network Application properties.

A Network Application element matches a TLS connection only if a TLS Match element in the Network Application also matches. However, TLS Match elements used in Service Definitions override the TLS Match of a Network Application. In this case, the rule matches when the TLS Match elements specified in the rule match.
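To make the matching rules above concrete, the following added example models them in Python. It is illustrative code written for this page, not the product's own implementation: it extracts the SNI host name from a TLS ClientHello record (the field the criteria list refers to), then evaluates a TLS Match element in each of the three Match Certificate Validation modes and applies the global Deny Decrypting effect. The `TLSMatch` and `Observed` classes, the rule that an empty failure-type selection matches any failed validation, and the comparison of the domain list against both the certificate name and the SNI are assumptions of this model; the sample ClientHello is constructed in the block.

```python
"""Illustrative model of TLS Match evaluation (added example, not product code):
SNI extraction from a ClientHello plus the Match Certificate Validation logic."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field
from enum import Enum


class Validation(Enum):
    SUCCEEDED = "Validation succeeded"
    FAILED = "Validation failed"
    NONE = "No validation"


@dataclass
class TLSMatch:
    name: str
    validation: Validation
    matching_domains: set = field(default_factory=set)  # FQDNs, Validation succeeded only
    failure_types: set = field(default_factory=set)     # Validation failed; empty = any type
    deny_decrypting: bool = False


@dataclass
class Observed:
    """Hypothetical view of what an engine sees for one TLS connection."""
    sni: str | None
    cert_domain: str | None        # server name from the presented certificate
    validation: Validation         # result of the engine's certificate validation
    failure_reasons: set = field(default_factory=set)  # e.g. {"expired", "self-signed"}


def _norm(name: str | None) -> str | None:
    return name.rstrip(".").lower() if name else None


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from the SNI extension of a ClientHello, or None
    for anything that is not a well-formed ClientHello carrying one."""
    try:
        if record[0] != 0x16:                       # record type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                            # header, version, random
        pos += 1 + hs[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:                     # server_name extension
                continue
            lpos = 2                                # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:                      # host_name
                    return data[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                 # truncated or malformed input


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (sample data)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def tls_match_matches(m: TLSMatch, obs: Observed) -> bool:
    """Apply the three Match Certificate Validation modes described on the page."""
    if m.validation is Validation.NONE:
        return True                                 # validity not checked: any certificate
    if obs.validation is not m.validation:
        return False
    if m.validation is Validation.SUCCEEDED:
        # Assumption: listed FQDNs are compared with the certificate name and the SNI.
        seen = {_norm(obs.cert_domain), _norm(obs.sni)} - {None}
        return bool(seen & {_norm(d) for d in m.matching_domains})
    # Validation failed: no types selected means any failure matches.
    return not m.failure_types or bool(m.failure_types & obs.failure_reasons)


def decryption_allowed(elements: list[TLSMatch], obs: Observed) -> bool:
    """Deny Decrypting is global: a matching deny element blocks decryption even if
    no Network Application or Access rule references it."""
    return not any(m.deny_decrypting and tls_match_matches(m, obs) for m in elements)


if __name__ == "__main__":
    hello = build_client_hello("online.example.com")   # constructed sample
    print(extract_sni(hello))
```

The parser returns `None` rather than raising on truncated or non-handshake records, which is the behaviour a matching engine needs when it sees arbitrary traffic on a TLS port; `decryption_allowed` is evaluated over every defined TLS Match element, not only those referenced elsewhere, to mirror the global effect of Deny Decrypting described above.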

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Expand the Other Elements branch.
  3. Right-click TLS Matches, then select New TLS Match.
  4. In the Name field, enter a unique name.
  5. (Optional) Select Deny Decrypting to prevent connections from being decrypted for inspection.
    Note: Selecting this option prevents the network application where the TLS Match is used from being identified if the traffic is encrypted. If you want to specify that decryption is not necessary for identifying the network application, use the Application Identifiable by TLS Match Alone option in the Network Application properties instead.
  6. To define whether the server certificate validity is checked and what to match, select an option from the Match Certificate Validation drop-down list.
  7. Configure the additional settings depending on the option that you selected from the Match Certificate Validation drop-down list:
    • Validation Succeeded — Click Add, then enter the fully qualified domain name to match in the server certificate.
    • Validation Failed — (Optional) Select the specific types of invalid certificates to match.
    • No Validation — There are no additional settings to configure.
  8. Click OK.

TLS Match Properties dialog box

Use this dialog box to define the properties of TLS Match elements.

Option — Definition

Name — Specifies a unique name for the element.
Comment — An optional comment for your reference.
Supported Engine Versions — Specifies the supported engine versions for the TLS Match element.
Deny Decrypting — When selected, prevents connections from being decrypted for inspection.
  Note: Selecting Deny Decrypting prevents the Network Application element where the TLS Match is used from being identified if the traffic is encrypted. To specify that decryption is not necessary for identifying the network application, use the Application Identifiable by TLS Match Alone option in the Network Application properties instead.
Match Certificate Validation — Defines whether the server certificate validity is checked, and what to match.
  • Validation succeeded — Checks the server certificate validity and matches server certificates that are valid.
  • Validation failed — Checks the server certificate validity and matches server certificates that are invalid. You can select the specific types of invalid certificates to match.
  • No validation — The server certificate validity is not checked. Matches any certificate.

Options when Match Certificate Validation is Validation succeeded:
Matching Domains — A list of the fully qualified domain names to match in the server certificate.
Add — Opens the Add Domain name dialog box.
Remove — Removes the selected domain name.

Options when Match Certificate Validation is Validation failed:
Match self-signed certificates — Select this option if you want self-signed certificates to match.
Match non-trusted CAs — Select this option if you want certificates signed by non-trusted CAs to match.
Match expired certificates — Select this option if you want expired certificates to match.
Match invalid certificates — Select this option if you want invalid certificates to match.