Create TLS Match elements for network application detection
TLS Match elements define matching criteria for the use of the TLS (transport layer security) protocol in traffic.
In addition to the predefined TLS Match elements used in predefined Network Application elements, you can optionally define your own TLS Match elements. TLS Match elements can match the following criteria:
- Whether certificate validation succeeded, failed, or was not performed.
- The server domain name in a valid certificate.
- Specific reasons a certificate is regarded as invalid if certificate validation failed.
- The domain name in the Server Name Indication (SNI) field of the TLS Client Hello packet.
TLS Match elements also specify whether to decrypt TLS traffic to particular Internet domains for inspection. TLS Match elements that deny decryption are applied globally. Even if the TLS Match element is not used in the properties of any Network Application elements or in the Access rules, matching connections are never decrypted. Denying decryption in a TLS Match prevents network applications from being detected in encrypted connections to the specified domains. If the server certificate provides sufficient information to identify the network application without decrypting the client communications, you can alternatively specify that decryption is not necessary for network application identification in the Network Application properties.
A Network Application element matches a TLS connection only if a TLS Match element in the Network Application also matches. However, TLS Match elements used in Service Definitions override the TLS Match of a Network Application. In this case, the rule matches when the TLS Match elements specified in the rule match.
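The matching rules above (a globally applied Deny Decrypting, a Network Application that matches only through one of its TLS Match elements, and Service Definition TLS Matches overriding the application's own) can be modelled in a few lines. This is an added illustration, not product code: the field names, the exact-FQDN comparison, and the reading that an undecryptable connection is still identified when the application is marked identifiable by TLS Match alone are assumptions.

```python
from dataclasses import dataclass

# Constructed model of this page's TLS Match semantics (added example, not product code).
@dataclass(frozen=True)
class TlsConnection:
    domain: str                # SNI from the Client Hello, or the domain in the server certificate
    validation: str            # "succeeded", "failed" or "not_performed"
    failure_reasons: frozenset = frozenset()  # e.g. {"self_signed", "expired"}

@dataclass(frozen=True)
class TlsMatch:
    domains: frozenset = frozenset()          # FQDNs to match; empty means any domain
    validation: "str | None" = None           # None: certificate validity is not checked
    failure_reasons: frozenset = frozenset()  # reasons that count when validation == "failed"
    deny_decrypting: bool = False

    def matches(self, conn: TlsConnection) -> bool:
        if self.domains and conn.domain not in self.domains:  # exact FQDN match (assumption)
            return False
        if self.validation is None:
            return True
        if self.validation != conn.validation:
            return False
        if self.validation == "failed":
            return bool(self.failure_reasons & conn.failure_reasons)
        return True

@dataclass(frozen=True)
class NetworkApplication:
    tls_matches: tuple                        # TLS Match elements in the application's properties
    identifiable_by_tls_match_alone: bool = False

def decryption_allowed(conn, all_tls_matches):
    # Deny Decrypting is global: a matching deny element blocks decryption even if no
    # Network Application or Access rule references it.
    return not any(m.deny_decrypting and m.matches(conn) for m in all_tls_matches)

def detect_application(conn, app, all_tls_matches, service_tls_matches=()):
    # TLS Matches in a Service Definition override the application's own. An undecryptable
    # connection is identified only if the app is identifiable by TLS Match alone (assumed reading).
    candidates = service_tls_matches or app.tls_matches
    if not any(m.matches(conn) for m in candidates):
        return False
    return decryption_allowed(conn, all_tls_matches) or app.identifiable_by_tls_match_alone

# Constructed samples: a bank domain exempted from decryption (referenced nowhere), and an
# application matched on a validated certificate for www.example.com.
NO_DECRYPT_BANK = TlsMatch(frozenset({"bank.example"}), deny_decrypting=True)
EXAMPLE_VALID = TlsMatch(frozenset({"www.example.com"}), validation="succeeded")
ALL_MATCHES = (NO_DECRYPT_BANK, EXAMPLE_VALID)
EXAMPLE_APP = NetworkApplication((EXAMPLE_VALID,))
```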
For more details about the product and how to configure features, click Help or press F1.
TLS Match Properties dialog box
Use this dialog box to define the properties of TLS Match elements.
Option | Definition |
---|---|
Name | Specifies a unique name for the element. |
Comment | An optional comment for your reference. |
Supported Engine Versions | Specifies the supported engine versions for the TLS Match element. |
Deny Decrypting | When selected, prevents connections from being decrypted for inspection. Note: Selecting Deny Decrypting prevents the Network Application element where the TLS Match is used from being identified if the traffic is encrypted. To specify that decryption is not necessary for identifying the network application, use the Application Identifiable by TLS Match Alone option in the Network Application properties instead. |
Match Certificate Validation | Defines whether the server certificate validity is checked, and what to match. |

When Match Certificate Validation is Validation succeeded:

Option | Definition |
---|---|
Matching Domains | A list of the fully qualified domain names to match in the server certificate. |
Add | Opens the Add Domain name dialog box. |
Remove | Removes the selected domain name. |

When Match Certificate Validation is Validation failed:

Option | Definition |
---|---|
Match self-signed certificates | Select this option if you want self-signed certificates to match. |
Match non-trusted CAs | Select this option if you want certificates signed by non-trusted CAs to match. |
Match expired certificates | Select this option if you want expired certificates to match. |
Match invalid certificates | Select this option if you want invalid certificates to match. |