SSL/TLS inspection rules
With SSL/TLS inspection rules, you can intercept and decrypt SSL and TLS connections over TCP, enabling XG Firewall to enforce secure connections between clients and web servers.
SSL/TLS inspection enables the prevention of malware transmitted through encrypted connections.
You can enforce policy-driven connections and decryption for inbound and outbound SSL/TLS traffic based on the traffic and risk level.
SSL/TLS inspection rules don't affect the decryption of traffic handled by the web proxy. You specify the method of web filtering (web proxy or the DPI engine) in firewall rules. By default, XG Firewall uses the DPI engine, applying SSL/TLS inspection rules to traffic matching the firewall rule criteria.
Rule table actions
- You can filter the rules by the source, destination, and rule ID.
- To reset the rule filter, select Reset filter.
Click More options to specify the following actions:
- To edit or delete a rule, select the action.
- To clone or add a rule next to an existing rule, select the action.
- To turn on or turn off a rule, select the switch.
To change the position of a rule, click and drag the Rule handle. XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. Position the specific rules above the less specific rules.
SSL/TLS inspection rules
SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. To take effect, the rule must find a match in all criteria.
You need to select a decryption profile for each rule to specify the action for traffic with issues, such as insecure protocol versions, SSL compression, unrecognized cipher suites, cipher algorithms to block, certificate errors, or connections that exceed the firewall's decryption capabilities. After decrypting and inspecting the traffic, XG Firewall re-encrypts the traffic with the re-signing certificate authority that you specify.
You can use SSL/TLS inspection rules in these cases:
- Implement policy-driven decryption and meet compliance requirements.
- Prevent malware transmission through encrypted traffic.
- Apply web content policies to encrypted traffic to prevent unwanted uploads and downloads without obstructing general browsing.
Exclusions to SSL/TLS inspection rules
XG Firewall provides a default exclusion rule, Exclusions by website or category, that prevents connections to certain websites from being decrypted. The rule's action is set to Don't decrypt and its decryption profile to Maximum compatibility.
The rule is permanently positioned at the top of the SSL/TLS inspection rule table. SSL/TLS inspection rules are evaluated top down in the rule table.
The exclusion rule contains the following default exclusion lists:
- Local TLS exclusion list: The list is empty by default. You can add websites to this list by troubleshooting in the Control center or Log viewer. To edit this list, go to .
Websites and browsers that use certificate pinning block the requested page, fully or partially, when SSL/TLS inspection is turned on. Any error message that is shown may not give an identifiable reason. To bypass SSL/TLS inspection for such sites, add their domains to the local TLS exclusion list.
- Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/TLS inspection and is updated through firmware updates.
You can exclude web categories, URL groups, users, source and destination IP addresses and networks by creating your own exclusion rules and placing them immediately below the default rule. Add only connections you don’t want to be decrypted by other SSL/TLS inspection rules to an exclusion rule.
SSL/TLS inspection rules are applied independently of firewall rules. Inspection rules continue to enforce the specified exclusions even if you don't select a web policy in firewall rules.
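The two behaviours described above, top-down first-match evaluation (so a specific rule must sit above a broader one) and exclusion entries that cover a domain together with its subdomains, can be modelled in a few lines. This is an added illustration, not XG Firewall code; the rule names, zones and domains are constructed, and the criteria it models (zone, port, website) are a subset of the real ones.

```python
# Added model (not XG Firewall code) of SSL/TLS inspection rule evaluation:
# rules are read top-down, the first match wins, and a rule matches only when
# every criterion it specifies matches the connection. Names are constructed.
from dataclasses import dataclass, field

@dataclass
class Conn:
    src_zone: str
    dst_port: int
    sni: str  # server name the client requested (from the TLS ClientHello)

@dataclass
class Rule:
    name: str
    action: str  # "decrypt" or "dont_decrypt"
    src_zones: set = field(default_factory=set)  # empty set = any
    ports: set = field(default_factory=set)
    websites: set = field(default_factory=set)  # domains; subdomains included

def domain_matches(listed: str, host: str) -> bool:
    """bank.example covers bank.example and login.bank.example, not notbank.example."""
    listed, host = listed.lower().rstrip("."), host.lower().rstrip(".")
    return host == listed or host.endswith("." + listed)

def rule_matches(rule: Rule, c: Conn) -> bool:
    """Every criterion the rule sets must match; an unset criterion matches anything."""
    checks = [
        (rule.src_zones, lambda: c.src_zone in rule.src_zones),
        (rule.ports, lambda: c.dst_port in rule.ports),
        (rule.websites, lambda: any(domain_matches(w, c.sni) for w in rule.websites)),
    ]
    return all(ok() for crit, ok in checks if crit)

def evaluate(table: list, c: Conn) -> tuple:
    """First matching rule decides; rules below it are never consulted.
    Assumption in this model: with no match the connection is left encrypted."""
    for rule in table:
        if rule_matches(rule, c):
            return rule.name, rule.action
    return "no rule", "dont_decrypt"

# Constructed table. The exclusion rule sits pinned at the top, as on the firewall;
# "pinned.example" stands in for an entry on the local TLS exclusion list.
EXCLUSIONS = Rule("Exclusions by website or category", "dont_decrypt",
                  websites={"pinned.example"})
BANKING = Rule("Exclude banking", "dont_decrypt", websites={"bank.example"})
LAN_ALL = Rule("Decrypt LAN", "decrypt", src_zones={"LAN"})
GOOD_ORDER = [EXCLUSIONS, BANKING, LAN_ALL]  # specific rule above the general one
BAD_ORDER = [EXCLUSIONS, LAN_ALL, BANKING]   # the broad rule shadows the banking exclusion
```

With `GOOD_ORDER`, a LAN client connecting to `login.bank.example` hits the banking exclusion; with `BAD_ORDER` the same connection is matched by the broad LAN rule and decrypted, which is the mis-ordering the rule-table guidance warns about.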
You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:
| | SSL/TLS exclusion list | Web exception |
|---|---|---|
| Processes you can exclude | HTTPS decryption; HTTPS certificate and protocol enforcement | HTTPS decryption; HTTPS certificate validation; malware and content scanning; Sandstorm; web policy checks |
| Applies in this mode | DPI mode | DPI mode; Proxy mode |
| Applies to this traffic | SSL/TLS connections on any port. | DPI mode: SSL/TLS connections on any port. Proxy mode: SSL/TLS connections on port 443. |
| Matching criteria | URL group containing a list of websites (domain names) in plaintext, including the subdomains of these domains; web categories; source and destination zones, networks, and IP addresses; services; users and groups | URL pattern matches using regular expressions; web categories; source and destination IP addresses and IP ranges |
| Where to add the exception | Add domains and subdomains to the Local TLS exclusion list by troubleshooting in the Control center or Log viewer. Go to and add websites to a URL group used by an exclusion rule. Create or edit SSL/TLS inspection rules. | Add to . |
SSL/TLS inspection settings
These settings apply to all SSL/TLS inspection rules. You can specify the re-signing certificate authorities (CAs), the action for traffic that isn't decrypted, and the TLS downgrade setting. The inspection settings also allow you to turn off SSL/TLS inspection to troubleshoot errors.
The decryption profile that you add to an inspection rule overrides the inspection settings.
Firewall rules and web proxy
XG Firewall applies the firewall rules first and then the SSL/TLS inspection rules. It applies the inspection rules in transparent mode based on the web proxy selection you make in the firewall rule.
Transparent mode: In the firewall rule, if you've selected decryption and scanning by web proxy, traffic over ports 80 and 443 is decrypted by the web proxy. SSL/TLS inspection rules are then applied only to web traffic over other ports.
SSL/TLS inspection uses the certificates specified in SSL/TLS inspection settings and Decryption profiles.
Troubleshooting
To see if SSL/TLS connections have been exceeding the decryption limit, go to Control center and select the SSL/TLS connections widget.
To troubleshoot SSL/TLS errors, go to Control center, select the SSL/TLS connections widget, and select Fix errors in the upper-right corner.
- SSL/TLS inspection rules: Go to and turn SSL/TLS inspection on.
- SSL/TLS engine: Go to . Under , select Enabled.