SSL/TLS inspection settings
With SSL/TLS inspection settings, you can specify the default settings to enforce secure protocol versions and occurrences.
Go to SSL/TLS inspection settings.
Re-signing certificate authorities
Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall. The decryption profile attached to an SSL/TLS inspection rule can override these settings for the rule. Re-signing certificates must be trusted by the endpoint devices. If they aren't, browsers will show a warning and may refuse to complete the connection.
Name | Description
---|---
Re-sign RSA with | Used when the website's certificate was signed using RSA. You can specify an EC or RSA certificate.
Re-sign EC with | Used when the website's certificate was signed using EC. You can specify an EC or RSA certificate.
Non-decryptable traffic
Specify the action for traffic that XG Firewall won't decrypt, such as connections using insecure protocol versions and the other cases listed below. The decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.
Name | Description
---|---
SSL 2.0 and SSL 3.0 | Allowing these connections lowers security.
SSL compression | Compression before encryption has known vulnerabilities.
When SSL/TLS connections exceed limit | Applies to excess traffic when volume exceeds the decryption capability of the firewall. To see the decryption limit, go to Control center and select the SSL/TLS connections widget.
Select the action for the traffic we won't decrypt:
- Allow without decryption
- Drop: Drops without notifying the source.
- Reject: Drops and sends a connection reset message to the source host.
To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.
TLS 1.3 compatibility
TLS 1.3 decryption
Select the action.
- Decrypt as 1.3
- Downgrade to TLS 1.2 and decrypt: Some servers and clients haven’t implemented TLS 1.3 yet. Select this option if you experience issues using TLS 1.3.
- Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.
- Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
- Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall applies the block action Reject.
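The compression and TLS 1.3 settings above both change what is negotiated on the wire, and the quickest way to confirm the effect from a packet capture is to read the ServerHello. The following added example (not Sophos code; the two sample records are constructed inside the script) parses a TLS ServerHello record and reports the negotiated version, taking the TLS 1.3 supported_versions extension into account, and whether a compression method was accepted:

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446: carries the real selected version for TLS 1.3

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and report what was negotiated."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    version = struct.unpack("!H", body[0:2])[0]   # legacy_version; stays 0x0303 even for TLS 1.3
    pos = 2 + 32                                  # skip the 32-byte server random
    sid_len = body[pos]; pos += 1 + sid_len       # skip legacy session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    compression = body[pos]; pos += 1             # 0 = null, anything else = compression accepted
    if pos + 2 <= len(body):                      # extensions block is optional in TLS <= 1.2
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_size == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += ext_size
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suite": cipher_suite,
            "compression": compression != 0}

def build_server_hello(legacy_version, cipher_suite, compression, exts=b"") -> bytes:
    """Constructed sample, not a captured packet: assemble a minimal ServerHello record."""
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a TLS 1.3 hello (selected version only visible in supported_versions)
# and a TLS 1.2 hello that accepted compression method 1 (DEFLATE).
TLS13_HELLO = build_server_hello(0x0303, 0x1301, 0, struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304))
TLS12_COMPRESSED_HELLO = build_server_hello(0x0303, 0xC02F, 1)

if __name__ == "__main__":
    for name, rec in (("tls13", TLS13_HELLO), ("tls12+compression", TLS12_COMPRESSED_HELLO)):
        print(name, parse_server_hello(rec))
```

Run it against the client-facing ServerHello of an intercepted session: with Downgrade to TLS 1.2 and decrypt in effect the reported version is TLS 1.2 even when the client offered 1.3, and a compression value of True means the SSL compression action should be reviewed.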
Advanced settings
SSL/TLS engine: Disable the engine only when you want to troubleshoot. Once you complete troubleshooting, enable it again.