Add an SSL/TLS inspection rule

You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS connections over TCP between clients and web servers and decrypt the traffic.

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. To take effect, the rule must find a match in all criteria.

You can also add decryption profiles to enforce secure connections.

  1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
  2. Enter the general details.

    Name

    Description

    Rule name

    Type a name.

    Rule position

    Specify the position of the rule in the rule table:

    • Top
    • Bottom

    XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn’t evaluate subsequent rules. To change the order of the rules later, you can drag and drop the rule in the rule table.

    Action

    Select the action:

    • Decrypt: Establishes the connection and decrypts the traffic.
    • Don't decrypt: Establishes the connection and doesn't decrypt the traffic. Use this to create an exclusion rule.

      Decryption profile restrictions also apply to rules with the action set to Don't decrypt.

    • Deny: Doesn't establish the connection.

    For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:

    • Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.
    • Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
    • Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with the Don't decrypt or Deny action, XG Firewall applies the block action Reject.

    Log connections

    Select to log the connections.

    Decryption profile

    Select a decryption profile or create one. You can't edit the default profiles.

    Decryption profiles override the default SSL/TLS general settings for the re-signing CA and the action for traffic that can't be decrypted. They allow you to specify a policy-driven action for the rule.

    Note: XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

    To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

  3. Select the source matching criteria.

    Name

    Description

    Source zones

    Select the zones from which traffic originates.

    You can select only internal zones, since SSL/TLS inspection rules apply only to outbound traffic.

    Source networks and devices

    Select the source networks and devices or create new ones.

    Users or groups

    Select the source users and groups. The rule will then apply only to traffic originating from the specified users.

  4. Select the destination and service matching criteria.

    Name

    Description

    Destination zones

    Select the destination zones of traffic.

    Destination networks

    Select the destination networks or create new ones.

    Services

    Select the services or create a new service. A service is a combination of protocols and ports.

    SSL/TLS inspection isn't enforced for connections over UDP.

  5. Specify the settings for websites and web categories.

    Name

    Description

    Categories and websites

    Select the web categories and websites.

    To add an individual website, go to Web > URL groups or Categories and add the website to an existing or new object. You can then select the object in the SSL/TLS inspection rule.

    XG Firewall identifies web categories and websites based on the SNI (Server Name Indication) in the SSL/TLS handshake.

    Note: XG Firewall enforces SSL/TLS inspection rules and the URL groups you specify if you have a Base License. You can configure web categories, but can't enforce them without a Web Protection license.

  6. Click Save.
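As an added illustration (not Sophos code and not the XG Firewall implementation), the following Python models two things this procedure relies on: reading the SNI from a TLS ClientHello, which is how XG Firewall identifies websites, and evaluating a rule table top-down, where the first rule whose criteria all match decides the action. The rule table, zone names and host names are constructed sample values.

```python
import struct

def extract_sni(record: bytes):
    """Return the server_name in a TLS ClientHello record; None if absent or malformed."""
    try:
        # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                   # skip client_version and random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
        p += 1 + record[p]                               # compression_methods
        p, ext_end = p + 2, p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying one cipher suite and only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed rule table as (name, source zone, TCP port, SNI hosts, action); "*" matches anything.
# Evaluation is top-down, first match wins, so the exclusion rule must sit above the broad Decrypt rule.
RULES = [
    ("Exclude banking", "LAN", 443, {"bank.example"}, "Don't decrypt"),
    ("Deny flagged host", "*", "*", {"blocked.example"}, "Deny"),
    ("Decrypt LAN web", "LAN", 443, "*", "Decrypt"),
]

def evaluate(rules, src_zone: str, port: int, client_hello: bytes) -> str:
    sni = extract_sni(client_hello)   # website criterion is matched on the handshake SNI
    for _name, zone, rport, hosts, action in rules:
        if zone in ("*", src_zone) and rport in ("*", port) and (hosts == "*" or sni in hosts):
            return action
    return "No match"
```

Swapping the first and third rules makes the banking exclusion unreachable, which is the ordering mistake the rule position setting exists to avoid.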