Add a decryption profile
Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.
- Go to Profiles > Decryption profiles and click Add.
- Enter a name.
- Optional: Add a description.
- Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall.
Re-signing certificates must be trusted by the endpoint devices. If they aren't, browsers will show a warning and may refuse to complete the connection.
Tip: Under most circumstances, this requires installing copies of the certificates in the browsers or the operating system certificate stores of the endpoint devices. Alternatively, you can create and use signing certificates that are subordinate to an existing trusted enterprise CA for your organization. It isn't possible to obtain signing certificates from CAs that are already trusted by operating systems or browsers: a publicly trusted CA will not issue a subordinate signing certificate that could be used to intercept connections to any website.
Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) keys. In most situations, certificates of one type can be signed by certificate authorities of the other, so you can use the same CA for both. If you encounter problems with applications that expect certificates of only one type, you can add an EC key and use it to re-sign certificates that were originally signed by an EC-based authority. If you add a second CA, ensure that it is also trusted by all endpoint devices.
Use CAs defined in SSL/TLS settings
Uses the certificate authority specified in SSL/TLS inspection settings.
Re-sign RSA with
Used when the website's certificate was signed using RSA. You can specify an EC or RSA certificate.
Re-sign EC with
Used when the website's certificate was signed using EC. You can specify an EC or RSA certificate.
- Specify the action for non-decryptable traffic: insecure protocol versions, SSL compression, connections that exceed the decryption limit, and unrecognized cipher suites.
SSL 2.0 and SSL 3.0
Allowing these connections lowers security.
SSL compression
Compression before encryption has known vulnerabilities (for example, the CRIME attack).
When SSL/TLS connections exceed limit
Applies to excess traffic when the volume exceeds the decryption capability of the firewall. To see the decryption limit, go to Control center and select the SSL/TLS connections widget.
Unrecognized cipher suites
XG Firewall can't decrypt traffic that uses cipher suites it doesn't recognize. Allowing such connections lowers security.
Action for non-decryptable traffic:
- Use SSL/TLS settings default: Applies the action specified in SSL/TLS inspection settings. This option doesn't apply to unrecognized cipher suites.
- Allow without decryption: Lets the connection through without inspecting it.
- Drop: Drops without notifying the source.
- Reject: Drops and sends a connection reset message to the source host.
Note: XG Firewall rejects connections that use SSL 2.0 and 3.0, SSL compression, or unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules. To allow these connections, create a decryption profile set to Allow without decryption and add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.
- Specify the certificate, protocol, and cipher enforcement details.
Certificate errors to block
Select the certificate errors to block. XG Firewall blocks connections whose server certificate has any of the selected errors.
- Invalid date
- Self-signed
- Untrusted issuer
- Revoked
- Name mismatch: Checks that the server name requested in the Client Hello (the SNI extension) matches the domain names represented by the certificate.
- Invalid for other reasons
If you created an exception for HTTPS decryption in Web > Exceptions, XG Firewall allows traffic with invalid certificates if the traffic matches the exception criteria.
Minimum RSA key size
Select a minimum key length. Keys shorter than 2048 bits are no longer considered secure. Allow them only if it's necessary for compatibility with older servers that can't be upgraded.
Minimum SSL/TLS version
Select the minimum protocol version to allow. Versions earlier than TLS 1.2 are no longer considered secure. Allow them only if it's necessary for compatibility.
Maximum SSL/TLS version
Select the maximum protocol version to enforce. To implement the latest available version, select Maximum supported. When a later protocol version becomes available, XG Firewall will implement that version automatically.
Cipher algorithms to block
Select the key exchange, authentication mechanism, bulk ciphers, and hash algorithms to block.
Block action
Select the action to apply.
- Drop: Drops without notifying the source.
- Reject: Drops and sends a connection reset message to the source host.
- Reject and notify: Establishes the connection but prevents any data transfer with the server. For HTTPS connections, attempts to display a block page with the error reason to the user.
In TLS 1.3 the server's certificate is sent encrypted, so the firewall can only examine it when it decrypts the connection. For TLS 1.3 connections, you therefore need to set the action to Decrypt in SSL/TLS inspection rules to do the following:
- Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
- Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with the Don't decrypt or Deny action, XG Firewall applies the block action Reject instead.
- Click Save.
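The settings in the last two steps are evaluated against what the firewall can see in the TLS handshake: the protocol versions, cipher suites, compression methods and server name offered in the Client Hello, and the certificate presented by the server. The following is an added example, not XG Firewall code, that builds a Client Hello from constructed values, parses it the way an inspecting device would, and applies an assumed decryption profile to it. The PROFILE dictionary, the deliberately small KNOWN_CIPHERS registry, the name-matching rule and the list of certificate subject alternative names passed to evaluate() are all assumptions made for the example; the firewall keeps a full cipher-suite registry and reads the names from the server's certificate.

```python
import struct

# Constructed example, not XG Firewall code: how decryption profile settings
# map onto the fields of a TLS ClientHello and the server certificate's names.
TLS_VERSIONS = {0x0200: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Tiny, constructed cipher-suite registry (IANA code points). Anything not
# listed here counts as "unrecognized" for the purposes of the example.
KNOWN_CIPHERS = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",   # static RSA key exchange
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",       # static RSA key exchange + RC4
}
# Assumed profile mirroring the settings described on this page.
PROFILE = {
    "non_decryptable_action": "Reject",
    "min_version": 0x0303,                        # Minimum SSL/TLS version: TLS 1.2
    "max_version": 0x0304,                        # Maximum SSL/TLS version: Maximum supported
    "cert_errors_to_block": {"Name mismatch", "Self-signed", "Revoked"},
    "blocked_algorithms": {"TLS_RSA_WITH", "RC4"},  # no static-RSA key exchange, no RC4
    "block_action": "Reject and notify",
}

def build_client_hello(legacy_version, ciphers, sni=None, supported_versions=(), compression=(0,)):
    """Assemble a TLS record carrying a ClientHello (RFC 8446 section 4.1.2 layout)."""
    ext = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        body = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", 0, len(body)) + body           # extension 0: server_name
    if supported_versions:
        body = bytes([2 * len(supported_versions)]) + b"".join(struct.pack("!H", v) for v in supported_versions)
        ext += struct.pack("!HH", 43, len(body)) + body          # extension 43: supported_versions
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + bytes([len(compression)]) + bytes(compression)
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1: client_hello
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake

def parse_client_hello(data):
    """Extract the fields a decryption profile is evaluated against (TLS record format only)."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                            # 5-byte record header + 4-byte handshake header
    hello = {"legacy_version": struct.unpack("!H", data[p:p + 2])[0], "sni": None, "supported_versions": []}
    p += 2 + 32                                      # skip version and random
    p += 1 + data[p]                                 # skip session id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    hello["ciphers"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    comp_len = data[p]; p += 1
    hello["compression"] = list(data[p:p + comp_len]); p += comp_len
    if p < len(data):
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            body = data[p:p + elen]; p += elen
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
                hello["sni"] = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
            elif etype == 43:  # supported_versions: len(1) then 2-byte versions
                hello["supported_versions"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)]
    return hello

def name_matches(sni, san_names):
    """RFC 6125-style host matching: exact, or a wildcard covering one label in the leftmost position only."""
    host = sni.lower().rstrip(".")
    for san in (s.lower() for s in san_names):
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") and host.endswith(san[1:]):
            return True
    return False

def evaluate(hello, cert_san_names, profile=PROFILE):
    """Classify one connection the way the profile's settings would. Returns (action, reason)."""
    offered_max = max(hello["supported_versions"] or [hello["legacy_version"]])
    # Non-decryptable traffic (this example treats an offer of any non-null compression method as SSL compression).
    if offered_max <= 0x0300:
        return profile["non_decryptable_action"], "SSL 2.0/3.0"
    if any(m != 0 for m in hello["compression"]):
        return profile["non_decryptable_action"], "SSL compression"
    if not any(c in KNOWN_CIPHERS for c in hello["ciphers"]):
        return profile["non_decryptable_action"], "unrecognized cipher suites"
    # Certificate, protocol and cipher enforcement.
    if offered_max < profile["min_version"]:
        return profile["block_action"], "below minimum SSL/TLS version"
    if ("Name mismatch" in profile["cert_errors_to_block"] and hello["sni"]
            and not name_matches(hello["sni"], cert_san_names)):
        return profile["block_action"], "name mismatch"
    usable = [c for c in hello["ciphers"] if c in KNOWN_CIPHERS
              and not any(a in KNOWN_CIPHERS[c] for a in profile["blocked_algorithms"])]
    if not usable:
        return profile["block_action"], "only blocked cipher algorithms offered"
    return "Decrypt", f"negotiate {TLS_VERSIONS[min(offered_max, profile['max_version'])]}"

if __name__ == "__main__":
    modern = build_client_hello(0x0303, [0x1301, 0xC02F], sni="www.example.com", supported_versions=(0x0304, 0x0303))
    print(evaluate(parse_client_hello(modern), ["*.example.com"]))   # ('Decrypt', 'negotiate TLS 1.3')
    print(evaluate(parse_client_hello(build_client_hello(0x0300, [0x002F])), []))  # ('Reject', 'SSL 2.0/3.0')
```

The order of checks follows the page: the non-decryptable conditions are settled first and use the action from step 3, and only then are the enforcement settings from step 4 applied with the block action. Because the name mismatch check needs the server's certificate, for TLS 1.3 it can only run when the inspection rule's action is Decrypt, as the previous step notes.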