Add an SSL/TLS inspection rule
You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS connections over TCP between clients and web servers and decrypt the traffic.
You can also add decryption profiles to enforce secure connections.
- Go to Rules and policies > SSL/TLS inspection rules and click Add.
- Enter the general details.
Rule name
Type a name.
Rule position
Specify the position of the rule in the rule table:
- Top
- Bottom
XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the connection, it doesn't evaluate subsequent rules, so place narrow exclusion rules (action Don't decrypt) above any broader Decrypt rule, or they are never reached. To change the order of the rules later, you can drag and drop the rule in the rule table.
Action
Select the action:
- Decrypt: Establishes the connection and decrypts it.
- Don't decrypt: Establishes the connection and doesn't decrypt it. Use this to create an exclusion rule. Decryption profile restrictions also apply to rules with the action set to Don't decrypt.
- Deny: Doesn't establish the connection.
For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:
- Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.
- Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
- Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with the Don't decrypt or Deny action, XG Firewall applies the block action Reject.
In TLS 1.3 the server sends its certificate encrypted, so without decrypting the connection the firewall can't see certificate errors or check the server's key size.
Log connections
Select to log the connections.
Decryption profile
Select a decryption profile or create one. You can't edit the default profiles.
Decryption profiles override the SSL/TLS general settings for the re-signing CA and for the action to take on traffic XG Firewall can't decrypt. They allow you to specify a policy-driven action for the rule.
Note: XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules. To allow these connections, create a decryption profile set to Allow without decryption and add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt. Such connections then pass without being inspected.
- Select the source matching criteria.
Source zones
Select the zones from which traffic originates.
You can select only internal zones, since SSL/TLS inspection rules apply only to outbound traffic.
Source networks and devices
Select the source networks and devices or create new ones.
Users or groups
Select the source users and groups. The rule will then apply only to traffic originating from the specified users.
- Select the destination and service matching criteria.
Destination zones
Select the destination zones of traffic.
Destination networks
Select the destination networks or create new ones.
Services
Select the services or create a new service. A service is a combination of protocols and ports.
SSL/TLS inspection rules aren't enforced over UDP, so TLS carried over UDP, such as QUIC, isn't inspected by these rules.
- Specify the settings for websites and web categories.
Categories and websites
Select the web categories and websites.
To add an individual website, go to Web > URL groups or Categories and add the website to an existing or new object. You can then select the object in the SSL/TLS inspection rule.
XG Firewall identifies web categories and websites from the SNI (Server Name Indication) the client sends in the SSL/TLS handshake. The SNI travels in cleartext in the ClientHello, so it's available to the firewall before any decryption takes place.
Note: XG Firewall enforces SSL/TLS inspection rules and the URL groups you specify if you have a Base License. You can configure web categories, but can't enforce them without a Web Protection license.
- Click Save.
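Two behaviours in the procedure above matter most in practice: rules are matched top-down on first match, and website matching is done on the cleartext SNI before any decryption. The following Python script is an added illustration, not code from XG Firewall or from this page. It builds a constructed TLS ClientHello, extracts the SNI and the highest offered TLS version the way an inspecting device can without decrypting, and evaluates a small rule table top-down. The rule fields, the zone and site names, and the treatment of a ClientHello with no SNI are assumptions made for the example.

```python
import struct

# Constructed sample input (not a real capture): a minimal TLS ClientHello with an
# SNI extension and, optionally, a supported_versions extension offering TLS 1.3.
# Real clients add more extensions and GREASE values; this sample omits them.
def build_client_hello(server_name, tls13=True):
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data     # server_name extension
    if tls13:
        versions = b"\x03\x04\x03\x03"                                # TLS 1.3, TLS 1.2
        exts += struct.pack("!HH", 0x002B, 1 + len(versions)) + bytes([len(versions)]) + versions
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # handshake record


def parse_client_hello(record):
    """Return (sni, highest_offered_version) from a TLS record carrying a ClientHello.
    This is what an inspecting firewall can read before decrypting anything: the SNI
    is in cleartext, and supported_versions shows whether TLS 1.3 is on offer."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = tuple(body[0:2])                 # legacy_version, overridden by supported_versions
    pos = 34                                   # skip legacy_version + random
    pos += 1 + body[pos]                       # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                       # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                # server_name: 2-byte list length, then entries
                p = 2
                while p + 3 <= len(data):
                    ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                    if ntype == 0:             # host_name
                        sni = data[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            elif etype == 0x002B:              # supported_versions: 1-byte length, 2-byte versions
                version = max(tuple(data[i:i + 2]) for i in range(1, 1 + data[0], 2))
    return sni, version


DECRYPT, DONT_DECRYPT, DENY = "Decrypt", "Don't decrypt", "Deny"

def matches(rule, src_zone, dport, sni):
    if src_zone not in rule["src_zones"] or dport not in rule["services"]:
        return False
    if not rule["sites"]:                      # rule not scoped to websites
        return True
    # Assumption for this example: a ClientHello without SNI can't match a website-scoped rule.
    return sni is not None and any(sni == s or sni.endswith("." + s) for s in rule["sites"])

def evaluate(rules, record, src_zone, dport=443):
    """Top-down, first-match evaluation; returns (rule name, action, effective block action)."""
    sni, _version = parse_client_hello(record)
    for rule in rules:
        if matches(rule, src_zone, dport, sni):
            block = rule["profile_block"]
            # As the text states: "Reject and notify" only takes effect with action Decrypt;
            # with Don't decrypt or Deny the firewall applies plain Reject instead.
            if block == "Reject and notify" and rule["action"] != DECRYPT:
                block = "Reject"
            return rule["name"], rule["action"], block
    return None, None, None


# Hypothetical rule table: a banking exclusion and a catch-all decrypt rule for zone LAN.
EXCLUSION = {"name": "Exclude banking", "src_zones": {"LAN"}, "services": {443},
             "sites": {"bank.example"}, "action": DONT_DECRYPT, "profile_block": "Reject and notify"}
CATCH_ALL = {"name": "Decrypt all LAN", "src_zones": {"LAN"}, "services": {443},
             "sites": set(), "action": DECRYPT, "profile_block": "Reject and notify"}
RULES_OK = [EXCLUSION, CATCH_ALL]       # exclusion above the broad rule: it fires
RULES_BAD = [CATCH_ALL, EXCLUSION]      # exclusion below the broad rule: shadowed, never reached

if __name__ == "__main__":
    hello = build_client_hello("www.bank.example")
    print(parse_client_hello(hello))
    print(evaluate(RULES_OK, hello, "LAN"))
    print(evaluate(RULES_BAD, hello, "LAN"))
```

Running it shows the same ClientHello matching the exclusion when it sits above the catch-all, and matching the Decrypt rule when the order is reversed; the third tuple element shows the decryption profile's Reject and notify collapsing to Reject on the Don't decrypt rule.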