Add an SSL/TLS inspection rule

You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS connections over TCP between clients and web servers and decrypt the traffic.

1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
2. Enter the general details.

   Name	Description
   Rule name	Type a name.
   Rule position	Specify the position of the rule in the rule table: Top Bottom XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn’t evaluate subsequent rules. To change the order of the rules later, you can drag and drop the rule in the rule table.
   Action	Select the action: Decrypt: Establishes connection and decrypts. Don't decrypt: Establishes the connection and doesn’t decrypt. Use this to create an exclusion rule. Decryption profile restrictions also apply to rules with action set to Don't decrypt. Deny: Doesn’t establish connection. For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following: Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings. Block certificate errors and apply the minimum RSA key size specified in decryption profiles. Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall applies the block action Reject.
   Log connections	Select to log the connections.
   Decryption profile	Select a decryption profile or create one. You can't edit the default profiles. Decryption profiles override the default SSL/TLS general settings for the re-signing CA and action for traffic we can't decrypt. They allow you to specify a policy-driven action for the rule.

   Note XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and Unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

   To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

3. Select the source matching criteria.

   Name	Description
   Source zones	Select the zones from which traffic originates. You can select only internal zones, since SSL/TLS inspection rules apply only to outbound traffic.
   Source networks and devices	Select the source networks and devices or create new ones.
   Users or groups	Select the source users and groups. The rule will then apply only to traffic originating from the specified users.

4. Select the destination and service matching criteria.

   Name	Description
   Destination zones	Select the destination zones of traffic.
   Destination networks	Select the destination networks or create new ones.
   Services	Select the services or create a new service. A service is a combination of protocols and ports. SSL/TLS connections aren’t enforced over UDP.

5. Specify the settings for websites and web categories.

   Name	Description
   Categories and websites	Select the web categories and websites. To add an individual website, go to Web > URL groups or Categories and add the website to an existing or new object. You can then select the object in the SSL/TLS inspection rule. XG Firewall identifies web categories and websites based on the SNI (Server Name Indication) in the SSL/TLS handshake.

   Note XG Firewall enforces SSL/TLS inspection rules and the URL groups you specify if you have a Base License. You can configure web categories, but can't enforce them without a Web Protection license.
6. Click Save.