Decrypt and Resign (Outgoing Traffic)

The Decrypt - Resign decryption rule action enables the system to act as a man in the middle, intercepting, decrypting, and (if the traffic is allowed to pass) inspecting and re-encrypting it. The Decrypt - Resign rule action is used with outgoing traffic; that is, the destination server is outside your protected network.

The threat defense device negotiates with the client using an internal Certificate Authority (CA) object specified in the rule and builds a TLS/SSL tunnel between the client and the threat defense device. At the same time, the device connects to the destination web site and creates an SSL tunnel between the server and the threat defense device.

Thus, the client sees the CA certificate configured for the decryption rule instead of the certificate from the destination server. The client must trust the firewall's certificate to complete the connection. The threat defense device then performs decryption/re-encryption in both directions for traffic between the client and the destination server.

Prerequisite

To use the Decrypt - Resign rule action, you must create an internal CA object using a CA file and paired private key file. You can generate a CA and private key in the system if you don't already have them.
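The mechanism described above and the CA prerequisite, as an added example that is not Cisco's code: a POSIX shell script using openssl that builds the internal CA object (CA certificate plus private key), re-signs an origin server's certificate with it the way the device does for the client, and checks which client trust stores accept the result. All CA names, hostnames and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not Cisco's code: models with openssl what Decrypt - Resign
# does to an outgoing connection. All names and file paths are constructed.
set -e
WORK="$(mktemp -d)"; cd "$WORK"

# Prerequisite: the internal CA object, a CA certificate plus its private key.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal Decryption CA" \
    -keyout internal-ca.key -out internal-ca.pem 2>/dev/null
}

# The origin server's real certificate, issued by a CA the firewall does not
# control (constructed here as a second self-signed root).
make_origin_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Public Root CA" \
    -keyout public-ca.key -out public-ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout origin.key -out origin.csr 2>/dev/null
  openssl x509 -req -in origin.csr -CA public-ca.pem -CAkey public-ca.key \
    -CAcreateserial -days 90 -out origin.pem 2>/dev/null
}

# The resign step: the device keeps the origin certificate's subject but signs
# it with the internal CA over a key pair of its own. The origin's private key
# is never needed (single-RDN subject assumed when rebuilding the -subj string).
resign_for_client() {
  subj="$(openssl x509 -in origin.pem -noout -subject -nameopt RFC2253)"
  openssl req -newkey rsa:2048 -nodes -subj "/${subj#subject=}" \
    -keyout firewall.key -out resigned.csr 2>/dev/null
  openssl x509 -req -in resigned.csr -CA internal-ca.pem -CAkey internal-ca.key \
    -CAcreateserial -days 30 -out resigned.pem 2>/dev/null
}

# What the client sees. A client that trusts the internal CA completes the
# handshake; one that only trusts the public root rejects the resigned chain.
client_trusting_internal_ca() { openssl verify -CAfile internal-ca.pem resigned.pem >/dev/null 2>&1; }
client_trusting_public_root_only() { openssl verify -CAfile public-ca.pem resigned.pem >/dev/null 2>&1; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253; }

make_internal_ca; make_origin_cert; resign_for_client
echo "origin:   $(cert_subject origin.pem) / $(cert_issuer origin.pem)"
echo "resigned: $(cert_subject resigned.pem) / $(cert_issuer resigned.pem)"
client_trusting_internal_ca && echo "client trusting internal CA: accepted"
client_trusting_public_root_only || echo "client trusting public root only: rejected"
```

The subject of resigned.pem matches origin.pem while the issuer is the internal CA, which is exactly why endpoints need the CA certificate in their trust store and why the CA private key must be kept off any host other than the device.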

Note

The Firepower System does not support mutual authentication; that is, you cannot upload a client certificate to the management center and use it for either the Decrypt - Resign or the Decrypt - Known Key decryption rule action. For more information, see Decrypt and Resign (Outgoing Traffic) and Known Key Decryption (Incoming Traffic).