Encrypted Traffic Inspection Configuration
You must create reusable public key infrastructure (PKI) objects to control encrypted traffic based on encrypted session characteristics and decrypt encrypted traffic. You can add this information on the fly when uploading trusted certificate authority (CA) certificates to the a decryption policy and creating decryption rule, creating the associated object in the process. However, configuring these objects ahead of time reduces the chance of improper object creation.
Decrypting Encrypted Traffic with Certificates and Paired Keys
The system can decrypt incoming encrypted traffic if you configure an internal certificate object by uploading the server certificate and private key used to encrypt the session. If you reference that object in a decryption policy rule with an action of Decrypt - Known Key and traffic matches that rule, the system uses the uploaded private key to decrypt the session.
The system can also decrypt outgoing traffic if you configure an internal CA object by uploading a CA certificate and private key. If you reference that object in a decryption rule with an action of Decrypt - Resign and traffic matches that rule, the system re-signs the server certificate passed to the client browser, then acts as a man-in-the-middle to decrypt the session. You can optionally replace the self-signed certificate key only and not the entire certificate, in which case users see a self-signed certificate key notice in the browser.
Controlling Traffic Based on Encrypted Session Characteristics
The system can control encrypted traffic based on the cipher suite or server certificate used to negotiate the session. You can configure one of several different reusable objects and reference the object in a decryption rule condition to match traffic. The following table describes the different types of reusable objects you can configure:
If you configure... |
You can control encrypted traffic based on whether... |
---|---|
A cipher suite list containing one or more cipher suites |
The cipher suite used to negotiate the encrypted session matches a cipher suite in the cipher suite list |
A trusted CA object by uploading a CA certificate your organization trusts |
The trusted CA trusts the server certificate used to encrypt the session, whether:
|
An external certificate object by uploading a server certificate |
The server certificate used to encrypt the session matches the uploaded server certificate |
A distinguished name object containing a certificate subject or issuer distinguished name |
The subject or issuer common name, country, organization, or organizational unit on the certificate used to encrypt the session matches the configured distinguished name |