
CLI: Example for Using the SSL-encrypted Traffic Detection Function to Protect Servers

You can configure SSL-encrypted traffic detection policies so that the FW decrypts the SSL-encrypted traffic that extranet users send to intranet servers, and configure security policies that reference content security profiles so that the FW checks the content of the decrypted traffic.

Networking Requirements

As shown in Figure 1, the FW is deployed on the network boundary as the enterprise gateway and checks the content security of traffic that extranet users send to the intranet HTTPS server and SMTPS server (mail server).

Figure 1 Protecting the server networking by SSL-encrypted traffic detection

Configuration Roadmap

  1. Import the server certificate and private key.

    Obtain the server certificates and private keys of the HTTPS Server and SMTPS Server in this example from the server administrator. The FW can only decrypt inbound connections to a server whose private key it holds.

  2. Configure a detection profile.

    Set the detection type of the detection profile to inbound. In inbound mode the FW terminates the client's SSL connection with the imported server certificate and private key, which is why the server private key is required.

  3. Configure SSL-encrypted traffic detection policies.

    Configure the SSL-encrypted traffic detection policies as narrowly as the requirements allow, so that the FW decrypts only the traffic that actually needs a content security check. Avoid rules with broad matching conditions: decryption and re-encryption consume forwarding performance on the device.

  4. Configure a security policy.

    Configure security policies that match the decrypted traffic and reference content security profiles (antivirus, IPS, mail filtering), so that the FW checks the content of the decrypted traffic. Traffic that is decrypted but not matched by such a policy is not inspected.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Set the IP address of interface GigabitEthernet 0/0/1 and add it to the Untrust zone.
      <FW> system-view 
      [FW] interface GigabitEthernet 0/0/1 
      [FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24 
      [FW-GigabitEthernet 0/0/1] quit 
      [FW] firewall zone untrust 
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit
    2. Set the IP address of interface GigabitEthernet 0/0/2 and add it to the Trust zone.
      [FW] interface GigabitEthernet 0/0/2 
      [FW-GigabitEthernet 0/0/2] ip address 10.1.1.1 24 
      [FW-GigabitEthernet 0/0/2] quit 
      [FW] firewall zone trust 
      [FW-zone-trust] add interface GigabitEthernet 0/0/2 
      [FW-zone-trust] quit

  2. Configure the server certificate and private key.

    1. Upload server certificates and private keys of the HTTPS Server and SMTPS Server.

      The private key may be a separate file or may be packaged together with the server certificate (for example, in a PKCS#12 file). If it is a separate file, upload the private key file in addition to the certificate file. In this example, each server's certificate and private key are packaged in one PKCS#12 (.p12) file, so uploading that file brings both the certificate and the private key onto the device. Note that FTP transfers the file in cleartext; the private key is protected only by the export password of the .p12 file, so transfer it over a trusted network path.

      <FW> cd hda1:/pki/public/ 
      <FW> ftp 10.1.1.100 
      Trying 10.1.1.100... 
      Press CTRL+K to abort 
      Connected to 10.1.1.100. 
      220 FTP service ready. 
      User(10.1.1.100:(none)):ftpuser 
      331 Password required for ftpuser 
      Enter password: 
      230 User logged in. 
      [ftp] get https_server.p12 
      200 Port command successful.                                                                                                         
      150 Opening data connection for https_server.p12.                                                                                        
      226 File sent ok                                                                                                                     
      FTP: 1778 byte(s) received in 0.621 second(s) 2.86Kbyte(s)/sec.                                                                      
      [ftp] get smtps_server.p12 
      200 Port command successful.                                                                                                         
      150 Opening data connection for smtps_server.p12.                                                                                        
      226 File sent ok                                                                                                                     
      FTP: 1778 byte(s) received in 0.621 second(s) 2.86Kbyte(s)/sec.                                                                      
      [ftp] bye     
    2. Import the HTTPS Server certificate, SMTPS Server certificate, and private keys into the FW with the pki import command.

      The private key is confidential, so the PKCS#12 file is encrypted with a password that was set when the key was exported from the server. Specify that password when importing; obtain it from the corresponding server administrator. The value 123456 below is an example only; use a strong export password in production.

      [FW] pki import rsa-key-pair https_server pkcs12 https_server.p12 password 123456 
       Info: Succeeded in importing the RSA key pair in PKCS12 format. 
      [FW] pki import rsa-key-pair smtps_server pkcs12 smtps_server.p12 password 123456 
       Info: Succeeded in importing the RSA key pair in PKCS12 format.
    3. Specify the imported server certificates as the internal server certificates of the SSL proxy. The file names https_server_local.cer and smtps_server_local.cer refer to the certificates imported in the previous step.
      [FW] app-proxy server certificate filename https_server_local.cer 
      [FW] app-proxy server certificate filename smtps_server_local.cer

  3. Configure a detection profile.

    [FW] profile type decryption name profile 
    [FW-profile-decryption-profile] detect type inbound 
    [FW-profile-decryption-profile] undo unsupport ssl-version block 
    [FW-profile-decryption-profile] undo unsupport ssl-cipher block 
    [FW-profile-decryption-profile] quit

    • The two undo commands cancel the default blocking of connections that use an SSL version or cipher suite the FW does not support. Such connections are not blocked, but because the FW cannot decrypt them, they are also not checked by the content security profiles. If every connection to the protected servers must be inspected, do not run these undo commands.

  4. Configure SSL-encrypted traffic detection policies.

    [FW] decryption-policy 
    [FW-policy-decryption] rule name 1 
    [FW-policy-decryption-rule-1] source-zone untrust 
    [FW-policy-decryption-rule-1] destination-zone trust 
    [FW-policy-decryption-rule-1] destination-address 10.1.1.0 24 
    [FW-policy-decryption-rule-1] service https smtps 
    [FW-policy-decryption-rule-1] action decrypt profile profile 
    [FW-policy-decryption-rule-1] quit 
    [FW-policy-decryption] quit

  5. Configure a security policy so that the system checks the content security of the decrypted SSL traffic.

    1. Create a mail content filtering profile.

      In this example, a mail content filtering profile is configured to filter the mail traffic of users who access the mail server.

      [FW] profile type mail-filter name mail_filter 
      [FW-profile-mail-filter-mail_filter] send-mail anonymity action allow 
      [FW-profile-mail-filter-mail_filter] recv-mail anonymity action allow 
      [FW-profile-mail-filter-mail_filter] send-mail attachment max-amount enable 
      [FW-profile-mail-filter-mail_filter] recv-mail attachment max-amount enable 
      [FW-profile-mail-filter-mail_filter] send-mail attachment max-size enable 
      [FW-profile-mail-filter-mail_filter] recv-mail attachment max-size enable 
      [FW-profile-mail-filter-mail_filter] send-mail sender filter-mode block 
      [FW-profile-mail-filter-mail_filter] send-mail receiver filter-mode block 
      [FW-profile-mail-filter-mail_filter] recv-mail sender filter-mode block 
      [FW-profile-mail-filter-mail_filter] recv-mail receiver filter-mode block     
    2. Configure a security policy.
      [FW] security-policy 
      [FW-policy-security] rule name policy1 
      [FW-policy-security-rule-policy1] source-zone untrust 
      [FW-policy-security-rule-policy1] destination-zone trust 
      [FW-policy-security-rule-policy1] destination-address 10.1.1.0 24 
      [FW-policy-security-rule-policy1] service https smtps 
      [FW-policy-security-rule-policy1] profile av default 
      [FW-policy-security-rule-policy1] profile ips default 
      [FW-policy-security-rule-policy1] profile mail-filter mail_filter 
      [FW-policy-security-rule-policy1] action permit 
      [FW-policy-security-rule-policy1] quit 
      [FW-policy-security] quit
    • This example provides only the security policy configuration for mail filtering on the SMTPS server. To filter mail on a POP3S or IMAPS server, add POP3S and IMAPS to the service matching conditions of the security policy, and also to the SSL-encrypted traffic detection policy, since traffic that is not decrypted cannot be filtered.
    • In this example, antivirus, IPS, and mail filtering are selected for the content security check, using the default antivirus and IPS profiles. You can configure or select other security profiles based on the actual situation.
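The following Python model is an added example and is not Huawei code or configuration. It reproduces rule 1 of the decryption policy and policy1 of the security policy from the procedure above and checks, for constructed sample flows, whether each flow is decrypted, permitted, and therefore actually content inspected. It assumes a simplified first-match model (conditions of one rule ANDed, values of one condition ORed) and that the predefined services https, smtps, pop3s and imaps map to TCP ports 443, 465, 995 and 993; the audit function flags the case the notes above warn about, a service that is permitted by the security policy but not covered by the decryption policy.

```python
"""Model of the two rule lookups an inbound SSL flow goes through on the FW.

Added example, not Huawei code. Simplified first-match model: the conditions
of one rule are ANDed, the values of one condition are ORed.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumption: the predefined service names map to these TCP ports (IANA defaults).
SERVICE_PORTS = {"https": 443, "smtps": 465, "pop3s": 995, "imaps": 993}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    source_zone: frozenset
    destination_zone: frozenset
    destination_address: tuple          # ipaddress networks
    service: frozenset                  # service names from SERVICE_PORTS
    action: str                         # "decrypt" or "permit"
    profiles: dict = field(default_factory=dict)

    def matches(self, flow: Flow) -> bool:
        ip = ipaddress.ip_address(flow.dst_ip)
        return (flow.src_zone in self.source_zone
                and flow.dst_zone in self.destination_zone
                and any(ip in net for net in self.destination_address)
                and any(SERVICE_PORTS[s] == flow.dst_port for s in self.service))


def first_match(rules, flow):
    """Rules are evaluated top-down; the first matching rule wins."""
    return next((r for r in rules if r.matches(flow)), None)


def evaluate(flow, decryption_rules, security_rules):
    d = first_match(decryption_rules, flow)
    s = first_match(security_rules, flow)
    decrypted = d is not None and d.action == "decrypt"
    permitted = s is not None and s.action == "permit"
    return {
        "decryption_rule": d.name if d else None,
        "security_rule": s.name if s else None,
        "decrypted": decrypted,
        "permitted": permitted,
        # AV/IPS/mail filtering can only inspect payload that was decrypted first.
        "content_inspected": decrypted and permitted and bool(s.profiles),
    }


def audit(flows, decryption_rules, security_rules):
    """Flag flows where the decryption policy and the security policy disagree."""
    findings = []
    for f in flows:
        r = evaluate(f, decryption_rules, security_rules)
        if r["permitted"] and not r["decrypted"]:
            findings.append((f, "permitted but not decrypted: profiles see only ciphertext"))
        elif r["decrypted"] and not r["permitted"]:
            findings.append((f, "decrypted but not permitted: decryption effort wasted"))
    return findings


def page_rules(extra_services=(), extend_decryption=True, extend_security=True):
    """Rule 1 / policy1 as configured on this page, optionally widened with extra
    services (e.g. pop3s, imaps) in one or both policies."""
    servers = (ipaddress.ip_network("10.1.1.0/24"),)
    base = frozenset({"https", "smtps"})
    extra = frozenset(extra_services)
    decryption = [Rule("1", frozenset({"untrust"}), frozenset({"trust"}), servers,
                       base | (extra if extend_decryption else frozenset()),
                       "decrypt", {"decryption": "profile"})]
    security = [Rule("policy1", frozenset({"untrust"}), frozenset({"trust"}), servers,
                     base | (extra if extend_security else frozenset()),
                     "permit", {"av": "default", "ips": "default", "mail-filter": "mail_filter"})]
    return decryption, security


# Constructed sample flows from an extranet client to intranet servers (not from the page).
SAMPLE_FLOWS = [
    Flow("untrust", "trust", "10.1.1.10", 443),   # HTTPS server
    Flow("untrust", "trust", "10.1.1.20", 465),   # SMTPS server
    Flow("untrust", "trust", "10.1.1.20", 993),   # IMAPS on the same mail server
]

if __name__ == "__main__":
    dec, sec = page_rules()
    for f in SAMPLE_FLOWS:
        print(f, evaluate(f, dec, sec))
    # Adding imaps to the security policy only leaves IMAPS permitted but undecrypted.
    dec, sec = page_rules(("imaps",), extend_decryption=False)
    for f, why in audit(SAMPLE_FLOWS, dec, sec):
        print("FINDING", f, why)
```

With the page's rules, the HTTPS and SMTPS flows are decrypted, permitted and inspected, while the IMAPS flow matches neither policy. Adding imaps only to policy1 produces one audit finding; adding it to both rules, as the note above requires, clears it.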

Verification

  1. When an extranet user accesses the intranet HTTPS server or SMTPS server, the traffic matches the SSL-encrypted traffic detection policy and is decrypted. If the decrypted traffic passes the content security check, it is forwarded; if it does not, it is blocked.
  2. On the FW, check the SSL proxy session table. If entries are generated, the SSL connection for the extranet user to access the intranet server is processed by the proxy.
    <FW> display app-proxy session table 
     Vsys: 0 2.2.2.2:3449--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1 
          down:0000  -->bytes: 314 <--bytes: 1016 
     
     Vsys: 0 2.2.2.2:3450--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1 
          down:0000  -->bytes: 124 <--bytes: 0 
     
     Vsys: 0 2.2.2.2:3448--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1 
          down:0000  -->bytes: 628 <--bytes: 1067
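To script the check in step 2, the following parser is added here as an example (it is not Huawei code). It reads the output format shown above into structured records and summarises it; the sample text is copied from the display output on this page, and the reading of the byte counters (-->bytes as client-to-server, <--bytes as server-to-client, taken from the arrow direction) is an assumption.

```python
"""Parser for the output of 'display app-proxy session table'.

Added example, not Huawei code. SAMPLE_OUTPUT is copied from this page.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
 Vsys: 0 2.2.2.2:3449--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1
      down:0000  -->bytes: 314 <--bytes: 1016

 Vsys: 0 2.2.2.2:3450--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1
      down:0000  -->bytes: 124 <--bytes: 0

 Vsys: 0 2.2.2.2:3448--->10.1.1.1:443 Left:00:00:05 Type:Inbound Age:1
      down:0000  -->bytes: 628 <--bytes: 1067
"""

# One entry spans two lines; \s+ crosses the line break between them.
ENTRY_RE = re.compile(
    r"Vsys:\s*(?P<vsys>\d+)\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+)--->"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)\s+"
    r"Left:(?P<left>\d\d:\d\d:\d\d)\s+Type:(?P<type>\w+)\s+Age:(?P<age>\d+)\s+"
    r"down:(?P<down>\d+)\s+-->bytes:\s*(?P<fwd_bytes>\d+)\s+<--bytes:\s*(?P<rev_bytes>\d+)"
)


def parse_left(hms):
    """Convert the Left column (hh:mm:ss until the entry ages out) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_session_table(text):
    sessions = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        for k in ("vsys", "src_port", "dst_port", "age", "fwd_bytes", "rev_bytes"):
            d[k] = int(d[k])
        d["left_seconds"] = parse_left(d.pop("left"))
        sessions.append(d)
    return sessions


def summarize(sessions):
    return {
        "total": len(sessions),
        "by_type": dict(Counter(s["type"] for s in sessions)),
        "by_server": dict(Counter(f"{s['dst_ip']}:{s['dst_port']}" for s in sessions)),
        # Assumption: rev_bytes == 0 means the server side has not answered yet
        # (handshake still in progress or stalled).
        "no_reply": [f"{s['src_ip']}:{s['src_port']}" for s in sessions if s["rev_bytes"] == 0],
    }


def proxied_inbound(sessions, server_ip, server_port):
    """True if at least one Inbound proxy session towards the given server
    endpoint exists, i.e. the SSL connection is being handled by the proxy."""
    return any(s["type"] == "Inbound" and s["dst_ip"] == server_ip
               and s["dst_port"] == server_port for s in sessions)


if __name__ == "__main__":
    sess = parse_session_table(SAMPLE_OUTPUT)
    print(summarize(sess))
    print("HTTPS proxied:", proxied_inbound(sess, "10.1.1.1", 443))
```

On the sample output the parser returns three Inbound sessions to 10.1.1.1:443, one of which (source port 3450) has not yet received any bytes from the server side.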

Configuration Scripts

# 
 app-proxy server certificate filename https_server_local.cer 
 app-proxy server certificate filename smtps_server_local.cer 
#                        
 firewall zone trust      
  add interface GigabitEthernet 0/0/2
#                        
 firewall zone untrust 
  add interface GigabitEthernet 0/0/1
# 
 profile type decryption name profile 
  detect type inbound 
  undo unsupport ssl-version block 
  undo unsupport ssl-cipher block 
# 
 decryption-policy 
  rule name 1 
   source-zone untrust 
   destination-zone trust 
   destination-address 10.1.1.0 24 
   service https smtps 
   action decrypt profile profile 
# 
 profile type mail-filter name mail-filter 
  rbl-filter enable 
 profile type mail-filter name mail_filter 
  send-mail anonymity action allow 
  recv-mail anonymity action allow 
  send-mail attachment max-amount enable 
  recv-mail attachment max-amount enable 
  send-mail attachment max-size enable 
  recv-mail attachment max-size enable 
  send-mail sender filter-mode block 
  send-mail receiver filter-mode block 
  recv-mail sender filter-mode block 
  recv-mail receiver filter-mode block 
# 
 security-policy 
  rule name policy1 
   source-zone untrust 
   destination-zone trust 
   destination-address 10.1.1.0 24 
   service https 
   service smtps 
   profile av default 
   profile ips default 
   profile mail-filter mail_filter 
   action permit
Copyright © Huawei Technologies Co., Ltd.