
CLI: Example for Using the SSL-encrypted Traffic Detection Function to Protect Client

You can configure SSL-encrypted traffic detection policies so that the FW decrypts SSL-encrypted traffic generated by a user to access the extranet, and configure security policies to enable the FW to check content security of decrypted traffic.

Networking Requirements

As shown in Figure 1, the FW is deployed on the network boundary as an enterprise gateway, and checks content security of traffic generated by users to access extranet HTTPS servers and SMTPS servers (mail servers).

Figure 1 Networking diagram of SSL-encrypted traffic detection for protecting a client

Configuration Roadmap

  1. Configure the SSL decryption certificate.

    The SSL decryption certificate can be imported to the FW or generated on the FW.

    • If the enterprise has a CA server that can issue CA certificates, import the CA certificate issued by the CA server to the FW.
    • If the enterprise does not have a CA server, manually generate an SSL decryption certificate on the FW.

      This section uses a manually generated SSL decryption certificate on the FW as an example.

  2. Optional: Import the CA certificate issued by a trusted certificate authority (CA) to the FW, so that the FW can verify the certificates of the HTTPS server and SMTPS server.

    Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

  3. Configure a detection profile.
  4. Configure SSL-encrypted traffic detection policies.

    Specify a detection profile in the detection policies, and set the detection type of the profile to Outbound. Based on actual requirements, configure refined policies so that the FW decrypts only the traffic that really requires a content security check. Avoid proxy policies with broad matching conditions, because decrypting and re-encrypting traffic reduces the forwarding performance of the device to a certain extent.

  5. Configure a security policy.

    After the SSL-encrypted traffic detection policy is configured, you still need to configure correct security policies and reference the content security profile to check the content security of traffic.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Set the IP address of interface GigabitEthernet 0/0/1 and add it to the Trust zone.
      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet 0/0/1] ip address 10.1.1.1 24
      [FW-GigabitEthernet 0/0/1] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/1
      [FW-zone-trust] quit
    2. Set the IP address of interface GigabitEthernet 0/0/2 and add it to the Untrust zone.
      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet 0/0/2] ip address 1.1.1.1 24
      [FW-GigabitEthernet 0/0/2] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW-zone-untrust] quit

  2. Configure the SSL decryption certificate and import the trusted certificate on the intranet PC.

    1. Create the RSA key pair for the SSL decryption certificate.
      [FW] pki rsa built-in-ca ssl-decryption-certificate create exportable
       Info: The name of the new key-pair will be: ssl-decryption-certificate
       The size of the public key ranges from 2048 to 4096.
       Input the bits in the modules:2048
       Generating key-pairs...
      ............................................+++
      ...................................................+++

    2. Create a PKI entity.
      [FW] pki entity ssl-decryption-certificate 
      [FW-pki-entity-ssl-decryption-certificate] common-name ssl-decryption-certificate 
      [FW-pki-entity-ssl-decryption-certificate] fqdn www.example.com 
      [FW-pki-entity-ssl-decryption-certificate] locality trust-Network 
      [FW-pki-entity-ssl-decryption-certificate] country CN 
      [FW-pki-entity-ssl-decryption-certificate] quit
    3. Generate the SSL decryption certificate and mark it as trusted.
      [FW] pki generate built-in-ca certificate rsa-key-pair ssl-decryption-certificate entity ssl-decryption-certificate 
       Please enter the file name for built in CA certificate <length 1-64>: ssl-decryption-certificate.cer 
       Info: Generate built in CA certificate successfully. 
      [FW] pki import-certificate built-in-ca filename ssl-decryption-certificate.cer 
       Info: Succeeded in importing the built in CA certificate.  
      [FW] app-proxy built-in-ca trust filename ssl-decryption-certificate.cer
    4. Export the trusted certificate and the corresponding key pair.
      [FW] pki export built-in-ca rsa-key-pair ssl-decryption-certificate and-certificate ssl-decryption-certificate.cer pem ssl-decryption-certificate.pem password Mypassword@123

      The password is used to protect the key file in the certificate. When you install the certificate, the system requires this password.

    5. Download the exported certificate file using FTP. Send the exported certificate file to the intranet user, and request the user to install and trust this certificate on the PC. If the certificate is not installed, normal access may be blocked.

  3. Optional: Import the CA certificate issued by a trusted organization.

    1. Download the CA certificate to the FW storage device. This example uses the FW as an FTP client.
      <FW> cd hda1:/pki/public/ 
      <FW> ftp 10.1.1.100 
      Trying 10.1.1.100... 
      Press CTRL+K to abort 
      Connected to 10.1.1.100. 
      220 FTP service ready. 
      User(10.1.1.100:(none)):ftpuser 
      331 Password required for ftpuser 
      Enter password: 
      230 User logged in. 
      [ftp] get https_server_ca.crt 
      200 Port command okay. 
      150 Opening ASCII mode data connection for https_server_ca.crt. 
      226 Transfer complete. 
      FTP: 393 byte(s) received in 8.190 second(s) .48byte(s)/sec. 
      [ftp] get smtps_server_ca.crt 
      200 Port command okay. 
      150 Opening ASCII mode data connection for smtps_server_ca.crt. 
      226 Transfer complete. 
      FTP: 393 byte(s) received in 8.190 second(s) .48byte(s)/sec.
      [ftp] bye
    2. Import the CA certificate to the device.
      <FW> system-view 
      [FW] pki import-certificate ca filename https_server_ca.crt 
      [FW] pki import-certificate ca filename smtps_server_ca.crt
    3. Specify the imported CA certificate as the server CA certificate. The FW determines whether the server certificate is trusted based on the server CA certificate.
      [FW] app-proxy ca trust filename https_server_ca.crt 
      [FW] app-proxy ca trust filename smtps_server_ca.crt

  4. Configure a detection profile.

    [FW] profile type decryption name profile 
    [FW-profile-decryption-profile] detect type outbound 
    [FW-profile-decryption-profile] undo unsupport ssl-version block 
    [FW-profile-decryption-profile] undo unsupport ssl-cipher block 
    [FW-profile-decryption-profile] ssl-cipher client-side high medium low 
    [FW-profile-decryption-profile] quit

  5. Configure SSL-encrypted traffic detection policies.

    [FW] decryption-policy
    [FW-policy-decryption] rule name 1
    [FW-policy-decryption-rule-1] source-zone trust
    [FW-policy-decryption-rule-1] destination-zone untrust
    [FW-policy-decryption-rule-1] source-address 10.1.1.0 24
    [FW-policy-decryption-rule-1] service https smtps
    [FW-policy-decryption-rule-1] action decrypt profile profile
    [FW-policy-decryption-rule-1] quit
    [FW-policy-decryption] quit

  6. Configure a security policy so that the system checks the content security of the decrypted SSL traffic.

    1. Create a mail content filtering profile.

      In this example, a mail content filtering profile needs to be configured to filter traffic of a user who accesses the mail server.

      [FW] profile type mail-filter name mail_filter 
      [FW-profile-mail-filter-mail_filter] send-mail anonymity action allow 
      [FW-profile-mail-filter-mail_filter] recv-mail anonymity action allow 
      [FW-profile-mail-filter-mail_filter] send-mail attachment max-amount enable 
      [FW-profile-mail-filter-mail_filter] recv-mail attachment max-amount enable 
      [FW-profile-mail-filter-mail_filter] send-mail attachment max-size enable 
      [FW-profile-mail-filter-mail_filter] recv-mail attachment max-size enable 
      [FW-profile-mail-filter-mail_filter] send-mail sender filter-mode block 
      [FW-profile-mail-filter-mail_filter] send-mail receiver filter-mode block 
      [FW-profile-mail-filter-mail_filter] recv-mail sender filter-mode block 
      [FW-profile-mail-filter-mail_filter] recv-mail receiver filter-mode block     
    2. Configure a security policy.
      [FW] security-policy 
      [FW-policy-security] rule name policy1 
      [FW-policy-security-rule-policy1] source-zone trust 
      [FW-policy-security-rule-policy1] destination-zone untrust 
      [FW-policy-security-rule-policy1] source-address 10.1.1.0 24 
      [FW-policy-security-rule-policy1] service https smtps 
      [FW-policy-security-rule-policy1] profile av default 
      [FW-policy-security-rule-policy1] profile ips default 
      [FW-policy-security-rule-policy1] profile mail-filter mail_filter 
      [FW-policy-security-rule-policy1] action permit 
      [FW-policy-security-rule-policy1] quit 
      [FW-policy-security] quit
    • This example provides only the security policy configuration for mail filtering on the SMTPS server. To filter mails on the POP3S or IMAPS server, you need to configure POP3S and IMAPS in the service matching items of the security policy.
    • In this example, antivirus, IPS, and mail filtering items are selected for content security check. Default security profiles of antivirus and IPS are used. You can configure or select multiple security profiles based on actual situations.
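The decryption policy in step 5 and the security policy in step 6 are both evaluated by matching a flow's zones, source address and service against rules in order. The following walk-through is an added example, not FW code, that models that first-match evaluation for the two rule sets exactly as configured above and runs a few constructed flows through it, including the POP3S case mentioned in the note. The service-to-port mapping, the first-match semantics and the default actions (pass through encrypted when no decryption rule matches, deny when no security rule matches) are assumptions of this example.

```python
"""First-match evaluation of the page's decryption policy and security policy.

Added example, not FW code. Port mapping, first-match order and default
actions are assumptions, marked where used.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed well-known TCP ports behind the service names used on this page.
SERVICE_PORTS: Dict[str, int] = {"https": 443, "smtps": 465, "pop3s": 995, "imaps": 993}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # decrypt / no-decrypt, or permit / deny
    src_zone: Optional[str] = None           # None means "any"
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None            # CIDR such as "10.1.1.0/24"; None means "any"
    services: FrozenSet[str] = frozenset()   # empty set means "any"

    def matches(self, flow: Flow) -> bool:
        if self.src_zone is not None and flow.src_zone != self.src_zone:
            return False
        if self.dst_zone is not None and flow.dst_zone != self.dst_zone:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.services and flow.dst_port not in {SERVICE_PORTS[s] for s in self.services}:
            return False
        return True


def first_match(rules: List[Rule], flow: Flow, default_action: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default_action


# The two rule sets as configured in the procedure above.
DECRYPTION_RULES = [
    Rule("1", "decrypt", "trust", "untrust", "10.1.1.0/24", frozenset({"https", "smtps"})),
]
SECURITY_RULES = [
    Rule("policy1", "permit", "trust", "untrust", "10.1.1.0/24", frozenset({"https", "smtps"})),
]


def evaluate(flow: Flow) -> Dict[str, object]:
    # Assumed defaults: unmatched traffic stays encrypted (no proxy), and
    # traffic no security rule permits is denied.
    dec_rule, dec_action = first_match(DECRYPTION_RULES, flow, "no-decrypt")
    sec_rule, sec_action = first_match(SECURITY_RULES, flow, "deny")
    return {
        "decryption_rule": dec_rule,
        "decrypt": dec_action == "decrypt",
        "security_rule": sec_rule,
        "security_action": sec_action,
    }


if __name__ == "__main__":
    # Constructed flows: an intranet PC reaching HTTPS, SMTPS and POP3S servers,
    # plus a host outside the 10.1.1.0/24 scope of both rules.
    samples = {
        "PC -> HTTPS": Flow("trust", "untrust", "10.1.1.20", 443),
        "PC -> SMTPS": Flow("trust", "untrust", "10.1.1.20", 465),
        "PC -> POP3S": Flow("trust", "untrust", "10.1.1.20", 995),
        "other subnet -> HTTPS": Flow("trust", "untrust", "10.1.2.5", 443),
    }
    for label, flow in samples.items():
        print(f"{label:24} {evaluate(flow)}")
```

Running it shows why the note above matters: the POP3S flow is neither decrypted nor permitted until `pop3s` is added to both rule sets, and a flow from outside 10.1.1.0/24 falls through to the defaults. Narrowing `src_net` and `services` in this way is also what keeps the decryption policy from proxying traffic that needs no inspection.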

Verification

  1. When an intranet user accesses the extranet HTTPS server or SMTPS server, the traffic matches the SSL-encrypted traffic detection policy. If the decrypted traffic passes the content security check, the traffic is released. If the decrypted traffic does not pass the content security check, the traffic is blocked.
  2. On the FW, view the SSL proxy session table. The SSL connection used by the intranet user to access the extranet server is processed by the proxy.
    <FW> display app-proxy session table
     Vsys: 0 10.1.1.1:3449--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 314 <--bytes: 1016

     Vsys: 0 10.1.1.1:3450--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 124 <--bytes: 0

     Vsys: 0 10.1.1.1:3448--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 628 <--bytes: 1067
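Reading the session table by eye works for three entries; for a busy gateway an operator will want to parse it. The script below is an added example, not FW code: it parses the `display app-proxy session table` output into records, aggregates byte counters per destination, and lists sessions that have sent data to the server but received nothing back, which is worth a look after the certificate rollout (a client that does not trust the decryption certificate will abort the handshake). The regular expressions are derived only from the three entries shown on this page, and the sample text is constructed from them.

```python
"""Parser and summary for `display app-proxy session table` output.

Added example, not FW code. The patterns are derived from the three session
entries shown on this page; SAMPLE_OUTPUT is constructed from them.
"""
import re
from typing import Dict, List

HEADER_RE = re.compile(
    r"Vsys:\s*(?P<vsys>\d+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)--->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"Left:(?P<left>[\d:]+)\s+Type:(?P<type>\w+)\s+Age:(?P<age>\d+)"
)
BYTES_RE = re.compile(
    r"down:(?P<down>\d+)\s+-->bytes:\s*(?P<to_server>\d+)\s+<--bytes:\s*(?P<from_server>\d+)"
)

# Constructed sample, copied from the verification output above.
SAMPLE_OUTPUT = """\
 Vsys: 0 10.1.1.1:3449--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
      down:0000  -->bytes: 314 <--bytes: 1016

 Vsys: 0 10.1.1.1:3450--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
   down:0000  -->bytes: 124 <--bytes: 0

 Vsys: 0 10.1.1.1:3448--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
      down:0000  -->bytes: 628 <--bytes: 1067
"""


def parse_session_table(text: str) -> List[Dict[str, object]]:
    """Turn the two-line session entries into a list of dicts."""
    sessions: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            d = m.groupdict()
            sessions.append({
                "vsys": int(d["vsys"]),
                "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
                "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"]),
                "left": d["left"], "type": d["type"], "age": int(d["age"]),
                "to_server": 0, "from_server": 0,
            })
            continue
        m = BYTES_RE.search(line)
        if m and sessions:
            # The byte counters belong to the most recently parsed header line.
            sessions[-1]["to_server"] = int(m.group("to_server"))
            sessions[-1]["from_server"] = int(m.group("from_server"))
    return sessions


def summarize(sessions: List[Dict[str, object]]) -> Dict[str, object]:
    """Aggregate counters and flag sessions the server has not answered.

    Client bytes with zero server bytes is only a hint (the session may simply
    be young, as Age:1 suggests), so such sessions are reported, not acted on.
    """
    by_dest: Dict[str, int] = {}
    silent = []
    for s in sessions:
        key = f'{s["dst_ip"]}:{s["dst_port"]}'
        by_dest[key] = by_dest.get(key, 0) + 1
        if s["to_server"] > 0 and s["from_server"] == 0:
            silent.append((s["src_ip"], s["src_port"]))
    return {
        "sessions": len(sessions),
        "outbound": sum(1 for s in sessions if s["type"] == "Outbound"),
        "bytes_to_server": sum(s["to_server"] for s in sessions),
        "bytes_from_server": sum(s["from_server"] for s in sessions),
        "by_destination": by_dest,
        "no_server_response": silent,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_session_table(SAMPLE_OUTPUT)).items():
        print(f"{k:20} {v}")
```

On the page's own output the summary reports three outbound sessions to 2.2.2.2:443 and singles out the session from port 3450, which has sent 124 bytes and received none.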

Configuration Scripts

#
 pki rsa built-in-ca ssl-decryption-certificate create exportable
 pki entity ssl-decryption-certificate
  common-name ssl-decryption-certificate
  fqdn www.example.com
  locality trust-Network
  country CN
#
 pki generate built-in-ca certificate rsa-key-pair ssl-decryption-certificate entity ssl-decryption-certificate
 pki import-certificate built-in-ca filename ssl-decryption-certificate.cer
 app-proxy built-in-ca trust filename ssl-decryption-certificate.cer
#
 pki export built-in-ca rsa-key-pair ssl-decryption-certificate and-certificate ssl-decryption-certificate.cer pem ssl-decryption-certificate.pem password Mypassword@123
#
 app-proxy ca trust filename https_server_ca.crt
 app-proxy ca trust filename smtps_server_ca.crt
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 add interface GigabitEthernet 0/0/2
#
 profile type decryption name profile
  detect type outbound
  undo unsupport ssl-version block
  undo unsupport ssl-cipher block
  ssl-cipher client-side high medium low
#
 decryption-policy
  rule name 1
   source-zone trust
   destination-zone untrust
   source-address 10.1.1.0 24
   service https smtps
   action decrypt profile profile
#
 profile type mail-filter name mail_filter
  send-mail anonymity action allow
  recv-mail anonymity action allow
  send-mail attachment max-amount enable
  recv-mail attachment max-amount enable
  send-mail attachment max-size enable
  recv-mail attachment max-size enable
  send-mail sender filter-mode block
  send-mail receiver filter-mode block
  recv-mail sender filter-mode block
  recv-mail receiver filter-mode block
#
 security-policy
  rule name policy1
   source-zone trust
   destination-zone untrust
   source-address 10.1.1.0 24
   service https
   service smtps
   profile av default
   profile ips default
   profile mail-filter mail_filter
   action permit
Copyright © Huawei Technologies Co., Ltd.