< Home

Web: Example for SSL Decryption-exempted

You can configure the SSL-encrypted traffic detection policies to exempt the decryption of SSL-encrypted traffic between a user and a server, so that the FW performs only simple control and management on the SSL connection between a client and a server.

Networking Requirements

In Figure 1, the FW is deployed at the network border as an enterprise gateway and checks content security of traffic generated when intranet users access extranet HTTPS server and SMTPS server (mail server). It does not perform SSL decryption on intranet users' access to the sensitive information website www.example.com, and only performs simple certificate consistency check on SSL connections.

Figure 1 Networking diagram for SSL decryption-exempted

Configuration Roadmap

In this scenario, SSL decryption is performed only for some traffic. Therefore, two SSL-encrypted traffic detection policies and two detection profiles need to be configured. If multiple detection policies are configured, the FW matches traffic against the detection policies based on the policy priorities. In non-decryption scenarios, the destination address is specified, so the detection policy and detection profile for non-decryption have higher priorities and need to be configured first.

If SSL decryption is not performed on intranet users' access to the sensitive information website , the configuration roadmap is as follows:

  1. Optional: Import the CA certificate issued by the trusted certificate issue organization on the FW, so that the FW can verify validity of the certificate.

    Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

  1. Configure a detection profile.

    If SSL-encrypted traffic accessing www.example.com does not need to be decrypted, the FW determines whether the SSL connection between the client and the server can be established based on the server certificate verification result and result of matching between SNI and SAN/CN. This example assumes that it is allowed to establish an SSL connection between the server and client.

  2. Configure an SSL-encrypted traffic detection policy to ensure that the SSL-encrypted traffic accessing www.example.com is not decrypted.

If SSL decryption and content security check need to be performed for the traffic generated when intranet users access extranet HTTPS server and SMTPS server (mail server), the configuration roadmap is as follows:

  1. Configure the SSL decryption certificate.

    The SSL decryption certificate can be imported to the FW or generated on the FW.

    • If the enterprise has a CA server that can issue CA certificates, import the CA certificate issued by the CA server to the FW.If the enterprise does not have a CA server, manually generate an SSL decryption certificate on the FW.

      This section uses a manually generated SSL decryption certificate on the FW as an example.

  2. Optional: Import the CA certificate issued by the trusted certificate issue organization on the FW, so that the FW can verify certificates of the HTTPS server and SMTPS server.
  3. Configure a detection profile.
  4. Configure SSL-encrypted traffic detection policies.

    Specify a detection profile in the detection policies, and set the file type of the detection profile to Outbound. According to actual requirements, you can configure refined policies, so that the FW decrypts only traffic that really requires content security check. You must avoid proxy policies with wide configuration conditions, because traffic encryption or decryption affects the forwarding performance of the device to a certain extent.

  5. Configure a security policy to enable the system checks the content security of decrypted SSL traffic.

    After the SSL-encrypted traffic detection policy is configured, you still need to configure correct security policies and reference the content security profile to check the content security of traffic.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Choose Network > Interface.
    2. Click of GigabitEthernet 0/0/1 and set the parameters as follows:

      Zone:

      trust

      IPv4

      IP Address

      10.1.1.1/24
    3. Click OK.
    4. Repeat the preceding steps to configure interface GigabitEthernet 0/0/2.

      Zone

      untrust

      IPv4

      IP Address

      1.1.1.1/24

  2. Configure the SSL decryption certificate and import the trusted certificate on the intranet PC.

    1. Choose Object > Certificates > SSL Decryption Certificate.

    2. Click Add to configure a trusted SSL decryption certificate.

    3. Click OK.
    4. Click in the line where the trusted certificate is located to download the SSL decryption certificate to the local PC.

      The password is used to protect the key file in the certificate. When you install the certificate, the system requires this password.

    5. Send the exported certificate file to the intranet users, and ask the users to install and trust this certificate on their PCs. If the certificate is not installed, normal access may be blocked.

  3. Import the CA certificate issued by a trusted organization.

    1. Choose Object > Certificates > CA Certificates.

    2. Click Upload to import the CA certificate of the HTTP server.

    3. Click OK.
    4. Repeat the preceding steps to import the CA certificate of the SMTPS server.
    5. Repeat the preceding steps to import the CA certificate of the www.example.com server.

  4. Specify the imported CA certificate as the server CA certificate. The FW determines whether the server certificate is trusted based on the server CA certificate.

    1. Choose Object > Certificates > SSL Decryption Certificate, and select the Server CA Certificate tab.

    2. Click Add and select the imported CA certificate.
    3. Click OK.

  5. Configure the detection profile and detection policy for SSL-encrypted traffic that accesses www.example.com and does not need to be decrypted.

    1. Create a detection profile.
      1. Choose Policy > Encrypted Traffic Detection > Detection Profile.

      2. Click Add, and configure detection profile parameters, as shown in the following figure.

      3. Click OK.
    2. Create an SSL-encrypted traffic detection policy.
      1. Choose Policy > Encrypted Traffic Detection > Detection Policy.

      2. Click Add, and set the SSL-encrypted traffic detection policy to reference the new detection profile.

      3. Click OK.

  6. Configure the detection profile and detection policy for SSL-encrypted traffic that accesses the HTTPS server and SMTPS server and needs to be decrypted.

    1. Create a detection profile.
      1. Choose Policy > Encrypted Traffic Detection > Detection Profile.

      2. Click Add, and configure detection profile parameters, as shown in the following figure.

      3. Click OK.
    2. Configure an SSL-encrypted traffic detection policy.
      1. Choose Policy > Encrypted Traffic Detection > Detection Policy.

      2. Click Add, and set the SSL-encrypted traffic detection policy to reference the new detection profile.

      3. Click OK.

  7. Configure a security policy to enable the system to check the content security of decrypted SSL traffic.

    1. Create a mail content filtering profile.

      In this example, a mail content filtering profile needs to be configured to filter traffic of a user who accesses the mail server.

      1. Choose Object > Security Profiles > Mail Filtering.

      2. Select the Mail Content Filtering tab.
      3. Click Add to create a mail content filtering profile.

      4. Click OK.
    2. Configure a security policy.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add Security Policy and configure the security policy.

        In this example, antivirus, IPS, and mail filtering items are selected for content security check. Default security profiles of antivirus and IPS are used. You can configure or select multiple security profiles based on actual situations.

      3. Click OK.

Verification

The SSL-encrypted traffic detection policy is matched when intranet users access extranet HTTPS server and SMTPS server. If the decrypted traffic passes the content security check, the access is allowed. If the decrypted traffic does not pass the content security check, the access is blocked. Intranet users can properly access www.example.com.

Configuration Scripts

#  
 pki rsa built-in-ca ssl-server-ca create exportable 
 pki entity ssl-server-ca 
  common-name ssl-server-ca 
  locality trust-Network 
  country CN 
# 
 pki generate built-in-ca certificate rsa-key-pair ssl-decryption-certificate entity ssl-decryption-certificate 
 pki import-certificate built-in-ca filename ssl-decryption-certificate.cer 
 app-proxy built-in-ca trust filename ssl-decryption-certificate.cer 
# 
 pki export built-in-ca rsa-key-pair ssl-server-ca and-certificate ssl-server-ca.cer pem ssl-server-ca.pem password Mypassword@123 
# 
 pki import-certificate ca der filename https_server_ca.crt 
 pki import-certificate ca der filename smtps_server_ca.crt 
 pki import-certificate ca der filename example_server_ca.crt 
# 
 app-proxy ca trust filename https_server_ca.crt 
 app-proxy ca trust filename smtps_server_ca.crt 
 app-proxy ca trust filename example_server_ca.crt 
#                             
interface GigabitEthernet 0/0/1        
 undo shutdown 
 ip address 10.1.1.1 255.255.255.0 
#                             
interface GigabitEthernet 0/0/2        
 undo shutdown 
 ip address 1.1.1.1 255.255.255.0 
#     
firewall zone trust 
 add interface GigabitEthernet 0/0/1 
# 
firewall zone untrust      
 add interface GigabitEthernet 0/0/2 
#                        
 profile type mail-filter name mail-filter 
  undo rbl-filter enable 
  send-mail anonymity action allow 
  recv-mail anonymity action allow 
  send-mail attachment max-amount enable 
  send-mail attachment max-amount 10 action alert 
  recv-mail attachment max-amount enable 
  recv-mail attachment max-amount 10 action alert 
  send-mail attachment max-size enable 
  send-mail attachment max-size 20480 action alert 
  recv-mail attachment max-size enable 
  recv-mail attachment max-size 20480 action alert 
  send-mail sender filter-mode block 
  send-mail receiver filter-mode block 
  recv-mail sender filter-mode block 
  recv-mail receiver filter-mode block 

# 
 decryption-policy 
  rule name decrption_policy 
   source-zone trust 
   destination-zone untrust 
   source-address 10.1.1.0 24 
   service https smtps 
   action decrypt profile profile 
  rule name decrption_policy1 
   source-zone trust 
   destination-zone untrust 
   source-address 10.1.1.0 24 
   service https 
   action no-decrypt profile profile1 
# 
 profile type decryption name profile 
  detect type outbound 
  undo unsupport ssl-version block 
  undo unsupport ssl-cipher block 
# 
 profile type decryption name profile1 
  detect type no-decrypt 
  undo untrust-certificate block 
  undo sni-cn-mismatch block 
# 
 security-policy 
  rule name security_policy 
   source-zone trust 
   destination-zone untrust 
   source-address 10.1.1.0 24 
   service https 
   service smtps 
   profile av default 
   profile ips default 
   profile mail-filter mail_filter 
   action permit
Parent Topic: SSL Decryption-exempted
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >