SSL Detection Process
This section describes the SSL-encrypted traffic detection process, so that you can understand, configure and troubleshoot the SSL-encrypted traffic detection function.
SSL-encrypted traffic detection decrypts SSL-encrypted traffic and performs content security checks on the decrypted traffic. In this process, SSL-encrypted traffic detection works together with security policies and content security check policies: the security policy decides whether a packet may pass, the SSL-encrypted traffic detection policy decides whether it is decrypted, and the content security check inspects the plaintext. Knowing the overall process makes later configuration and troubleshooting easier. Figure 1 shows the SSL-encrypted traffic detection process.
Figure 1 SSL-encrypted traffic detection process
- After receiving a packet, the FW checks the packet against the security policy. If the packet passes the check, the FW continues processing it. If the packet fails the check, the FW discards it. At this stage the packet is still encrypted, so only conditions that do not depend on the plaintext (such as source and destination addresses) can be evaluated; conditions such as URL category are evaluated again after decryption, as described below.
- The FW identifies the packet based on the IP address and port. A packet sent to a well-known SSL port is treated as an SSL-encrypted packet and handed to the SSL-encrypted traffic detection module for further processing. A packet sent to a port that is not a well-known SSL port is handed to the IAE module, which identifies the protocol from the packet content. If the IAE module identifies the packet as SSL-encrypted, it sends the packet to the SSL-encrypted traffic detection module. Otherwise, the FW processes the packet according to the normal process.
- The FW checks whether the SSL-encrypted packet matches an SSL-encrypted traffic detection policy. If it matches a policy, the FW applies the action of that policy, as described in the next step. If no SSL-encrypted traffic detection policy is matched, the FW processes the packet according to the normal process, that is, without decrypting it.
- The actions taken on a packet that matches an SSL-encrypted traffic detection policy are:
  - Block: The FW discards the packet.
  - Decrypt: The FW decrypts the packet, subject to the decryption profile referenced by the policy.
    - If the action in the decryption profile referenced by the SSL-encrypted traffic detection policy is block, the FW discards the packet. If the action in the decryption profile is permit, the FW decrypts the packet.
    - Before decryption the FW cannot see the requested URL, so security policy rules that match on URL category cannot be evaluated. The FW therefore checks the decrypted packet against the security policy a second time to determine whether it is permitted. If it is, the FW performs the content security check on the decrypted packet. If the content security check result is block, the FW discards the packet. If the result is permit or alarm, the FW forwards the packet (an alarm is recorded but does not stop the traffic).
  - No decrypt: The FW forwards or discards the packet according to the action specified in the decryption-exempted profile referenced by the SSL-encrypted traffic detection policy, without decrypting the packet. Traffic handled this way is never seen by the content security check.
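The decision flow above, modelled as runnable code. This is an added example written for this page, not Huawei code and not the FW's implementation: the policy fields, the set of well-known SSL ports, the TLS-record heuristic that stands in for IAE identification, and the simulated decryption and content-check results are all assumptions made for illustration. The value of tracing it is to see which stage ends a packet's processing, for example that a packet to a gambling site on a non-standard port is only stopped by the second security policy check, after decryption.

```python
"""Model of the SSL-encrypted traffic detection flow described in this section.

Added example, not Huawei code. Policy fields, WELL_KNOWN_SSL_PORTS, the TLS
heuristic standing in for IAE identification, and the simulated decryption and
content-check results are assumptions, constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Assumption: ports the FW treats as well-known SSL ports without consulting IAE.
WELL_KNOWN_SSL_PORTS = {443, 465, 993, 995}


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    url_category: Optional[str] = None   # only knowable after decryption


@dataclass
class SecurityPolicy:
    blocked_ips: set
    blocked_url_categories: set

    def check(self, pkt: Packet) -> str:
        """IP conditions work on ciphertext; URL category only matches once set."""
        if pkt.dst_ip in self.blocked_ips:
            return "block"
        if pkt.url_category in self.blocked_url_categories:
            return "block"
        return "permit"


@dataclass
class SSLDetectionPolicy:
    dst_ips: set
    action: str                       # "block", "decrypt" or "no-decrypt"
    profile_action: str = "permit"    # action of the decryption / decryption-exempted profile


def looks_like_tls(payload: bytes) -> bool:
    """Stand-in for IAE content identification on non-well-known ports (assumption):
    a TLS record of type handshake (0x16), version 0x03xx, carrying a ClientHello (0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


# Constructed stand-in for decryption: real decryption needs the FW's proxy
# certificate; here the "plaintext" and URL category are simply looked up per server.
SIMULATED_PLAINTEXT = {
    "203.0.113.10": (b"GET /index.html HTTP/1.1\r\n", "news"),
    "203.0.113.20": (b"GET /bet HTTP/1.1\r\n", "gambling"),
    "203.0.113.30": (b"GET /x HTTP/1.1\r\nEICAR-TEST", "software"),
    "203.0.113.40": (b"GET /macro.doc HTTP/1.1\r\nSUSPICIOUS", "business"),
}


def simulated_decrypt(pkt: Packet) -> Packet:
    plaintext, category = SIMULATED_PLAINTEXT.get(pkt.dst_ip, (b"", None))
    return replace(pkt, payload=plaintext, url_category=category)


def content_security_check(pkt: Packet) -> str:
    """Constructed content check: block on a known-bad marker, alarm on a suspicious one."""
    if b"EICAR" in pkt.payload:
        return "block"
    if b"SUSPICIOUS" in pkt.payload:
        return "alarm"
    return "permit"


def process_packet(pkt, sec_policy, ssl_policies,
                   decrypt=simulated_decrypt, content_check=content_security_check):
    """Return (final action, trace of stages), following the steps of Figure 1."""
    trace = []
    # Step 1: security policy on the still-encrypted packet.
    if sec_policy.check(pkt) == "block":
        return "discard", trace + ["security policy: block"]
    trace.append("security policy: permit")

    # Step 2: identify SSL by port, otherwise hand the packet to IAE.
    if pkt.dst_port in WELL_KNOWN_SSL_PORTS:
        trace.append("well-known SSL port")
    elif looks_like_tls(pkt.payload):
        trace.append("IAE: identified as SSL")
    else:
        return "forward", trace + ["IAE: not SSL, normal process"]

    # Step 3: SSL-encrypted traffic detection policy lookup (first match wins).
    policy = next((p for p in ssl_policies if pkt.dst_ip in p.dst_ips), None)
    if policy is None:
        return "forward", trace + ["no SSL detection policy matched, normal process"]

    # Step 4: apply the policy action and the referenced profile.
    if policy.action == "block":
        return "discard", trace + ["SSL policy: block"]
    if policy.action == "no-decrypt":
        verdict = "forward" if policy.profile_action == "permit" else "discard"
        return verdict, trace + [f"no decrypt, exempted profile: {policy.profile_action}"]
    if policy.profile_action == "block":
        return "discard", trace + ["decryption profile: block"]

    # Step 5: decrypt, re-run the security policy (URL category now visible),
    # then run the content security check on the plaintext.
    plain = decrypt(pkt)
    trace.append(f"decrypted, url_category={plain.url_category}")
    if sec_policy.check(plain) == "block":
        return "discard", trace + ["security policy (post-decryption): block"]
    result = content_check(plain)
    trace.append(f"content security: {result}")
    return ("discard" if result == "block" else "forward"), trace


if __name__ == "__main__":
    sec = SecurityPolicy(blocked_ips={"198.51.100.1"}, blocked_url_categories={"gambling"})
    policies = [SSLDetectionPolicy({"203.0.113.10", "203.0.113.20", "203.0.113.30",
                                    "203.0.113.40"}, "decrypt"),
                SSLDetectionPolicy({"203.0.113.50"}, "no-decrypt", "permit")]
    hello = bytes.fromhex("160301000501000001")   # constructed TLS ClientHello record prefix
    for p in (Packet("203.0.113.20", 8443, hello), Packet("203.0.113.50", 443, hello)):
        print(p.dst_ip, p.dst_port, process_packet(p, sec, policies))
```

Because `process_packet` returns the trace of stages, the same function doubles as a troubleshooting aid: when a flow is unexpectedly forwarded, the last trace entry tells you whether it never matched an SSL detection policy, was exempted by a no-decrypt rule, or was decrypted and then permitted by the content check.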