
SSL-Encrypted Traffic Detection Policy

This section describes basic concepts and functions of the SSL-encrypted traffic detection policy.

Matching Rule

The detection policy determines whether to decrypt, not decrypt, or block encrypted packets that match the detection policy. After receiving an SSL-encrypted packet, the FW checks the packet based on the security policy and discards the packet if the check result is block. After an SSL-encrypted traffic detection policy is configured for SSL-encrypted packets that pass the security check, the detection policy determines how the FW processes the encrypted packets.

The following table describes matching rules of the SSL-encrypted traffic detection policy. The packets matching these rules are allowed to pass or are blocked based on the action configured in the decryption profile. You can choose Policy > Encrypted Traffic Detection > Detection Policy on the web UI to view the information.

Each policy rule is listed below, followed by its description.

Source Address/Zone and Destination Address/Zone

Source Address/Zone refers to the security zone or IP address from which traffic is generated, while Destination Address/Zone refers to the security zone or IP address to which traffic is destined. For example, to decrypt all packets from an external host to an internal host, you can select the external zone as the source security zone and the internal zone as the destination security zone.

NOTE:
  • IP addresses or address groups cannot include IPv6 addresses or MAC addresses.
  • You can specify source addresses or address groups to be excluded from the policy (namely, these addresses or address groups are not subject to the policy). Excluded source addresses or address groups are usually used to exclude specific addresses from a wide network segment.

To exclude an address, select the corresponding address or address group, click Invert, and then click OK.

User

A user identifies who originates the traffic. The parameter value can be a user or a user group.

You can set different detection policy rules for different users or user groups. Generally, it is more convenient to select a user group than a single user. For example, you can create a detection policy to decrypt packets sent from a user group on the intranet, and then create an independent detection policy rule to not decrypt packets received by the user group. If a new intranet user has the same requirement, you only need to add the user to the user group.

After user group parameters are configured, the detection policy of the user group is applied to all members in the user group. If a user in the user group has special requirements, you need to create an independent detection policy for the user and set the priority of the independent policy to be higher than that of the user group-based detection policy.

Service

This rule indicates the protocol type of the traffic.

During SSL-encrypted traffic detection, the FW supports only the HTTPS, POP3S, IMAPS, and SMTPS protocols.

NOTE:

You can specify services or service groups to be excluded from the policy (namely, these services or service groups are not subject to the policy).

URL Categories

Select or create a URL category.

URL categories are either predefined or user-defined. The administrator can use the system-provided predefined categories or create user-defined categories. URL categories make many requirements easy to implement. For example:

  • Decrypt traffic from some websites based on URL categories.
  • Block traffic from all game websites or some high-risk social networking websites.
  • Do not decrypt traffic from websites of a certain type. For example, for traffic carrying sensitive private data (such as financial data) that must be exempted from SSL decryption, you can configure the FW not to decrypt traffic matching the URL category and the decryption-exempted profile, without configuring a detection policy for each website.

The FW first matches the URL category against the SNI field of the Client Hello packet sent by the client. If the SNI is found to be inconsistent with the certificate's SAN/CN during verification, the FW matches the URL category against the SAN/CN field for the rest of the session.
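A worked illustration of the SNI-first, SAN/CN-fallback matching described above. This is an added example, not code from the product or this documentation: it builds a constructed Client Hello, extracts the SNI, and chooses which name is used to look up the URL category. The host names, the category table, and the exact-string name comparison (no wildcard SAN handling) are assumptions.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello that carries only an SNI extension.
def build_client_hello(server_name: str) -> bytes:
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                             # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                           # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                    # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs              # TLS handshake record

def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 35 + body[34]                                               # skip version, random, session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]              # skip cipher suites
        pos += 1 + body[pos]                                              # skip compression methods
        if pos >= len(body):
            return None                                                   # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:            # server_name extension, host_name entry
                return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def url_category(client_hello: bytes, cert_names, categories: dict) -> str:
    """Match the category on the SNI first; if the SNI is not among the SAN/CN names, use SAN/CN instead."""
    sni = extract_sni(client_hello)
    names = sorted(n.lower() for n in cert_names)
    keys = [sni.lower()] if sni and sni.lower() in names else names
    for host in keys:
        if host in categories:
            return categories[host]
    return "uncategorized"
```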

Matching Action

The SSL-encrypted traffic detection policy provides the following traffic processing modes:

  • Decrypt: Decrypt SSL-encrypted traffic that matches the detection policy and specify the detection profile for this action. In server protection and client protection scenarios, select the Decrypt action.
  • Do not decrypt: Do not decrypt SSL-encrypted traffic that matches the detection policy, and specify the detection profile for this action. In addition, the action in the detection profile can only be No decrypt. In SSL decryption-exempted scenarios, select the No decrypt action.
  • Block: Discard SSL-encrypted traffic. No detection profile is specified for this action.

Matching Sequence

You can configure the priorities for multiple SSL-encrypted traffic detection policies, and rules for matching the detection policies are as follows:

  • If multiple SSL-encrypted traffic detection policies are configured, traffic is processed based on priorities of detection policies. If the traffic matches an SSL-encrypted traffic detection policy, the remaining policies are ignored. Therefore, you must configure the policies from the most specific to the least specific. By default, the detection policy that is configured first has a higher priority. You can run the rule move command to manually adjust the priority of a detection policy.
  • By default, an SSL-encrypted traffic detection policy exists in the system. If traffic between different security zones does not match the specified SSL-encrypted traffic detection policy, the traffic matches the default policy. (All conditions are any and all default actions are permit.)
  • A policy has multiple matching rules, such as security zone, user, and service. All rules in a policy apply together: a packet matches the policy only if it meets every rule.
  • If multiple values are configured for a matching rule, the values are in an "OR" relationship. When a packet matches any value, the packet is considered to match the rule.
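The matching sequence above (priority order with first match wins, all rules of a policy ANDed, multiple values in a rule ORed, excluded source addresses, and the catch-all default policy) as an added example that is not code from the product or this documentation. The policy names, zones, addresses and the move_before helper are assumptions; move_before only mimics the effect of the rule move command on priority order.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})          # the wildcard used by the default policy

@dataclass
class DetectionPolicy:
    name: str
    action: str                                   # "decrypt", "no-decrypt", "block" (or "permit" for the default)
    src_zone: frozenset = ANY
    dst_zone: frozenset = ANY
    users: frozenset = ANY
    services: frozenset = ANY
    categories: frozenset = ANY
    excluded_src: frozenset = frozenset()         # source addresses exempted from this policy (Invert)

def rule_matches(values, actual: str) -> bool:
    """Several values in one rule are ORed: the packet matches the rule if it matches any of them."""
    return "any" in values or actual in values

def policy_matches(p: DetectionPolicy, pkt: dict) -> bool:
    """All rules of one policy are ANDed; an excluded source address never matches the policy."""
    if pkt["src_ip"] in p.excluded_src:
        return False
    checks = [(p.src_zone, pkt["src_zone"]), (p.dst_zone, pkt["dst_zone"]), (p.users, pkt["user"]),
              (p.services, pkt["service"]), (p.categories, pkt["url_category"])]
    return all(rule_matches(values, actual) for values, actual in checks)

DEFAULT_POLICY = DetectionPolicy("default", "permit")   # all conditions any, action permit

def decide(policies, pkt: dict):
    """First match in priority order wins; unmatched traffic falls through to the default policy."""
    for p in policies:                            # list order is priority order
        if policy_matches(p, pkt):
            return p.name, p.action
    return DEFAULT_POLICY.name, DEFAULT_POLICY.action

def move_before(policies, name: str, target: str):
    """Assumed reorder helper modelled on rule move: place policy `name` ahead of policy `target`."""
    moved = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == target)
    return rest[:idx] + [moved] + rest[idx:]

POLICIES = [  # constructed sample, ordered from most specific to least specific
    DetectionPolicy("exempt_finance", "no-decrypt", categories={"finance"}),
    DetectionPolicy("block_games", "block", categories={"games"}),
    DetectionPolicy("decrypt_outbound", "decrypt", src_zone={"trust"}, dst_zone={"untrust"},
                    services={"HTTPS", "POP3S", "IMAPS", "SMTPS"}, excluded_src={"10.1.1.50"}),
]
```

Moving decrypt_outbound ahead of exempt_finance makes finance traffic from the trust zone decrypted, which is why the policies must be ordered from most to least specific.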

The SSL-encrypted traffic detection function requires a large number of encryption and decryption operations on traffic. If SSL decryption is performed on all SSL-encrypted traffic, the forwarding performance of the device is affected. Therefore, you need to configure the SSL-encrypted traffic detection policy based on actual requirements and decrypt only the SSL-encrypted traffic that meets certain conditions.

Copyright © Huawei Technologies Co., Ltd.