
Configuring SSL Decryption-exempted

This section describes how to configure SSL decryption-exempted.

The configuration operations vary depending on different SSL decryption-exempted scenarios.

Decryption-exempted traffic is not inspected, so the security level of this scenario is lower. Therefore, do not exempt all traffic from decryption. Configure decryption exemption only for specific traffic, selected by detection policy matching conditions such as the source IP address and URL category.

Configuring SSL Decryption-exempted Using the Web UI

  1. Configure a server CA certificate.

    By default, more than 100 common trusted CA certificates are preset on the FW and can verify most server certificates. Generally, the default CA certificates are sufficient and no other CA certificate needs to be imported. If a preset CA certificate fails to verify the peer server certificate, import the corresponding CA certificate from the external system.

    1. Import the server CA certificate.

      Choose Object > Certificates > CA Certificates. Click Upload to import the CA certificate to the device.

    2. Specify the CA certificate as the server CA certificate.

      1. Choose Object > Certificates > SSL Decryption Certificate, and click the Server CA Certificate tab.
      2. Click Add, and move the imported CA certificate from Available to Selected.
  2. Configure a detection profile.

    Choose Policy > Encrypted Traffic Detection > Detection Profile, click Add, and set Type to No decrypt. Set the action for Untrusted Certificate and for SNI and SAN/CN Not Matched to Allow or Block.

  3. Configure a detection policy.

    Choose Policy > Encrypted Traffic Detection > Detection Policy, configure matching rules, set the action to No decrypt, and select the configured detection profile.

Configuring SSL Decryption-exempted Using the CLI

  1. Configure a server CA certificate.
    1. Upload a CA certificate.

      For details about how to upload certificate files on the FW, see Configuring the FW as an FTP Server.

      The uploaded certificate and private key must be saved in the required directory. The certificate and private key of the root system are stored in the hda1:/pki/public/ directory, and those of a virtual system are stored in the hda1:/pki/vsys/ directory (vsys is the virtual system name). If a certificate or private key that is not saved in the required directory is imported into device memory, the system displays a message indicating that the certificate does not exist.

    2. Import the uploaded CA certificate to the FW memory.
      <sysname> system-view 
      [sysname] pki realm abc 
      [sysname-pki-realm-abc] quit 
      [sysname] pki import-certificate ca realm abc pem filename ca.cer
    3. Specify the CA certificate as the server CA certificate.
      <sysname> system-view 
      [sysname] app-proxy ca trust filename ca.cer
  2. Configure a detection profile.
    1. Configure the traffic processing mode for the FW when the server certificate is untrusted.

      In the SSL decryption-exempted scenario, the FW still verifies the server certificate. If the server certificate is untrusted, the FW takes one of the following actions, depending on the configuration:

      • untrust-certificate block: The FW blocks the establishment of the SSL connection between the client and the server.
      • undo untrust-certificate block: The FW allows the establishment of the SSL connection between the client and the server even though the server certificate is untrusted.

      By default, the system allows the establishment of the SSL connection between the client and the server.

    2. Configure the traffic processing mode for the FW when the SNI and the SAN/CN are inconsistent.

      In the SSL decryption-exempted scenario, the FW checks that the SNI sent by the client matches the SAN/CN of the server certificate. When the SNI and the SAN/CN do not match, the FW takes one of the following actions, depending on the configuration:

      • sni-cn-mismatch block: The FW blocks the establishment of the SSL connection between the client and the server.
      • undo sni-cn-mismatch block: The FW allows the establishment of the SSL connection between the client and the server despite the mismatch.

      By default, the system allows the establishment of the SSL connection between the client and the server.

  3. Configure a detection policy.
    1. Access the SSL-encrypted traffic detection policy view from the system view.

      decryption-policy

    2. Create an SSL-encrypted traffic detection policy rule and access the rule view.

      rule name rule-name

    3. Configure a description for the rule.

      description description

      Specify a clear description so that an administrator can easily find and maintain the policy.

    4. Configure a policy tag.

      add tag tag-name

      After a tag is added to the policy, you can query policies by tag and perform batch operations such as deleting, moving, enabling, and disabling. For details about tags and their configuration, see Tag.

    5. Configure matching conditions for SSL-encrypted traffic detection policy rules. Each function and its command:

      • Set the source security zone:
        source-zone { zone-name &<1-6> | any }
      • Set the destination security zone:
        destination-zone { zone-name &<1-6> | any }
      • Specify a source IP address:
        source-address ipv4-address mask mask-address
        source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
      • Specify a destination address:
        destination-address ipv4-address mask mask-address
        destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
      • Configure a user:
        user username user-name &<1-6>
      • Configure a service:
        service { service-name &<1-6> | any }
        service-exclude service-name &<1-6>
      • Configure a URL category:
        url pre-defined category name category-name

    6. Configure actions for SSL-encrypted traffic detection policy rules.

      For details about how to configure a detection profile, see Configuring a Detection Profile.

      action no-decrypt [ profile profile-name ]
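The following is an added example, not configuration from the original page or from Huawei, that assembles the CLI steps above into one narrow exemption rule. It assumes the zone names trust and untrust, the internal subnet 10.1.0.0/16, the rule name nodecrypt-finance, the tag nodecrypt, and a detection profile named profile_nodecrypt that was created as described in Configuring a Detection Profile (the command that enters the profile view is not on this page); the predefined URL category name is an obviously labelled placeholder. Lines beginning with # are explanatory comments, not commands. The two profile settings are shown in their blocking form beside the default (undo) form that the page describes.

```text
# Detection profile settings (entered in the detection profile view; profile name assumed).
# Default for both is the "undo" form, which allows the connection. Because exempted traffic
# receives no content inspection, the "block" form is the stricter choice for this profile.
# default: undo untrust-certificate block
untrust-certificate block
# default: undo sni-cn-mismatch block
sni-cn-mismatch block

# Detection policy: exempt only one internal subnet's traffic to one predefined URL category.
system-view
 decryption-policy
  rule name nodecrypt-finance
   description exempt-finance-sites-from-decryption
   add tag nodecrypt
   source-zone trust
   destination-zone untrust
   source-address 10.1.0.0 mask 255.255.0.0
   url pre-defined category name PLACEHOLDER-FINANCE-CATEGORY
   action no-decrypt profile profile_nodecrypt
```

The rule combines a source subnet with a URL category so that only the intended traffic bypasses decryption, which is the scoping the introduction of this section calls for; everything else continues to be handled by the remaining detection policy rules. Choosing the block form for both profile checks means that an untrusted server certificate or an SNI that does not match the certificate is rejected rather than passed through uninspected.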

Copyright © Huawei Technologies Co., Ltd.