
Web: Client Protection

You can configure SSL-encrypted traffic detection policies so that the FW decrypts SSL-encrypted traffic generated by a user to access the extranet, and configure security policies to enable the FW to check content security of decrypted traffic.

Networking Requirements

As shown in Figure 1, the FW is deployed on the network boundary as an enterprise gateway, and checks content security of traffic generated by users to access extranet HTTPS servers and SMTPS servers (mail servers).

Figure 1 Networking diagram of SSL-encrypted traffic detection for protecting a client

Configuration Roadmap

  1. Configure the SSL decryption certificate.

    The SSL decryption certificate can be imported to the FW or generated on the FW.

    • If the enterprise has a CA server that can issue CA certificates, import the CA certificate issued by the CA server to the FW.
    • If the enterprise does not have a CA server, manually generate an SSL decryption certificate on the FW.

    This section uses a manually generated SSL decryption certificate on the FW as an example.

  2. Optional: Import the CA certificate issued by the trusted certificate issuing organization (the public CA) on the FW, so that the FW can verify the certificates of the HTTPS server and SMTPS server.

    Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

  3. Configure SSL-encrypted traffic detection policies.

    Specify a detection profile in the detection policies, and set the detection type of the detection profile to Outbound. According to actual requirements, you can configure refined policies, so that the FW decrypts only traffic that really requires a content security check. Avoid proxy policies with broad match conditions, because encrypting and decrypting traffic affects the forwarding performance of the device to a certain extent.

  4. Configure a security policy.

    After the SSL-encrypted traffic detection policy is configured, you still need to configure correct security policies and reference the content security profile to check the content security of traffic.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    1. Choose Network > Interface.
    2. Click the edit icon of GE0/0/1 and set the parameters as follows:

      Zone: untrust

      IPv4 IP Address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the preceding steps to configure interface GE0/0/2.

      Zone: trust

      IPv4 IP Address: 10.1.1.1/24

  2. Configure the SSL decryption certificate and import the trusted certificate on the intranet PC.
    1. Choose Object > Certificates > SSL Decryption Certificate.

    2. Click Add to configure a trusted SSL decryption certificate.

    3. Click OK.
    4. Click the download icon in the line where the trusted certificate is located to download the SSL decryption certificate to the local PC.

      The password is used to protect the key file in the certificate. When you install the certificate, the system requires this password.

    5. Send the exported certificate file to the intranet users, and ask the users to install and trust this certificate on their PCs. The FW re-signs server certificates with this SSL decryption certificate, so if it is not installed and trusted, browsers and mail clients show certificate warnings and normal access may be blocked.
  3. Import the CA certificate issued by a trusted organization.
    1. Choose Object > Certificates > CA Certificates.

    2. Click Upload to import the CA certificate.

    3. Click OK.
    4. Repeat the preceding steps to import the CA certificate of the SMTPS server.
  4. Specify the imported CA certificate as the server CA certificate. The FW determines whether the server certificate is trusted based on the server CA certificate.
    1. Choose Object > Certificates > SSL Decryption Certificate, and select the Server CA Certificate tab.
    2. Click Add and select the imported CA certificate.

    3. Click OK.
  5. Configure SSL-encrypted traffic detection policies.
    1. Create a detection profile.

      1. Choose Policy > Encrypted Traffic Detection > Detection Profile.

      2. Click Add, and configure detection profile parameters, as shown in the following figure.

      3. Click OK.

    2. Create an SSL-encrypted traffic detection policy.

      1. Choose Policy > Encrypted Traffic Detection > Detection Policy.

      2. Click Add, and set the SSL-encrypted traffic detection policy to reference the new detection profile.

      3. Click OK.

  6. Configure a security policy so that the system checks the content security of decrypted SSL traffic.
    1. Create a mail content filtering profile.

      In this example, a mail content filtering profile needs to be configured to filter traffic of a user who accesses the mail server.

      1. Choose Object > Security Profiles > Mail Filtering.
      2. Select the Mail Content Filtering tab.
      3. Click Add to create a mail content filtering profile.

      4. Click OK.

    2. Configure a security policy.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure the security policy.

        In this example, antivirus, IPS, and mail filtering items are selected for content security check. Default security profiles of antivirus and IPS are used. You can configure or select multiple security profiles based on actual situations.

      3. Click OK.

Verification

  1. When an intranet user accesses the extranet HTTPS server or SMTPS server, the traffic matches the SSL-encrypted traffic detection policy. If the decrypted traffic passes the content security check, the traffic is released. If the decrypted traffic does not pass the content security check, the traffic is blocked.
  2. On the FW, view the SSL proxy session table. The SSL connection used by the intranet user to access the extranet server is processed by the proxy.

    <FW> display app-proxy session table
     Vsys: 0 10.1.1.1:3449--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 314 <--bytes: 1016
    
     Vsys: 0 10.1.1.1:3450--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 124 <--bytes: 0
    
     Vsys: 0 10.1.1.1:3448--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
          down:0000  -->bytes: 628 <--bytes: 1067
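As an added example that is not part of the original page, the following script parses the session table output above and checks each proxied session against the client-protection setup this page configures: the proxy type must be Outbound, the destination port must belong to a service in the decryption policy, and a session with no server bytes is flagged as an unfinished handshake. Port 465 for SMTPS is an assumption; the page names the service but not the port.

```python
import re
# Output of "display app-proxy session table" copied from the page; embedded
# here so the example runs offline instead of against a live FW.
SAMPLE = """\
 Vsys: 0 10.1.1.1:3449--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
      down:0000  -->bytes: 314 <--bytes: 1016

 Vsys: 0 10.1.1.1:3450--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
      down:0000  -->bytes: 124 <--bytes: 0

 Vsys: 0 10.1.1.1:3448--->2.2.2.2:443 Left:00:00:05 Type:Outbound Age:1
      down:0000  -->bytes: 628 <--bytes: 1067
"""

HEADER = re.compile(r"Vsys:\s*(\d+)\s+(\S+):(\d+)--->(\S+):(\d+)\s+Left:(\S+)"
                    r"\s+Type:(\w+)\s+Age:(\d+)")
BYTES = re.compile(r"-->bytes:\s*(\d+)\s+<--bytes:\s*(\d+)")

# Ports of the services in the page's decryption policy (service https smtps);
# 465 for SMTPS is an assumption, the page itself states no port number.
POLICY_PORTS = {443: "https", 465: "smtps"}
def parse_sessions(text):
    """One dict per proxied session: endpoints, proxy type, bytes each way."""
    sessions, current = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:  # first line of an entry
            current = {"vsys": int(m[1]), "src": m[2], "sport": int(m[3]),
                       "dst": m[4], "dport": int(m[5]), "left": m[6],
                       "type": m[7], "age": int(m[8]), "tx": 0, "rx": 0}
            sessions.append(current)
            continue
        b = BYTES.search(line)
        if b and current is not None:  # second line of the same entry
            current["tx"], current["rx"] = int(b[1]), int(b[2])
    return sessions

def audit(sessions, expected_type="Outbound"):
    """Flag entries that do not match the client-protection setup on the page."""
    findings = []
    for s in sessions:
        key = f"{s['src']}:{s['sport']}->{s['dst']}:{s['dport']}"
        if s["type"] != expected_type:      # client protection proxies as Outbound
            findings.append((key, f"unexpected proxy type {s['type']}"))
        if s["dport"] not in POLICY_PORTS:  # proxied service the policy does not list
            findings.append((key, f"port {s['dport']} not in decryption policy"))
        if s["rx"] == 0:                    # client sent data, server not yet answered
            findings.append((key, "no server bytes yet, handshake incomplete?"))
    return findings
```

Run `audit(parse_sessions(SAMPLE))` after pasting a fresh `display app-proxy session table` into SAMPLE; on the page's own output only session 3450 is flagged, because the server has not answered yet.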

Configuration Scripts

# 
 pki rsa built-in-ca ssl-decryption-certificate create exportable
 pki entity ssl-decryption-certificate
  common-name ssl-decryption-certificate
  fqdn www.example.com
  locality Trust Network
  country CN
#
 pki generate built-in-ca certificate rsa-key-pair ssl-decryption-certificate entity ssl-decryption-certificate
 pki import-certificate built-in-ca filename ssl-decryption-certificate.cer
 app-proxy built-in-ca trust filename ssl-decryption-certificate.cer
#
 pki export built-in-ca rsa-key-pair ssl-decryption-certificate and-certificate ssl-decryption-certificate.cer pem ssl-decryption-certificate.pem password Mypassword@123
#
 pki import-certificate ca der filename https_server_ca.cer
 pki import-certificate ca der filename smtps_server_ca.cer
#
 app-proxy ca trust filename https_server_ca.cer
 app-proxy ca trust filename smtps_server_ca.cer
#
 interface GigabitEthernet 0/0/1
  undo shutdown
  ip address 1.1.1.1 255.255.255.0
#
 interface GigabitEthernet 0/0/2
  undo shutdown
  ip address 10.1.1.1 255.255.255.0
#
 firewall zone trust
  add interface GigabitEthernet 0/0/2
#
 firewall zone untrust
  add interface GigabitEthernet 0/0/1
#
 profile type decryption name profile
  detect type outbound
#
 decryption-policy
  rule name decryption_policy
   source-zone trust
   destination-zone untrust
   source-address 10.1.1.0 24
   service https smtps
   action decrypt profile profile
#
 profile type mail-filter name mail-filter
  undo rbl-filter enable
  send-mail anonymity action allow
  recv-mail anonymity action allow
  send-mail attachment max-amount enable
  send-mail attachment max-amount 10 action alert
  recv-mail attachment max-amount enable
  recv-mail attachment max-amount 10 action alert
  send-mail attachment max-size enable
  send-mail attachment max-size 20480 action alert
  recv-mail attachment max-size enable
  recv-mail attachment max-size 20480 action alert
  send-mail sender filter-mode block
  send-mail receiver filter-mode block
  recv-mail sender filter-mode block
  recv-mail receiver filter-mode block
#
 security-policy
  rule name security_policy
   source-zone trust
   destination-zone untrust
   source-address 10.1.1.0 mask 255.255.255.0
   service https
   service smtps
   profile av default
   profile ips default
   profile mail-filter mail-filter
   action permit
Copyright © Huawei Technologies Co., Ltd.