
Limitations and Precautions for SSL-encrypted traffic detection

Hardware Requirement

The SSL-encrypted traffic detection function is supported by all models.

License Requirements

The function depends on the content security component package. However, the package does not need to be loaded manually: it is included in the software package and loaded automatically during device startup.

Restrictions

  • In bidirectional authentication scenarios, that is, when a server requires a client certificate to be authenticated, you are advised not to enable SSL decryption. For example, when you access a website involving personal privacy, such as a bank or social security site, the server often needs to verify the client certificate, and the client may fail to access the server because certificate verification fails at the proxy. In this case, select No decrypt and specify the permit action in the decryption-exempted profile. The FW then transparently transmits the SSL-encrypted traffic.
  • When server CA certificates are not preset or imported into some browsers or some software applications have a fixed public key, SSL-encrypted traffic detection cannot be used because the certificate pushed by the FW to the client cannot be verified. As a result, the connection between the server and client is interrupted. In this case, you can configure an SSL domain name whitelist or configure the FW not to decrypt traffic matching the URL category to transparently transmit the SSL connection between the client and the server.
  • If a client accepts only trusted certificates, you need to import certificates or configure the SSL whitelist. Otherwise, services are abnormal.
  • When checking the content security of decrypted traffic, the FW does not support attack forensics on attack packets or virus packets.
  • The SSL-encrypted traffic detection function employs the proxy mode and does not apply to scenarios where interactive traffic information of the two ends cannot be obtained, such as scenarios of off-line deployment, one-way traffic, active/active deployment, and inconsistent forward and reverse paths.
  • If the same flow passes through the FW multiple times and matches the SSL-encrypted traffic detection policy, the SSL-encrypted traffic detection becomes abnormal. To avoid this situation, ensure that the flow passes through different VLANs or VSYSs on the firewall during deployment.
  • When the SSL protocol version used by the FW to establish an SSL connection with the peer end is TLS 1.3, the algorithm configuration in the detection profile does not take effect.
  • The SSL-encrypted traffic detection function is supported in the IPv4 scenario but not in the IPv6 scenario.
  • For the USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E, in certificate authentication scenarios, the RSA key length of the certificate must be set to 2048, 3072, or 4096. Otherwise, the SSL-encrypted traffic detection function using this certificate will be affected.
  • For clients running Android 7.0 or later, an insecurity alarm may be reported or services may be interrupted even if the SSL decryption certificate of the firewall is installed on the browser. Determine whether to enable SSL-encrypted traffic detection based on the site requirements.
  • The SSL-encrypted traffic detection policy does not support MAC addresses. If a MAC address is specified for the referenced address/address group, the SSL-encrypted traffic detection policy cannot match the MAC address.
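As an added check that is not part of Huawei's documentation or the USG product, the Go program below parses a PEM certificate and verifies that its RSA key length is one of the sizes the key-length restriction above permits (2048, 3072 or 4096) before the certificate is imported for SSL decryption. MakeSelfSignedCert is a constructed helper, not a product API, that produces test input offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckDecryptCertKey reports a PEM certificate's RSA key length and whether it
// is one of the sizes the page accepts for the listed USG models (2048/3072/4096).
func CheckDecryptCertKey(pemData []byte) (int, bool, error) {
	allowed := map[int]bool{2048: true, 3072: true, 4096: true}
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, err
	}
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	if !isRSA {
		return 0, false, fmt.Errorf("key is %T, not RSA", cert.PublicKey)
	}
	bits := pub.N.BitLen()
	return bits, allowed[bits], nil
}

// MakeSelfSignedCert is a constructed helper (not a product API) that builds a
// self-signed RSA CA certificate of the given size as offline test input.
func MakeSelfSignedCert(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed decrypt CA"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

A real decryption certificate exported from a PKI can be passed to CheckDecryptCertKey in the same way; a non-RSA or malformed certificate is reported as an error rather than as a size.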

Precautions

  • Because SSL-encrypted traffic detection needs to perform a large number of encryption and decryption operations on traffic, it affects the forwarding performance of the device to a certain extent. Therefore, refine matching conditions when configuring SSL-encrypted traffic detection policies, so that the system decrypts only SSL-encrypted traffic that really requires content security check.
  • In the server protection scenario, the intranet servers that clients access are considered safe and reliable, so the URL classification function is unnecessary in this scenario. If URL classification is configured as a matching condition of an SSL-encrypted traffic detection policy in this scenario, it does not take effect.
  • The FW cannot decrypt the traffic encrypted by the Chrome browser through the QUIC protocol. To protect network security, you need to configure a security policy that blocks the QUIC-encrypted traffic on the FW, so that the browser automatically uses the SSL or TLS encryption protocol for data transmission.
  • If a certificate cannot be installed on a client, you are advised not to enable SSL decryption.
Copyright © Huawei Technologies Co., Ltd.