SSL

“IPS” tab

This screen allows you to confirm that the SSL protocol scan is enabled on the firewall.

Certain options make it possible to reinforce this protocol’s security. For example, the negotiation of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (Skype, HTTPS proxies, etc.).

WARNING

The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in 2001, is supported from version 3 (1996). Sites that use an older version (which may present security flaws), or that do not support starting a negotiation in TLS, will be blocked.

Internet Explorer 7 and 8 do not enable TLS 1.0 support by default. For security reasons, you are advised to enable TLS 1.0 support via an Active Directory object that defines host configurations (a Group Policy Object, or GPO).

An ICAP server’s validation of HTTPS requests decrypted by the SSL proxy is not supported.

Automatically detect and inspect the protocol

If this protocol is enabled, it will automatically be used to detect the corresponding packets in filter rules.

SSL negotiation

Allow unsupported encryption methods

Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.

Allow unencrypted data after an SSL negotiation

This option allows sending data in plaintext after an SSL negotiation.

WARNING

Allowing data transmission in plaintext poses a security risk.

Authorize signaling cipher (SCSV)

TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. When this option is enabled, the firewall announces a cryptographic pseudo-algorithm that makes it possible to report an attempted fallback attack (RFC 7507).

Encryption levels allowed

The stronger the encryption algorithm used and the more complex the password, the higher the level of security.

Example

The AES encryption algorithm with a strength of 256 bits, associated with a password of about ten characters made up of letters, numbers and special characters.

Three choices of encryption levels can be authorized:

  • Low, medium, high: for example, DES (64 bits), CAST128 (128 bits) and AES. All three encryption levels will be allowed, regardless of the password’s security level.
  • Medium and high: Only medium-security and high-security algorithms will be tolerated.
  • Only high: Only strong algorithms and passwords with a high level of security will be tolerated.
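To make the encryption-level choices and the fallback signal above concrete, here is an added example (not Stormshield code) that parses the cipher-suite list out of a TLS ClientHello, keeps only the suites permitted by each of the three choices, honours an "allow unsupported encryption methods" switch for suites it does not know, and applies the RFC 7507 rule for the signaling pseudo-suite TLS_FALLBACK_SCSV. The suite table, the level thresholds (key bits under 112 = low, under 256 = medium, otherwise high), the `SUITE_KEY_BITS`, `filter_suites` and `fallback_detected` names and the sample ClientHello are all assumptions constructed for this illustration; only the SCSV value 0x5600 comes from the RFC.

```python
"""Inspect the cipher suites a TLS ClientHello offers: strength-level filtering
and the TLS_FALLBACK_SCSV downgrade signal (RFC 7507).

Added example, not Stormshield code. Suite table, level thresholds and the
sample ClientHello are constructed for illustration.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value defined by RFC 7507

# Constructed subset of IANA cipher-suite codes with the nominal symmetric key
# length (bits) from which the level is derived: DES 56, 3DES 112, AES 128/256.
SUITE_KEY_BITS = {
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
}

# The three "Encryption levels allowed" choices.
ALLOWED_LEVELS = {
    "low_medium_high": {"low", "medium", "high"},
    "medium_high": {"medium", "high"},
    "high": {"high"},
}


def level_of(suite: int) -> str:
    """Map a suite to low/medium/high; suites not in the table are 'unsupported'."""
    if suite not in SUITE_KEY_BITS:
        return "unsupported"
    bits = SUITE_KEY_BITS[suite][1]
    return "low" if bits < 112 else "medium" if bits < 256 else "high"


def filter_suites(suites, choice: str, allow_unsupported: bool = False) -> list:
    """Keep the suites the chosen level permits; the SCSV is a signal, not a suite."""
    allowed = ALLOWED_LEVELS[choice]
    kept = []
    for s in suites:
        if s == TLS_FALLBACK_SCSV:
            continue
        lvl = level_of(s)
        if lvl in allowed or (lvl == "unsupported" and allow_unsupported):
            kept.append(s)
    return kept


def fallback_detected(client_version: int, suites, server_max_version: int) -> bool:
    """RFC 7507 server-side rule: the SCSV is offered while the client asks for a
    lower version than the server supports, so a downgrade is in progress."""
    return TLS_FALLBACK_SCSV in suites and client_version < server_max_version


def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one TLS record holding a ClientHello."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                       # skip client_random
    pos += 1 + hello[pos]              # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def build_client_hello(client_version: int, suites) -> bytes:
    """Construct a minimal ClientHello record (test input, not captured traffic)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", client_version) + bytes(32)   # version, zero random
             + b"\x00"                                        # empty session_id
             + struct.pack("!H", len(cs)) + cs                # cipher_suites
             + b"\x01\x00" + b"\x00\x00")                     # null compression, no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    # A client that has fallen back to TLS 1.1 and offers DES, AES-128, AES-256 plus the SCSV.
    sample = build_client_hello(0x0302, [0x0009, 0x002F, 0xC030, TLS_FALLBACK_SCSV])
    version, offered = parse_client_hello(sample)
    for choice in ALLOWED_LEVELS:
        print(choice, [SUITE_KEY_BITS[s][0] for s in filter_suites(offered, choice)])
    print("fallback detected:", fallback_detected(version, offered, 0x0303))
```

The SCSV check is deliberately two-sided: the pseudo-suite alone is harmless, and only its presence together with a client version below what the server supports indicates that a higher version was tried and lost, which is what the "Authorize signaling cipher (SCSV)" option lets the firewall report.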

Unencrypted data detection (plaintext traffic)

Detection method
  • Do not detect: unencrypted data will not be scanned.
  • Inspect all traffic: all packets received will be scanned by the SSL protocol in order to detect plaintext traffic.
  • Sampling (7168 bytes): only the first 7168 bytes of the traffic will be analyzed in order to detect plaintext traffic.
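The difference between "Inspect all traffic" and "Sampling (7168 bytes)" is easiest to see in code. The following added example (not Stormshield code; the firewall's actual detection criteria are not described on the page) walks a flow as a sequence of TLS records and reports the first offset at which the bytes cannot be a record header, which is how plaintext sent after a negotiation (the case the warning above is about) shows up. The `classify_flow` and `looks_like_record_header` names, the record-header heuristic and the sample flows are constructed for this illustration.

```python
"""Plaintext detection over the first bytes of a flow, with a sampling window.

Added example, not Stormshield code: the record-walking heuristic and the
sample flows are constructed here.
"""
import struct

SAMPLE_BYTES = 7168            # the sampling window named on the page
MAX_RECORD = 16384 + 2048      # largest TLS record payload allowed (2^14 + 2048)
CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def looks_like_record_header(hdr: bytes) -> bool:
    """True if five bytes form a plausible TLS record header (type, version 3.x, sane length)."""
    if len(hdr) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", hdr)
    return ctype in CONTENT_TYPES and major == 3 and minor <= 4 and length <= MAX_RECORD


def classify_flow(data: bytes, sample_bytes=SAMPLE_BYTES):
    """Walk TLS records inside the sampling window.

    Returns ("tls", records_seen) if every inspected byte belongs to a well-formed
    record, or ("plaintext", offset) at the first position that cannot start a
    record. Pass sample_bytes=None to inspect the whole flow ("Inspect all
    traffic"); with a window, plaintext that begins later is simply not seen.
    """
    window = data[:sample_bytes]
    pos, records = 0, 0
    while pos < len(window):
        hdr = window[pos:pos + 5]
        if len(hdr) < 5:
            break  # a partial header at the edge of the window is inconclusive
        if not looks_like_record_header(hdr):
            return ("plaintext", pos)
        pos += 5 + struct.unpack("!H", hdr[3:5])[0]
        records += 1
    return ("tls", records)


def tls_record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record for the constructed sample flows."""
    return struct.pack("!BBBH", ctype, 3, 3, len(payload)) + payload


# Constructed flows, not captured traffic.
HANDSHAKE = tls_record(22, b"\x01" + (60).to_bytes(3, "big") + bytes(60))   # 69 bytes
APP_DATA = tls_record(23, bytes(200))                                         # 205 bytes
TLS_ONLY = HANDSHAKE + APP_DATA * 3
PLAINTEXT_AFTER_NEGOTIATION = HANDSHAKE + b"GET /secret HTTP/1.1\r\nHost: example.test\r\n\r\n"
LATE_PLAINTEXT = HANDSHAKE + APP_DATA * 40 + b"GET / HTTP/1.1\r\n"  # plaintext past 7168 bytes

if __name__ == "__main__":
    print("tls only           :", classify_flow(TLS_ONLY))
    print("plaintext after hs :", classify_flow(PLAINTEXT_AFTER_NEGOTIATION))
    print("late, sampled      :", classify_flow(LATE_PLAINTEXT))
    print("late, full inspect :", classify_flow(LATE_PLAINTEXT, sample_bytes=None))
```

The last two lines of the demo are the practical caveat: with the 7168-byte window the late plaintext is classified as TLS, and only full inspection catches it, so sampling trades detection coverage for throughput.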

Support

Disable IPS

When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it.

Log every SSL query

Enables or disables the logging of SSL requests.

“Proxy” tab

Connection

Keep original source IP address

When a web client (browser) sends a request to a server, the firewall intercepts it, checks that the request complies with URL filter rules, and then relays it.

If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Content inspection

Self-signed certificates

These certificates are used internally and are signed by your local server. Among other functions, they make it possible to secure your exchanges and authenticate users.

This option determines the action to perform when you encounter self-signed certificates:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Expired certificates

Expired certificates have validity dates that have lapsed and are therefore no longer valid. To fix this problem, they must be renewed by a certificate authority.

WARNING

Expired certificates may pose a security risk. After the expiry of a certificate, the CA that issued it will no longer be responsible for it if it is used maliciously.

This option determines the action to perform when you encounter expired certificates:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Unknown certificates

This option will determine the action to perform when you encounter unknown certificates:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Do not decrypt: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through without being analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Wrong certificate type

This test validates the certificate’s type. A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply.

This option will determine the action to perform when you encounter non-compliant certificates:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Certificate with incorrect FQDN

This option will determine the action to perform when certificates with an invalid domain name are encountered:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

When the FQDN of the certificate is different from the SSL domain name

This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain:

  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the l_alarm log file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Allow IP addresses in SSL domain names

This option allows or denies access to a site when it is referenced by its IP address instead of its SSL domain name.
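The certificate checks described in this tab (self-signed, expired, unknown, wrong type, incorrect or mismatching FQDN) each map to one configured action, and a single certificate can fail several of them at once. The following added example (not Stormshield code) shows one way to evaluate the checks and resolve them to a single action, with the most restrictive configured action winning. It works on already-parsed certificate fields rather than on X.509 bytes; the `CertInfo` record, the `DEFAULT_POLICY` values, the `decide` and `failed_checks` names, the sample certificates and the treatment of an IP literal in the requested name (refused unless the "Allow IP addresses in SSL domain names" equivalent is set) are all assumptions made for this illustration.

```python
"""Resolve the SSL proxy certificate checks to one action.

Added example, not Stormshield code. CertInfo carries already-parsed fields
(no X.509 parsing here); policy, sample certificates and the handling of IP
literals in the requested name are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Actions named on the page, ranked so the most restrictive triggered one wins.
BLOCK, DELEGATE, CONTINUE, DO_NOT_DECRYPT = (
    "Block", "Delegate to user", "Continue analysis", "Do not decrypt")
SEVERITY = {CONTINUE: 0, DO_NOT_DECRYPT: 1, DELEGATE: 2, BLOCK: 3}

# Assumed per-check policy; the page lets each check be configured separately.
DEFAULT_POLICY = {
    "self_signed": DELEGATE,
    "expired": BLOCK,
    "unknown": DO_NOT_DECRYPT,
    "wrong_type": BLOCK,
    "fqdn_mismatch": DELEGATE,
}


@dataclass
class CertInfo:
    subject_cn: str
    issuer_cn: str
    san_dns: tuple            # dNSName entries; empty means fall back to the CN
    not_after: datetime
    ext_key_usage: frozenset  # e.g. {"serverAuth"} for a server certificate
    issuer_trusted: bool      # issuer chains to a CA known to the firewall


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must not span labels or match a bare registrable domain.
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def failed_checks(cert: CertInfo, requested_name: str, now: datetime) -> list:
    """Return the names of the page's checks that this certificate fails."""
    failures = []
    if cert.issuer_cn == cert.subject_cn and not cert.issuer_trusted:
        failures.append("self_signed")
    elif not cert.issuer_trusted:
        failures.append("unknown")
    if cert.not_after <= now:
        failures.append("expired")
    if "serverAuth" not in cert.ext_key_usage:
        failures.append("wrong_type")  # e.g. a user (clientAuth) certificate on a server
    if not is_ip_literal(requested_name):
        names = cert.san_dns or (cert.subject_cn,)
        if not any(hostname_matches(n, requested_name) for n in names):
            failures.append("fqdn_mismatch")
    return failures


def decide(cert, requested_name, now, policy=DEFAULT_POLICY, allow_ip_names=False):
    """Return (action, failures); IP literals are refused unless allow_ip_names is set."""
    if is_ip_literal(requested_name) and not allow_ip_names:
        return BLOCK, ["ip_in_domain_name"]
    failures = failed_checks(cert, requested_name, now)
    if not failures:
        return CONTINUE, []
    return max((policy[f] for f in failures), key=SEVERITY.get), failures


# Constructed samples, not real certificates.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2023, 1, 1, tzinfo=timezone.utc)
PUBLIC_CERT = CertInfo("www.example.test", "Example Root CA", ("*.example.test",),
                       FUTURE, frozenset({"serverAuth"}), True)
SELF_SIGNED = CertInfo("intranet.example.test", "intranet.example.test",
                       ("intranet.example.test",), FUTURE, frozenset({"serverAuth"}), False)
UNKNOWN_CA = CertInfo("shop.example.test", "Some Private CA", ("shop.example.test",),
                      FUTURE, frozenset({"serverAuth"}), False)
EXPIRED_USER_CERT = CertInfo("alice", "Example Root CA", (), PAST, frozenset({"clientAuth"}), True)

if __name__ == "__main__":
    for cert, name in [(PUBLIC_CERT, "www.example.test"), (SELF_SIGNED, "intranet.example.test"),
                       (UNKNOWN_CA, "shop.example.test"), (EXPIRED_USER_CERT, "alice.example.test")]:
        print(name, "->", decide(cert, name, NOW))
```

Ordering by severity matters because the options are configured independently: an expired, self-signed certificate must not end up at "Delegate to user" merely because the self-signed rule was evaluated last.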

Support

If decryption fails

This option will determine the action to perform when decryption fails: you can choose to Block traffic or Pass without decrypting. Traffic will not be inspected if the second option is selected.

If classification of certificate fails

The choice is either Pass without decrypting or Block. If a certificate has not been listed in a certificate category, this action determines whether the traffic will be authorized.