Creating SSL inspection rules in the filter policy

For the SSL filter policy you have just created to take effect, you need to add an SSL inspection rule to the firewall's filter policy.

  1. Log on to the web administration interface.
  2. In the module Configuration > Security policy > Filter - NAT, select the Filtering tab.
  3. In the drop-down list, select the filter policy with which SSL filtering needs to be associated.
  4. Click on New rule > SSL inspection rule.
  5. In the Profile of traffic to be decrypted area of the SSL inspection wizard, keep the default values to create a rule that intercepts all traffic originating from the internal network and going to the Internet over the port group ssl_srv. The port group ssl_srv contains the standard ports of services that use TLS sessions: HTTPS, SMTPS, POPS, etc. Note that the SSL proxy does not handle FTPS.


    Modify the values of these fields if the default configuration is not suitable. For example, if you are using the SSL proxy only for HTTPS traffic, select https instead of ssl_srv to minimize consumption of firewall resources. Use the port group ssl_srv only if all the protocols it includes need to be decrypted.

  6. In the Inspect encrypted traffic area, enter the following information:
    • Inspection profile: Select the desired inspection profile. For more information, refer to the Administration and configuration guide.
    • SSL filter policy: Select the filter policy that you have created in the section Defining SSL filter policies (SSLFilter_00).
  7. Click on Finish. The wizard will generate two filter rules:
    • The first rule makes it possible to intercept traffic originating from the internal network to the Internet over the port group ssl_srv. All this traffic will be directed to the SSL proxy. This rule will apply SSL filtering and the Decrypt action.
    • The second rule allows traffic originating from the internal network and leaving through the SSL proxy to the Internet.
  8. If you have chosen filtering WITHOUT decrypting SSL traffic, disable the second rule as it will not be used.
    SSL filter rules without decrypting SSL traffic
  9. If you have chosen filtering WITH SSL traffic decryption, double-click in the Security inspection column of the second rule and enable the relevant application protection (antivirus, antispam, URL filtering, etc.).
    SSL filter rules with SSL traffic decryption
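As a practical complement to the advice in step 5 (narrow the rule from ssl_srv to https when only HTTPS needs decryption), here is an added example, not part of the Stormshield documentation, that reads constructed outbound connection records and reports the narrowest destination port object the SSL inspection rule needs. The ssl_srv membership used here is an assumption; check the firewall's own object definition.

```python
"""Pick the narrowest destination port object for an SSL inspection rule.

Added example: counts outbound TCP connections on ssl_srv ports and
recommends https, ssl_srv, or a custom group of just the services seen.
"""
from collections import Counter

# Assumed contents of the ssl_srv port group (port -> service object name).
SSL_SRV = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}

# Constructed sample of internal -> Internet connections: "src dst dport proto".
# Port 990 (FTPS) is not in ssl_srv; the SSL proxy does not handle FTPS anyway.
SAMPLE_FLOWS = """\
10.1.0.15 203.0.113.10 443 tcp
10.1.0.22 198.51.100.7 443 tcp
10.1.0.22 198.51.100.7 80 tcp
10.1.0.31 203.0.113.44 993 tcp
10.1.0.15 203.0.113.10 443 tcp
10.1.0.40 192.0.2.99 990 tcp
"""

def tls_port_usage(flows: str) -> Counter:
    """Count TCP connections per ssl_srv port; other ports are ignored."""
    usage = Counter()
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        port, proto = int(parts[2]), parts[3]
        if proto == "tcp" and port in SSL_SRV:
            usage[port] += 1
    return usage

def recommend_port_object(usage: Counter) -> str:
    """Return 'https' if only 443 was seen, 'ssl_srv' if every group member
    was seen, otherwise a comma-joined list of the service objects needed
    (i.e. the members of a custom, smaller port group). 'none' if no TLS
    service traffic was observed."""
    seen = sorted(p for p in usage if p in SSL_SRV)
    if not seen:
        return "none"
    if seen == [443]:
        return "https"
    if set(seen) == set(SSL_SRV):
        return "ssl_srv"
    return ",".join(SSL_SRV[p] for p in seen)

if __name__ == "__main__":
    print(recommend_port_object(tls_port_usage(SAMPLE_FLOWS)))
```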