This screen will allow you to confirm the activation of the SSL protocol through the firewall.
Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (Skype, HTTPS proxy, etc.).
|Automatically detect and inspect the protocol||If this protocol is enabled, the inspection function will automatically apply to discover corresponding traffic that filter rules allow.|
When this checkbox is selected, the IPS engine allows TLS requests that use 0-RTT (Zero Round Trip Time), which reduces the handshake to zero exchanges in order to improve performance for TLS traffic.
Select the type of TLS values or extensions to allow:
|Allow unsupported encryption methods||Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.|
|Allow unencrypted data after an SSL negotiation||This option allows sending data in plaintext after an SSL negotiation.|
|Authorize signaling cipher (SCSV)||TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. By enabling this option, the firewall will announce a cryptographic pseudo-algorithm that would allow reporting an attempt to launch a fallback attack (RFC 7507).|
|Encryption levels allowed||The stronger the encryption algorithm used and the more complex the password, the higher the level of security.|
Three choices of encryption levels can be authorized:
Manage SSL extensions
Named extensions tab
This table makes it possible to allow/prohibit the named TLS v1.3 protocol extensions.
All known named extensions (see the IANA’s list of TLS extensions) are listed by default: a line in the table therefore contains the ID (between 0 and 56 inclusive), the name of the extension and the action applied to it.
- Allow or prohibit extensions individually by clicking on their associated action,
- Allow or prohibit a selection of extensions (hold down the Shift key and select consecutive lines or hold down the Ctrl key and select separated lines) and apply a common action to them using Allow selection and Prohibit selection.
- Select all extensions with the Select all button and apply a common action to them using Allow selection and Prohibit selection.
A search field also makes it possible to filter the display of extensions.
Blacklisted ranges tab
This table contains the known TLS v1.3 extensions to prohibit other than the ones defined in the Named extensions tab. The ID of these extensions must be between 57 and 65535 inclusive.
Defined extensions can be added (Add button) or deleted (Delete button after selecting the line concerned) individually using their IDs (e.g. 59) or extension ranges (e.g. 59-62, 92-1001).
A search field also makes it possible to filter the display of blacklisted IDs.
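The two tabs above define one policy: named extensions (IDs 0 to 56) get an individual action, and everything above 56 is prohibited only if it falls inside a blacklisted ID or range. The following added example (not Stormshield code) models that policy: it parses a range specification written the way the tab accepts it (e.g. `59-62, 92-1001`), walks the extensions block of a constructed TLS ClientHello and reports which extensions the policy would refuse. The extension IDs in the sample are from the IANA registry; the sample policy and ClientHello bytes are constructed for illustration.

```python
import struct

NAMED_MAX, BLACKLIST_MAX = 56, 65535   # ID ranges the page gives for the two tabs

def parse_blacklist_ranges(spec):
    """Parse a 'Blacklisted ranges' entry such as '59, 59-62, 92-1001' into (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        lo_txt, _, hi_txt = item.strip().partition("-")
        lo, hi = int(lo_txt), int(hi_txt or lo_txt)
        if not (NAMED_MAX < lo <= hi <= BLACKLIST_MAX):
            raise ValueError(f"range {item.strip()!r} must lie within {NAMED_MAX + 1}-{BLACKLIST_MAX}")
        ranges.append((lo, hi))
    return ranges

def client_hello_extension_ids(ext_block):
    """Walk a ClientHello extensions block (2-byte total length, then type/length/data
    entries) and return the extension type IDs in wire order."""
    (total,) = struct.unpack("!H", ext_block[:2])
    body, ids, off = ext_block[2:2 + total], [], 0
    while off + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        ids.append(ext_type)
        off += 4 + ext_len
    return ids

def evaluate(ext_ids, named_prohibited, blacklist_ranges):
    """Return [(id, reason)] for every extension the two tabs would prohibit."""
    hits = []
    for ext_id in ext_ids:
        if ext_id <= NAMED_MAX:
            if ext_id in named_prohibited:
                hits.append((ext_id, "prohibited in Named extensions tab"))
        elif any(lo <= ext_id <= hi for lo, hi in blacklist_ranges):
            hits.append((ext_id, "inside a blacklisted range"))
    return hits

def build_ext_block(entries):
    """Serialise [(type, data), ...] as an extensions block; used only to construct the sample."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body

# Constructed sample ClientHello extensions: server_name(0), early_data(42),
# supported_versions(43), key_share(51), an unassigned ID 60 and NPN (13172).
SAMPLE_EXTENSIONS = build_ext_block([(0, b"\x00\x0c\x00\x00\x09host.test"), (42, b""),
                                     (43, b"\x02\x03\x04"), (51, b"\x00\x00"), (60, b"\x01\x02"), (13172, b"")])
NAMED_PROHIBITED = {42}                               # sample policy: refuse early_data
BLACKLIST = parse_blacklist_ranges("59-62, 92-1001")  # sample Blacklisted ranges entry
VERDICT = evaluate(client_hello_extension_ids(SAMPLE_EXTENSIONS), NAMED_PROHIBITED, BLACKLIST)
```

Note that ID 13172 passes: an unnamed extension is only refused when it sits inside a configured range, so anything above 56 that you want blocked must be listed explicitly.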
Unencrypted data detection (plaintext traffic)
|Disable IPS||When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it.|
|Log every SSL query||Enables or disables the logging of SSL requests.|