apps inline-ssl
Use the apps inline-ssl command to configure inline Secure Sockets Layer (SSL) parameters for inline SSL decryption. For more information, refer to the “Work With Inline SSL Decryption" section in the GigaVUE Fabric Management Guide.
The apps inline-ssl command has the following syntax:
apps inline-ssl
caching persistence <disable | enable>
keychain password <password> <confirm password> | <password> | [reset] <password><confirm password>
version < above | below >
min-version <sslv3 | tls1 | tls11 | tls12 | tls13> max-version <sslv3 | tls1 | tls11 | tls12 | tls13>
below min-version <no-decrypt | drop>
above max-version <no-decrypt | drop >
profile alias <alias>
split-proxy [enable | disable]
server non-pfs-ciphers [enable | disable]
tool early-engage [enable | disable]
one-arm [enable | disable]
monitor <disable | enable | inline>
certificate
expired <decrypt | drop>
invalid <decrypt | drop>
revocation crl <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
revocation ocsp <disable | enable [fail <hard | soft>] [defer timeout <20-100>]>
self-signed <decrypt | drop>
unknown-ca <decrypt | drop>
clear <decryptlist need to decrypt - CLI Command (formerly blacklist) | nodecryptlist no need to decrypt- CLI Command (formerly whitelist)>
decrypt
tcp
inactive-timeout <2-1440 mins>
portmap
add in-port <value> out-port <value>
default-out-port <<value> | disable>
delete <all | rule-id <rule ID>>
override-port <<value> | disable>
tool-bypass <disable | enable>
default-action <decrypt | no-decrypt>
fetch <decryptlist <URL for profile decrypt list need to decrypt (formerly blacklist) file> | nodecryptlist <URL for profile no-decrypt list no need to decrypt (formerly whitelist) file>>
ha active-standby <disable | enable>
keymap
add server <server domain name or IP address> key <key alias>
delete <all | rule-id <rule ID>>
network-group multiple-entry <disable | enable>
no-decrypt tool-bypass <disable | enable>
non-ssl-tcp tool-bypass <disable | enable>
rule add
category <category name> <decrypt | no-decrypt>
domain <domain name string> <decrypt | no-decrypt>
ipv4 <dst | src> <IP address> <mask> <decrypt | no-decrypt>
issuer <issuer name string> <decrypt | no-decrypt>
l4port <dst | src> <any | port <value or range>> <decrypt | no-decrypt>
vlan <any | id <value or range>> <decrypt | no-decrypt>
rule delete <all | rule-id <rule ID>>
starttls
add l4port <port number>
delete <all | l4port <port number>>
url-cache miss action <decrypt | defer [timeout <1-10>] | no-decrypt>
resumption client <disable | enable>
session debug <disable | enable>
signing rsa for <primary | secondary> key <key alias>
trust-store
fetch <append | replace> <URL for trust store file>
reset
The following table describes the arguments for the apps inline-ssl command:
Argument |
Description |
||||||||||||||||||||||||||||||||||||
caching persistence <disable | enable> |
Enables or disables caching persistence as follows:
The default is enable. Disable is recommended only for troubleshooting purposes. For example: (config) # apps inline-ssl caching persistence disable |
||||||||||||||||||||||||||||||||||||
keychain password <password> <confirm password> |
Creates an SSL keychain password as follows: (config) # apps inline-ssl keychain password Creating a new password for ssl keychain: Password: ********* Confirm: ********* The password is used to encrypt all cryptographic materials such as certificates and private keys uploaded to the node. Passwords are not saved on the node. Passwords must be at least 8 characters (up to 64 characters) and must include at least one of each of the following:
Note: The keychain password must be configured before installing certificates and keys. If the key has a passphrase, in order to install it, the keychain password and the passphrase must match. |
||||||||||||||||||||||||||||||||||||
keychain password <password> |
Prompts for the SSL keychain password. When keys are installed on the node, you will be prompted to verify the password after any node reboot when you enter configure terminal mode, for example: # configure terminal (config) # apps inline-ssl keychain password required Enter ssl keychain password: Password: ********* |
||||||||||||||||||||||||||||||||||||
keychain password [reset] <password> <confirm password> |
Resets an SSL keychain password. When keys are installed on the node, a warning is displayed. Note: Resetting the password revokes all existing private keys. For example: (config) # apps inline-ssl keychain password reset WARNING: Password is already set. Reset password will revoke all existing private keys. Password: ********* Confirm: ********* |
||||||||||||||||||||||||||||||||||||
version < above | below > |
Configures the maximum SSL version and minimum SSL version parameters as follows:
|
||||||||||||||||||||||||||||||||||||
min-version <sslv3 | tls1 | tls11 | tls12 | tls13> max-version <sslv3 | tls1 | tls11 | tls12 | tls13> |
Specifies the SSL minimum version and maximum version as follows:
The default minimum version is sslv3. The default maximum version is tls12. Ensure the minimum version is less than the maximum version. For example: (config) # apps inline-ssl min-version tls11 max-version tls12 |
||||||||||||||||||||||||||||||||||||
below min-version |
Allows or drops below TLS minimum version for the given configuration as follows:
The default minimum version is tls1. |
||||||||||||||||||||||||||||||||||||
above max-version |
Allows or drops above TLS maximum version for the given configuration as follows:
The default maximum version is tls13. |
||||||||||||||||||||||||||||||||||||
profile alias <alias> eval-cn <disable | enable> |
Specifies an alias to create a policy profile for inline SSL decryption to specify policy configuration. For example: (config) # apps inline-ssl profile alias sslprofile (config apps inline-ssl profile alias sslprofile) # |
||||||||||||||||||||||||||||||||||||
profile alias <alias> split-proxy [enable | disable] |
When you enable the split proxy settings for an inline SSL profile, it divides the TLS connection between the server and client into two independent connections and keeps the security parameters separate. For example: (config) # apps inline-ssl profile alias sslprofile split-proxy enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> split-proxy server non-pfs-ciphers [enable | disable] |
When you enable the non-PFS ciphers settings for an inline SSL profile that has the split proxy settings enabled, it forces the server to use protocols that are lower than TLS1.3 with non-PFS ciphers. This means that the ciphers with DHE/ECDHE key-exchange will be disabled and the server will use only the ciphers with RSA key-exchange. For example: (config) # apps inline-ssl profile alias sslprofile split-proxy server non-pfs-ciphers enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> tool early-engage [enable | disable] |
Allows the inline tools to change the MAC address or VLAN IDs. When a connection request is received from the client, GigaSMART establishes the connection with the inline tool first, before connecting with the server. This helps the inline tools to modify the MAC address or VLAN IDs when sending the traffic back to the server. For additional information and limitations, refer to the "Tool Early Engage and One-Arm Mode" section in the GigaVUE-FM User's Guide. For example: (config) # apps inline-ssl profile alias sslprofile tool early-engage enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> one-arm [enable | disable] |
Allows both the client and server traffic to travel through the same physical link or logical aggregate port channel. Note: You can enable the one-arm mode only if you have enabled the tool early-engage option. For additional information and limitations, refer to the "Tool Early Engage and One-Arm Mode" section in the GigaVUE-FM User's Guide. For example: (config) # apps inline-ssl profile alias sslprofile one-arm enable |
||||||||||||||||||||||||||||||||||||
monitor <disable | enable | inline> |
Configures the apps inline-ssl monitoring and SSL decryption/encryption as follows:
For example: (config)# apps inline-ssl profile alias sslprofile monitor disable (config)# apps inline-ssl profile alias sslprofile monitor enable (config)# apps inline-ssl profile alias sslprofile monitor inline Note: Monitor mode is not supported with clustering. |
||||||||||||||||||||||||||||||||||||
profile alias <alias> certificate
|
Configures the handling of expired, invalid, self-signed, and unknown CA certificates as well as enabling or disabling certificate revocation for the profile as follows:
The revocation check is disabled by default. The connection is permitted, at least until the revocation check returns the status. Examples: (config apps inline-ssl profile alias sslprofile) # certificate expired decrypt (config apps inline-ssl profile alias sslprofile) # certificate invalid drop (config apps inline-ssl profile alias sslprofile) # certificate revocation crl disable (config apps inline-ssl profile alias sslprofile) # certificate revocation ocsp enable fail soft |
||||||||||||||||||||||||||||||||||||
profile alias <alias> clear <decryptlist | nodecryptlist> |
Clears the no-decrypt list or the decrypt list for the profile as follows:
For example: (config apps inline-ssl profile alias sslprofile) # clear nodecryptlist |
||||||||||||||||||||||||||||||||||||
profile alias <alias> decrypt
|
Specifies additional configuration options for the decrypt action for the profile. This is the action to take if the match action is to decrypt as follows:
The default is disable, which means that all decrypted SSL traffic is sent to the tools. Examples: (config apps inline-ssl profile alias sslprofile) # decrypt tool-bypass enable (config apps inline-ssl profile alias sslprofile) # decrypt tcp inactive-timeout 10 (config apps inline-ssl profile alias sslprofile) # decrypt tcp portmap override-port disable apps inline-ssl profile alias sslprofile decrypt tcp portmap default-out-port 12 Refer to “Inline SSL Decryption Port Map” section in the GigaVUE Fabric Management Guide for details. |
||||||||||||||||||||||||||||||||||||
profile alias <alias> default-action <decrypt | no-decrypt> |
Specifies the default action for the profile. This is the action to take if none of the rules in the profile match. The actions are as follows:
The default is no-decrypt selective forwarding - forward (formerly whitelist). Use the default action to create policies such as decrypt all but privacy-related categories or no-decrypt all but security-related categories. Examples: (config apps inline-ssl profile alias sslprofile) # default-action decrypt (config apps inline-ssl profile alias sslprofile) # default-action no-decrypt |
||||||||||||||||||||||||||||||||||||
profile alias <alias> fetch <decryptlist <URL for profile decryptlist file> | nodecryptlist <URL for profile nodecryptlist file>> |
Fetches the no-decrypt list or the decrypt list text file for the profile from the specified URL as follows:
No-decrypt list entries are implicitly set to no-decrypt, which means that as a policy, no-decrypt listed domains and hostnames will always be bypassed for decryption. As a policy, hostnames or domains matching the decrypt list entries will always be decrypted. No-decrypt list and decrypt list text files must adhere to the following:
The supported formats for fetch are: SCP, SFTP, FTP, TFTP, HTTP. For example: (config apps inline-ssl profile alias sslprofile) # fetch nodecryptlist http://1.1.1.1/temp/whitelist.txt |
||||||||||||||||||||||||||||||||||||
profile alias <alias> ha active-standby <disable | enable> |
Enables GigaSMART inline network high availability (HA) active standby support. When there is an inline SSL network group topology with two network port pairs (Na1, Nb1 and Na2, Nb2), incoming traffic from one network (for example, Na1) may change to another network (for example, Na2) due to upstream devices, such as firewalls performing high availability active standby failover. The options are as follows:
The default is disable. For example: (config apps inline-ssl profile alias sslprofile) # ha active-standby enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> keymap add server <server domain name or IP address> key <key alias> |
Creates an SSL server key map, which creates a key map entry. A server key map is for an inbound deployment of inline SSL decryption, in which the customer has the server keys. A server key map binds keys from the keystore as follows:
The maximum number of key mappings is 1000. Examples: (config apps inline-ssl profile alias sslprofile) # keymap add server server_1 key server_1_key (config apps inline-ssl profile alias sslprofile) # keymap add server server_2 key server_2_key (config apps inline-ssl profile alias sslprofile) # keymap add server server_3 key server_3_key (config apps inline-ssl profile alias sslprofile) # keymap add server server_4 key server_4_key Note: Use the apps keystore command to add server keys to the key store. Refer to apps keystore. |
||||||||||||||||||||||||||||||||||||
profile alias <alias> keymap delete <all | rule-id <rule ID> |
Deletes an SSL server key map entry, either all key maps or a specific key map by its ID. Examples: (config apps inline-ssl profile alias sslprofile) # keymap delete all (config apps inline-ssl profile alias sslprofile) # keymap delete rule-id 12 |
||||||||||||||||||||||||||||||||||||
profile alias <alias> network-group multiple-entry <disable | enable> |
Enables or disables inline network group multiple entry for the profile. The default is disabled. An inline network group topology can have multiple network port pairs (for example, Na1, Nb1 and Na2, Nb2). With multiple network port pairs, traffic from a network interface might traverse GigaSMART multiple times. Intercepted traffic from GigaSMART might reenter GigaSMART through a different network interface within the same network group. Starting in software version 5.3, the same traffic sent from GigaSMART can reenter GigaSMART. GigaSMART remembers the inline incoming inline network interface (for example, Na1) for each connection. When traffic from the same connections reaches GigaSMART with a different inline network interface (for example, Na2) within the same network group, GigaSMART will forward the traffic to the corresponding opposite network interface (for example, Nb2), without further processing. This allows traffic from the same connection to reenter GigaSMART. However, the same traffic sent by GigaSMART reentering through the same network port pair (for example, Nb2, Na2) is not supported. For example: (config apps inline-ssl profile alias sslprofile) # network-group multiple-entry enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> no-decrypt tool-bypass <disable | enable> |
Specifies additional configuration options for the no-decrypt action for the profile. This is the action to take if the match action is to bypass decryption as follows:
The default is disable, which means that all non-decrypted SSL traffic is sent to the tools. For example: (config apps inline-ssl profile alias sslprofile) # no-decrypt tool-bypass enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> non-ssl-tcp tool-bypass <disable | enable> |
Specifies a non-SSL TCP action as follows:
The default is disable, which means that all non-SSL traffic is sent to the tools. For example: (config apps inline-ssl profile alias sslprofile) # non-ssl-tcp tool-bypass enable |
||||||||||||||||||||||||||||||||||||
profile alias <alias> rule add
|
Configures rules for the profile based on attributes to match. Select decrypt or no decrypt. The maximum number of rules that can be added is 128, regardless of type. The rule types are as follows:
Examples: (config apps inline-ssl profile alias sslprofile) # rule add domain domain1.com no-decrypt (config apps inline-ssl profile alias sslprofile) # rule add category search_engines decrypt (config apps inline-ssl profile alias sslprofile) # rule add ipv4 srd 1.1.1.1 mask 255.255.0.0 no-decrypt (config apps inline-ssl profile alias sslprofile) # rule add l4port src port 443 decrypt (config apps inline-ssl profile alias sslprofile) # rule add vlan id 100.200 no-decrypt |
||||||||||||||||||||||||||||||||||||
profile alias <alias> rule delete <all |
|
Deletes rules for the profile, either all rules or a specific rule by its rule ID. Examples: (config apps inline-ssl profile alias sslprofile) # rule delete all (config apps inline-ssl profile alias sslprofile) # rule delete rule-id 2 |
||||||||||||||||||||||||||||||||||||
profile alias <alias> starttls
|
Specifies StartTLS Layer 4 (L4) ports as follows:
The specific ports to monitor StartTLS traffic must be specified for the profile. Up to 20 ports can be specified in a comma separated list. Note: Both HTTP CONNECT and StartTLS are supported using the same starttls command. In HTTP CONNECT, the L4 port is the explicit proxy port number. Examples: (config apps inline-ssl profile alias sslprofile) # starttls add l4port 44 (config apps inline-ssl profile alias sslprofile) # starttls delete all (config apps inline-ssl profile alias sslprofile) # starttls delete l4port 12 |
||||||||||||||||||||||||||||||||||||
profile alias <alias> url-cache miss action <decrypt | defer [timeout <1-10>] | no-decrypt> |
Specifies an action to take for the profile. This is the action to take on the traffic if GigaSMART is unable to resolve the URL category information locally. The actions are as follows:
The default is no-decrypt. Examples: (config apps inline-ssl profile alias sslprofile) # url-cache miss action decrypt (config apps inline-ssl profile alias sslprofile) # url-cache miss action defer (config apps inline-ssl profile alias sslprofile) # url-cache miss action defer timeout 5 |
||||||||||||||||||||||||||||||||||||
resumption client <enable | disable> |
Enables or disables client initiated resumption as follows:
The default is enable. Note: Use this command for debugging purposes only. For example: (config) # apps inline-ssl resumption client disable |
||||||||||||||||||||||||||||||||||||
session debug [disable | enable] |
Reserved for internal use. |
||||||||||||||||||||||||||||||||||||
signing rsa for <primary | secondary> key <key alias> |
Specifies SSL signing for RSA. For SSL certificate re-signing, there are different CAs used (primary and secondary) as follows:
Note: If decrypt is specified for invalid certificates, the primary certificate will be used for re-signing invalid certificates if the secondary certificate has not been configured.
NOTES:
Examples: (config) # apps inline-ssl signing rsa for primary key issl1-primary-ca (config) # apps inline-ssl signing rsa for secondary key issl1-secondary-ca |
||||||||||||||||||||||||||||||||||||
trust-store <fetch <append | replace> <URL for trust store file> | reset> |
Installs trusted certificate authority (CA) for server certificate validation as follows:
The supported formats for fetch are: SCP, SFTP, FTP, TFTP, HTTP. Note: A default trust store from Mozilla is included with this software version. Examples: (config) # apps inline-ssl trust-store fetch replace http://1.1.1.1/mitm/my_trust_store.pem (config) # apps inline-ssl trust-store fetch append http://1.1.1.1/mitm/my_trust_store.pem (config) # apps inline-ssl trust-store reset |
Related Commands
The following table summarizes other commands related to the apps inline-ssl command:
Task |
Command |
Displays inline SSL persistent cache entries that match the certificate common name (CN). |
# show apps inline-ssl caching certificate validation internal_ca1.com |
Displays inline SSL persistent certificate cache status, including the number of entries saved in the database. |
# show apps inline-ssl caching certificate validation status |
Displays inline SSL persistent cache entries that match URL domain name. |
# show apps inline-ssl caching url www.gigamon.com |
Displays inline SSL persistent URL cache status, including the number of records cached and the database version. |
# show apps inline-ssl caching url status |
Displays all inline SSL global parameters. |
# show apps inline-ssl global |
Displays brief information for 1000 inline SSL monitor mode sessions. |
# show apps inline-ssl monitor session any |
Displays brief information for inline SSL monitor mode sessions, based on the match. |
# show apps inline-ssl monitor session match ipv4-src 192.168.43.75/32 ipv4-dst 126.1.0.101/32 l4port-src 1124 l4port-dst 443 |
Displays inline SSL monitor mode session summary. |
# show apps inline-ssl monitor summary |
Displays a specified inline SSL profile. |
# show apps inline-ssl profile alias sslprofile |
Displays domain name entry if it is in the decrypt list. |
# show apps inline-ssl profile alias sslprofile decryptlist BadCo.com |
Displays domain name entry if it is in the no-decrypt list. |
# show apps inline-ssl profile alias sslprofile nodecryptlist GoodCo.com |
Displays all inline SSL profiles. |
# show apps inline-ssl profile all |
Displays any inline SSL session. |
# show apps inline-ssl session any |
Reserved for internal use. |
# show apps inline-ssl session debug |
Displays inline SSL sessions that match any IPv4 source IP address and mask, any IPv4 destination IP address and mask, any L4 source and destination port, and hostname. |
# show apps inline-ssl session match ipv4-src any ipv4-dst any l4port-src any l4port-dst any hostname gigamon.com |
Displays inline SSL sessions that match a specific IPv4 source IP address and mask, a specific IPv4 destination IP address and mask, any L4 source and destination port, and hostname |
# show apps inline-ssl session match ipv4-src 126.1.0.141/21 ipv4-dst 126.1.0.22/29 l4port-src any l4port-dst any hostname gigamon.com |
Displays inline SSL sessions that match a specific IPv4 source IP address and mask, destination IP address and mask, L4 source port number and L4 destination port number, and hostname. |
# show apps inline-ssl session match ipv4-src 192.168.1.1/24 ipv4-dst 192.168.1.2/24 l4port-src 56708 l4port-dst 443 hostname gigamon.com |
Displays inline SSL sessions that match a specific IPv4 source IP address and mask, destination IP address and mask, L4 source port number and L4 destination port number, and hostname in detail. |
# show apps inline-ssl session match ipv4-src 192.168.1.1/24 ipv4-dst 192.168.1.2/24 l4port-src 56708 l4port-dst 443 hostname gigamon.com detail |
Displays inline SSL sessions that match a hostname. Not all the matching criteria needs to be specified, for example, instead of gigamon.com, you can specify gigamon or gamon. |
# show apps inline-ssl session match hostname gigamon.com# show apps inline-ssl session match hostname gigamon# show apps inline-ssl session match hostname gamon |
Displays inline SSL sessions that match a hostname in detail. |
# show apps inline-ssl session match hostname gigamon.com detail |
Displays inline SSL session summary information. |
# show apps inline-ssl session summary |
Displays inline SSL trust store. |
# show apps inline-ssl trust-store all |
Displays a specified inline SSL certificate by fingerprint. The format is XX:XX:XX:XX, which is the hex representation of the first four octets of the certificate’s SHA1 fingerprint. |
# show apps inline-ssl trust-store certificate fingerprint D1:EB:23:A4 |
Deletes a specified inline SSL profile. |
(config) # no apps inline-ssl profile alias sslprofile |
Deletes all inline SSL profiles. |
(config) # no apps inline-ssl profile all |
Specifies that SSL primary and secondary certificate for RSA can be overwritten. Note: The primary and secondary signing keys are not deleted with these commands, however, after these commands are issued, a new certificate/key pair can be configured, which will overwrite the existing certificate/key pair. |
(config) # no apps inline-ssl signing rsa for primary (config) # no apps inline-ssl signing rsa for secondary |
Deletes a specified inline SSL certificate by fingerprint. |
(config) # no apps inline-ssl trust-store certificate fingerprint 8E:1C:74:F8 |
Clears the inline SSL certificate validation persistent cache. |
(config) # clear apps inline-ssl caching cert-validation |
Clears the inline SSL URL persistent cache. |
(config) # clear apps inline-ssl caching url |
Clears inline SSL session statistics summary. |
(config) # clear apps inline-ssl session summary |