Configure TLS/SSL Decryption Solutions

The Inline TLS/SSL Decryption solution can be configured based on use cases. Refer to the following topics for various use cases:

■   Configure Inline TLS/SSL Decryption Solution with Layer 2 Tools
■   Configure Inline TLS/SSL Decryption Solution with Layer 3 Tools
■   Configure Inline TLS/SSL Decryption Solution with RIA
■   Configure Entrust nShield HSM for TLS/SSL Decryption
■   Configure Thales-Luna HSM for TLS/SSL Decryption
■   Configure ICAP Client for Inline TLS/SSL Decryption Solution

Inline SSL App—Field References

These are the fields that you will come across while configuring the Inline SSL APP. The table below lists and describes the attributes that define the Flexible Inline Decryption solution.

Field

Description

Alias

Enter a unique name for the flexible inline SSL APP.

Resilient Inline Arrangements

Enable this to configure a Resilient Inline Arrangement.

GS engines

Select the required GigaSMART engines.

TLS/SSL Monitor Mode

Select a TLS/SSL Monitor Mode from one of the following options:

■   Enable—When the monitor mode is enabled, the TLS/SSL decryption or encryption is off. The monitor application collects information, such as the TCP ports in use and VLAN information about the incoming traffic, and forwards the packets to the tool port or network port based on the non-TLS/SSL TCP bypass action.
■   Disable—This is the default value. When the monitor mode is disabled, the TLS/SSL decryption or encryption is on. Use this mode during the deployment stage.
■   Inline—Both monitor mode and TLS/SSL decryption or encryption are on. Use this mode to debug issues.

HSM Group

Select an HSM Group alias that you have configured from the drop-down list. Select Disable from the drop-down list to disable the HSM Group.

Notes:
Thales-Luna Network HSM configuration is supported in Inbound, Outbound, and Hybrid deployment types.
Entrust nShield HSM configuration is supported in Inbound, Outbound, and Hybrid deployment types.

Advanced Session Statistics

Enable this option to visualize advanced Inline SSL Session dashboards, such as Session Insights and Session Table, in the Fabric Health Analytics dashboard. The basic dashboards are available by default as you configure an Inline SSL session.

Refer View Inline TLS/SSL Dashboards to know more.

Keychain Password

The keychain password must be configured before installing certificates and keys.

To add or reset the Keychain Password:

a. Click Keychain Password, and then choose either Add or Reset.
b. If you choose to reset the Keychain Password, enter a password that is 8 to 30 characters long and contains at least one numerical character, one uppercase character, one lowercase character, and one special character.
c. Select the Auto Login check box to enable GigaVUE‑FM to unlock the keystore when the device reboots.
d. Click OK to save the Keychain Password.

Add new keys

To configure a certificate-key pair:

a. Click Add new keys to open the Key page.
b. Enter a name and description for the key.
c. Select the required Key Type and File Type.
d. If needed, include a Passphrase for the key when you select PEM or PKCS12 as the File Type.
e. When you choose Luna-HSM, enter the Key label for the key.
f. Add the required Private Key and Certificate.
g. Click OK to save the configuration.

Deployment Type

Select one of the following deployment types:

■   Inbound—For inbound deployments, add a new Server Key Mapping. Enter the domain name or IP address of the server, and then select the required Key Pair Alias.
■   Outbound—For outbound deployments, add a primary and a secondary signing Certificate Authority (CA).
■   Hybrid—For hybrid deployments, add a new Server Key Mapping, and a primary and a secondary signing CA.

Configurations

Default Action

Select one of the following options:

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.

URL Cache Miss Action

Select one of the following options:

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.
■   Defer—Delay the decryption decision for the number of seconds configured as the Defer Timeout.

Tool Fail Action

The failover action taken in response to a failure of an inline tool. Select one of the following options:

■   Bypass Tool—The traffic bypasses the failed inline tool.
■   Drop Connection—The traffic is dropped.

Tool Bypass

Select the required options:

■   Decrypted TLS/SSL Traffic—Bypasses the decrypted SSL traffic.
■   No Decrypted TLS/SSL Traffic—Bypasses the non-decrypted SSL traffic.
■   Non-TLS/SSL TCP Traffic—Bypasses the non-TLS/SSL TCP traffic, that is, the intercepted TCP traffic that does not carry TLS/SSL.

High Availability

Select the check box to detect a link switchover by an upstream device that is in active or standby mode.

Note:  Do not select this check box if the inline network links are in the active state.

Network Group Multiple Entry

Select this check box to allow traffic from different inline networks to reenter GigaSMART.

Tool Early Engage

Select this check box to allow the inline tools to change the MAC address or VLAN IDs. When a connection request is received from the client, GigaSMART establishes the connection with the inline tool first, before connecting with the server. This helps the inline tools to modify the MAC address or VLAN IDs when sending the traffic back to the server.

HTTP Downgrade

HTTP 2.0 Downgrade option is enabled by default. HTTP 2.0 traffic is downgraded to HTTP 1.1 for decryption. If the downgrade option is disabled, HTTP 2.0 traffic is forwarded without decryption.
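The downgrade is typically achieved by filtering the ALPN extension (RFC 7301) offered in the ClientHello so that the server can no longer select HTTP/2; that mechanism is an assumption about the product, and the following is an added illustration rather than code from this page. The sample ALPN offer is constructed:

```python
import struct

ALPN_EXTENSION_TYPE = 16  # RFC 7301 extension type for ALPN (informational here)


def parse_alpn(body: bytes) -> list:
    """Decode an ALPN extension body into its list of protocol names.

    Layout (RFC 7301): 2-byte ProtocolNameList length, then repeated
    1-byte name length followed by the name bytes.
    """
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("ALPN list length does not match extension body")
    names, pos = [], 2
    while pos < len(body):
        n = body[pos]
        if n == 0 or pos + 1 + n > len(body):
            raise ValueError("malformed ALPN protocol name")
        names.append(body[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names


def build_alpn(names: list) -> bytes:
    """Encode a list of protocol names as an ALPN extension body."""
    encoded = b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)
    return struct.pack("!H", len(encoded)) + encoded


def downgrade_h2(body: bytes) -> bytes:
    """Remove the HTTP/2 identifier ("h2") from the client's ALPN offer.

    With h2 gone the server can only choose HTTP/1.1 (or no ALPN protocol).
    If the client offered nothing but h2, the list would become empty, so
    b"" is returned to signal that the extension should be dropped instead
    of forwarding an invalid zero-length list.
    """
    kept = [n for n in parse_alpn(body) if n != "h2"]
    return build_alpn(kept) if kept else b""


# Constructed sample: a browser offering h2 first, then http/1.1
SAMPLE_ALPN = build_alpn(["h2", "http/1.1"])
```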

NAT/PAT mode

Enable this to perform NAT/PAT (Network/Port Address Translation) in Layer-3 inline tools.

Tool Early Inspect

Select this check box to allow the inline tool to inspect the decrypted data first before connecting to the server. This will allow the inline tool to validate the data and ensure that only valid connections are sent to the server.

Notes:
You can access the Tool Early Inspect feature from the flex Inline SSL APP only. Tool Early Inspect cannot co-exist with features such as RIA, NAT/PAT mode, Tool Early Engage, One-Arm, and Decryption Port Mapping.
If Tool Early Inspect is enabled, you can configure the connection timeout value. The connection timeout is the time within which the tool must respond after receiving the first decrypted data. If no response is received within the configured interval, the connection is reset.

StartTLS Port

Enter the required SSL/TLS ports.

MTU

The Maximum Transmission Unit (MTU) is the maximum size of each packet that can be transferred as a single entity in a network connection.

Session Logging

Session Logging

Select the Enable check box to log the Inline TLS/SSL session related information to a remote server.

IP Version

Select IPv4 or IPv6 as the IP Version for the Session Logging server. You can select one session logging configuration per GigaSMART group.

Remote Syslog Server IP

Enter the IP address of the remote syslog server.

Associated IP Interface

In the Associated IP interface drop-down list, select the IP interface that you assigned to the GigaSMART group.

Remote Syslog Port Number

Enter the port number of the remote syslog server.

Log Level

In the Log Level drop-down list, select the severity log level of the events that you want to send to the inline TLS/SSL session logging server.

Traffic Path

Single VLAN Tag

Enable the check box to deploy flexible inline TLS/SSL solution with a single VLAN tag. If an inline tool is involved in an inline TLS/SSL map, the inline tool can be supported across multiple maps with different single VLAN tags.

Note:  Deploying a flexible Inline SSL solution with SVT is optional, and you can choose to enable or disable the Single VLAN Tag option. If you choose to enable the Single VLAN Tag option in the iSSL solution, you should also enable the Single VLAN Tag configuration in the flex map deployed in that solution.

Note:  If you enable the Single VLAN Tag option in the Flexible Inline SSL solution, you should also enable the Single VLAN Tag configuration in the inline-ssl app profile deployed in the solution.

Tool Side VLAN Tag

Enter the required tool side VLAN tag for the inline network.

TPID

Select the TPID for the Tool Side VLAN Tag. The default value of TPID is 0x8100. You can select the other supported values 0x9100 and 0x88a8 from the drop-down list.
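As an added example that is not part of this page or the product, the following shows what the TPID choice means on the wire: the tool side tag is inserted after the MAC header with the selected TPID, and a tool that only recognises 0x8100 will not see a tag carried under 0x88a8 or 0x9100. The frame bytes are constructed:

```python
import struct

# The three TPID values offered on the TPID drop-down list
TPIDS = {0x8100: "802.1Q (default)", 0x9100: "legacy QinQ", 0x88a8: "802.1ad"}


def add_tool_side_tag(frame: bytes, vid: int, tpid: int = 0x8100, pcp: int = 0) -> bytes:
    """Insert a single VLAN tag after the 12-byte destination/source MAC header."""
    if tpid not in TPIDS:
        raise ValueError(f"unsupported TPID 0x{tpid:04x}")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid  # DEI bit left clear
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_outer_tag(frame: bytes, accepted_tpids=tuple(TPIDS)):
    """Return (tpid, vid, inner_ethertype) for a tagged frame, or None.

    Passing accepted_tpids=(0x8100,) models a tool that only understands the
    default TPID: it reports 0x88a8/0x9100-tagged frames as untagged.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in accepted_tpids:
        return None
    tpid, tci, inner = struct.unpack("!HHH", frame[12:18])
    return tpid, tci & 0x0FFF, inner


# Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, dummy payload
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" * 20
```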

Traffic Path

Select one of the following options:

■   Drop—Traffic is dropped at the virtual port.
■   Bypass—Traffic bypasses the virtual port.
■   Monitoring—Traffic is fed to the virtual port and absorbed, while a copy of the traffic is sent to the next inline tool in the sequence. Traffic returned from side B of the network is also absorbed at the virtual port in the monitoring mode.
■   To Inline Tool—Traffic is forwarded to the inline tool. This is the default value.

Note:  You can select the Monitoring option only if you have set the SSL Monitor Mode to either Enable or Inline.

Inline Failover Action

Select one of the following options:

■   Virtual port bypass—All virtual ports configured as the source of any map that triggered this failover action are put in bypass mode, that is, all traffic bypasses the virtual port and is guided to the inline tool or inline tool group.
■   Virtual port drop—All virtual ports configured as the source of any map that triggered this failover action are put in drop mode, that is, all traffic is dropped at the virtual port.
■   Network bypass—All inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action are put in bypass mode, that is, all traffic coming to side A is directed to side B and vice versa.
■   Network drop—All inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action are put in drop mode, that is, all traffic coming to side A or side B is dropped.
■   Network port forced down—For all inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action, the inline network ports are brought down.

Security Exceptions

You can choose to either decrypt or drop the traffic for the following certificates:

■   Self-signed certificate
■   Unknown CA certificate
■   Invalid certificate
■   Expired certificate

You can also choose to configure the security exceptions for certificate revocation validation based on OCSP or CRL on an inline decryption profile. Select one of the following options:

■   Soft Fail—If you select this option, the client browser displays the secondary MitM certificate, and the inline decryption session stats in GigaVUE‑FM show the session as Decrypt.
■   Hard Fail—If you select this option, the client browser displays the certificate from DigiCert, and the inline decryption session stats in GigaVUE‑FM show the session as Bypass: Unknown Revocation.

No-decrypt list/Decrypt list

Select the following check boxes:

■   No-decrypt list—Allows traffic from certain classes such as sites, domains, host-based IP addresses and IP subnets (decision based on LPM) to bypass decryption.
■   Decrypt list—Allows traffic from certain sites, domains, host-based IP addresses and IP subnets (decision based on LPM) to always be decrypted.

Select from the below operations that can be performed on an uploaded list:

■   Append—Adds to the uploaded list.
■   Replace—Removes the previously added list and adds a new list. This option is supported only on Generation 3 cards.
■   Clear—Completely clears the list.
■   Download—Downloads the list that has been uploaded.

If you select Append/Replace, you can enter the list using any of the following options:

■   Copy and Paste
■   Install from URL
■   Install from Local Directory
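The longest-prefix-match (LPM) decision described above, as an added example that is not from this page or the product: when a destination IP falls inside subnets on both lists, the most specific prefix decides. The sample lists are constructed, only IP entries are modelled (domain entries are left out), and the tie-break for an identical prefix on both lists is an assumption.

```python
import ipaddress

# Constructed sample lists; in the product these come from the uploaded
# No-decrypt list / Decrypt list files.
NO_DECRYPT_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
DECRYPT_LIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16",)]


def longest_prefix(ip, subnets):
    """Prefix length of the most specific subnet containing ip, or -1 if none."""
    return max((net.prefixlen for net in subnets if ip in net), default=-1)


def list_decision(destination, no_decrypt=NO_DECRYPT_LIST, decrypt=DECRYPT_LIST,
                  default_action="Decrypt"):
    """Decide Decrypt / No Decrypt for a destination IP by LPM across both lists.

    The list holding the most specific matching prefix wins, so a /16 on the
    Decrypt list carves an inspected hole out of a /8 on the No-decrypt list.
    An equal-length prefix on both lists is treated as No Decrypt here (assumed
    tie-break; the page does not define one). With no match on either list,
    the profile's Default Action applies.
    """
    ip = ipaddress.ip_address(destination)
    nd, d = longest_prefix(ip, no_decrypt), longest_prefix(ip, decrypt)
    if nd < 0 and d < 0:
        return default_action
    return "No Decrypt" if nd >= d else "Decrypt"
```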

Policy Rules

Add the required policy rules for the inline decryption profile.

Click Add a Rule. In the Condition field, select one of the following options from the drop-down list:

■   Category
■   Domain
■   IPv4 Destination
■   IPv4 Source
■   IPv6 Destination
■   IPv6 Source
■   L4 Port Destination
■   L4 Port Source
■   VLAN
■   X509 Certificate Issuer Name

Select one of the following options:

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.

Network Access

Network access configuration is used to get URL categorization updates.

To configure the network access for the GigaSMART engine ports:

■   Select either DHCP or IP Address as the network access configuration mode.
■   If you select IP Address as the mode, enter the IP Address, Netmask, Gateway, DNS, MTU, and VLAN.
■   DNS or Split DNS—Configure either a default single DNS server or a Split DNS server. To attach a Split DNS server profile to your Inline SSL deployment, choose a Split DNS server from the drop-down list. To configure a new Split DNS profile, click Create new Split DNS.
■   Select either Eth2 or Eth3 as the Interface.
■   To attach a Proxy profile to your Inline SSL deployment, select a Proxy Server Profile from the drop-down list. To configure a new Proxy Server Profile, click Create new Proxy.

Notes:
The Eth3 option is available only for GigaVUE‑HC3 devices.
IP Address configuration mode details must be entered when you select a Luna HSM configuration from the HSM Group drop-down list.
If your Proxy Server profile is associated with an Inline SSL application, choose 'None' in the Proxy Server profile field on the Inline SSL configuration page to disconnect the proxy server profile before deleting the profile.
You cannot enable Gen 2 and Gen 3 GigaSMART engines for network access simultaneously.

Decryption Port Mapping

The TCP destination port for decrypted traffic sent to inline tools can be configured as part of the inline decryption profile. Configure the required Priority 1 map, which is user configurable, and the Priority 2 map, which is the default out port.

Trust Store

The trust store contains a trusted certificate authority (CA) for server validation. You can choose to either append or replace the trust store.

TCP Settings

Configure the required TCP settings as follows:

TCP Inactive Timeout—TCP inactive session timeout in minutes.
TCP Delayed ACK—GigaSMART Inline TLS/SSL decryption ACKs every TCP packet by default. If TCP Delayed ACK is enabled, GigaSMART decryption waits for 100 ms or ACKs every third packet, whichever comes first.
TCP SYN Retries—Number of retries made by the MitM to initiate a session with the destination server. If a SYN/ACK response is not received from the destination server for the initial TCP SYN, GigaSMART retries the TCP SYN the number of times defined by the user.
TCP TIMEWAIT Timeout—Configure the TCP TIMEWAIT timeout value from 0 to 300 seconds. The default value is 30 seconds. A TCP connection in the TIME_WAIT state is deleted after the timeout period.

Split-Proxy Settings

Split-Proxy

Select the check box to enable the split proxy settings for the inline decryption solution. The TLS connection between the server and client is divided into two independent connections, and the security parameters are kept separate.

Non-PFS Ciphers (Server)

Select the check box to enable the non-PFS ciphers settings for the inline decryption solution that has the split proxy settings enabled. This setting is to indirectly force the server to use protocols that are lower than TLS 1.3 with non-PFS ciphers. This means that the ciphers with DHE/ECDHE key-exchange will not be used on the server side.

Miscellaneous (Global Settings)

SSL/TLS Version

Select the minimum and maximum SSL/TLS version.

Connection Reset Action

Select one of the following options for the minimum SSL/TLS version:

■   Drop—Closes all sessions that are below the minimum SSL/TLS version specified. This ensures that the network is safe from weak TLS/SSL connections. This is the default option.
■   No Decrypt—Bypasses all sessions that are below the minimum SSL/TLS version specified.

Select one of the following options for the maximum SSL/TLS version:

■   No Decrypt—Bypasses all sessions that are above the maximum SSL/TLS version specified. This is the default option.
■   Drop—Closes all sessions that are above the maximum SSL/TLS version specified.

Caching persistence

Select this check box to allow the information to be saved on the node in the control card’s persistent storage so that it can be retrieved in case of reboots.

DHE Cipher Suites

Enable this to use DHE cipher suites.