Configure Inline TLS/SSL Decryption Solution with Layer 2 Tools

This section describes how to configure and deploy an Inline TLS/SSL Decryption solution using Layer 2 tools.

Prerequisites

■   A configured and reachable GigaSMART engine on the selected device to host the Inline SSL app.
■   Configure and unlock the Keychain Password in GigaVUE-FM to access the keystore; optionally enable Auto Login for unattended restarts.
■   Prepare required keys and certificates for your deployment direction:
o   Inbound: server private key(s) and corresponding certificate(s).
o   Outbound/Hybrid: appropriate CA/certificate chain for re-signing or policy-based decryption.
■   Keep key types and file formats (PEM/PKCS12/Luna-HSM) and any passphrases ready.
■   Decide the deployment type you will use (Inbound, Outbound, or Hybrid) so the Inline SSL app can be configured accordingly.
■   Plan the software constructs you will create during configuration: at minimum, an Inline Network and an Inline Tool to connect your Layer 2 (transparent) inspection device(s). Ensure the required ports are identified and available.
■   Ensure your connected tools can operate in Layer 2 transparent mode (inspect decrypted traffic without altering packet contents).

Access Flexible Inline Canvas

1.   Go to Physical > Orchestrated Flows > Inline Flows > Configuration Canvas to create a new Flexible Inline Canvas.
2. In the displayed Flexible Inline Canvas, select the device where you want to configure the TLS/SSL decryption.

Configure Inline Network

1.   On the left pane, click the ‘+’ icon next to the Inline Network option to create a new entry.
2. In the Alias and Description fields, enter a name and description for the inline network.
3. Click Port Editor. In the Quick Port Editor, scroll down to the inline network ports that you want to configure. Select Enable to administratively enable the inline network ports, and click OK to apply the changes.
4. From the Port A and Port B drop-down lists, select the ports that you want to configure as the inline network pair.
5. From the Traffic Path drop-down list, select To Inline Tool.
o   To Inline Tool—All traffic originating from the inline network is directed to the sequence of inline tools and inline tool groups, and is guided through them according to the current status of each inline tool and inline tool group.
6. Click OK. You have successfully created an Inline Network.

To explore additional options during configuration, refer to Inline Network Ports and Inline Network.

Note:  If there are multiple Inline Network Ports, you can configure Inline Network bundle. Refer to Configure Inline Network Bundle.

Configure Inline Tool

1.   On the left pane, click the ‘+’ icon next to the Inline Tool option to create a new inline tool.
2. In the Properties pane, in the Alias and Description fields, enter a name and description for the inline tool.
3. From the Type drop-down list, select one of the following options:
o   External- To configure a third-party tool.
o   GigaVUE Node- To configure a GigaVUE node as a tool.
4. Click Port Editor. In the Quick Port Editor, scroll down to the inline tool ports that you want to configure. Select Enable to administratively enable the inline tool ports, and then click OK to apply the changes.
5. From the Port A and Port B drop-down lists, select the inline tool ports, matching the direction in which the inline tool expects to receive traffic from the network.
6. Verify that the Enabled check box is selected.
7. Click OK. You have successfully created an Inline Tool.

To explore additional options during configuration, refer to Inline Tool Ports and Inline Tools.

Create an Inline SSL APP

1.   On the left pane, click the ‘+’ icon next to the Inline SSL APP option.
2. In the Alias field, enter a name for the Inline SSL APP.
3. From the GigaSMART Engine drop-down list, select the required engine.
4. Under Deployment Type, set up the Keychain Password:
a. Click Keychain Password, and choose either Add or Reset.
b. If you choose Reset, enter a password that is 8 to 30 characters long and contains at least one numeral, one uppercase letter, one lowercase letter, and one special character.
c. Select the Auto Login check box if you want GigaVUE-FM to unlock the keystore automatically when the device reboots. If you leave it cleared, the keystore stays locked after a reboot until the password is entered again, and decryption does not resume until then.
d. Click OK to save the Keychain Password.
5. Configure Keys and Certificates. A key is used either for decryption (inbound deployment) or for re-signing and re-encryption (outbound deployment).
a. Click Add Keys to open the Key page.
b. Enter a name and description for the key.
c. Select the required Key Type and File Type.
d. If the File Type is PEM or PKCS12, enter the Passphrase for the key if it has one.
e. If you choose Luna-HSM, enter the Key Label for the key.
f. Add the required Private Key and Certificate.
g. Click OK to save the configuration.
6. Select the required deployment type:
o   Outbound - Add the configured primary and secondary signing Certificate Authorities (CAs).
o   Inbound - Add a new Server Key Mapping: enter the domain name or IP address of the server, and select the required Key Pair Alias.
o   Hybrid - Add a new Server Key Mapping, and a primary and a secondary signing CA.
7. Click OK to save the configuration.
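The deployment-type step pairs key material with server names (Inbound) or with signing CAs (Outbound and Hybrid). The script below is an added example, not part of the Gigamon documentation or product, that checks that material before it is uploaded: that a private key actually belongs to the certificate it is paired with, that an inbound certificate names the server in the Server Key Mapping, that an outbound signing certificate is a CA able to sign, and that a PKCS12 bundle opens with the passphrase you intend to enter. It assumes only the openssl command-line tool. The file names, the domain www.example.com, the CA name and the passphrase Keychain-Pw1 are constructed for the demo; point the functions at your own files.

```shell
#!/bin/sh
# Added example (not Gigamon code): pre-upload checks for TLS key material.
# Requires the openssl CLI. All fixtures below are constructed for the demo.

# Succeeds if the private key in $1 belongs to certificate $2 (same public key).
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$2" -noout 2>/dev/null || return 1
  kmc_key=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$kmc_key" = "$kmc_crt" ]
}

# Inbound: succeeds if certificate $2 lists $1 (the Server Key Mapping domain
# or IP address) in its subjectAltName. Clients validate the SAN, not the CN.
cert_covers_name() {
  openssl x509 -in "$2" -noout -text 2>/dev/null |
    grep -Eq "(DNS|IP Address):$1(,|$)"
}

# Outbound/Hybrid: succeeds if $1 can act as a re-signing CA, i.e. it carries
# basicConstraints CA:TRUE and a keyUsage that permits certificate signing.
# A leaf (server) certificate fails this check and cannot re-sign anything.
is_signing_ca() {
  isc_txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$isc_txt" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$isc_txt" | grep -q 'Certificate Sign'
}

# PKCS12: succeeds if bundle $1 opens with passphrase $2 (MAC check and parse).
pkcs12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Build constructed demo material in directory $1: a server key and self-signed
# certificate for www.example.com, an unrelated key, a signing CA and a PKCS12.
# A private config file is used so the demo does not depend on a system openssl.cnf.
make_fixtures() {
  mf_d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$mf_d/req.cnf"
  for k in server other ca; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$mf_d/$k.key" 2>/dev/null
  done
  printf 'subjectAltName=DNS:www.example.com,DNS:example.com\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$mf_d/server.ext"
  openssl req -new -config "$mf_d/req.cnf" -key "$mf_d/server.key" -subj "/CN=www.example.com" -out "$mf_d/server.csr" 2>/dev/null
  openssl x509 -req -in "$mf_d/server.csr" -signkey "$mf_d/server.key" -days 1 -extfile "$mf_d/server.ext" -out "$mf_d/server.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$mf_d/ca.ext"
  openssl req -new -config "$mf_d/req.cnf" -key "$mf_d/ca.key" -subj "/CN=Inline Decrypt Signing CA" -out "$mf_d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$mf_d/ca.csr" -signkey "$mf_d/ca.key" -days 1 -extfile "$mf_d/ca.ext" -out "$mf_d/ca.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$mf_d/server.key" -in "$mf_d/server.crt" -passout pass:Keychain-Pw1 -out "$mf_d/server.p12" 2>/dev/null
}

# Demo on the constructed fixtures; each line mirrors a check you would run on
# real material before the Add Keys / Server Key Mapping / signing CA steps.
demo=$(mktemp -d)
make_fixtures "$demo"
key_matches_cert "$demo/server.key" "$demo/server.crt" && echo "server.key matches server.crt: OK to pair"
key_matches_cert "$demo/other.key" "$demo/server.crt" || echo "other.key does not match server.crt: reject"
cert_covers_name www.example.com "$demo/server.crt" && echo "mapping www.example.com -> server.crt: covered by SAN"
cert_covers_name api.example.com "$demo/server.crt" || echo "mapping api.example.com -> server.crt: NOT covered, fix the mapping"
is_signing_ca "$demo/ca.crt" && echo "ca.crt: usable as outbound signing CA"
is_signing_ca "$demo/server.crt" || echo "server.crt: leaf certificate, not a signing CA"
pkcs12_opens_with "$demo/server.p12" Keychain-Pw1 && echo "server.p12 opens with the intended passphrase"
rm -rf "$demo"
```

The checks are deliberately conservative: a certificate without a keyUsage extension is technically allowed to sign, but a signing CA you generate for decryption should carry CA:TRUE and keyCertSign explicitly, so the check requires both.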

Deploy Inline TLS/SSL Decryption Solution

In the Flexible Inline Canvas:

1.   Drag and drop the required inline network or inline network bundle.
2. Drag and drop the flexible inline map into the canvas. The Properties pane opens automatically. If configuration is needed, provide values for the following fields:
•   In the Alias and Description fields, enter the name and description of the inline map.
•   Enter the Tool Side VLAN Tag for the inline network for which you are configuring the map.
•   Select the TPID for the Tool Side VLAN Tag. The default value of TPID is 0x8100. You can select the other supported values 0x9100 and 0x88a8 from the drop-down list.
•   Add the required rules for the inline map, and click OK to save the configuration.
3. Drag and drop the Inline SSL APP.
4. Drag and drop the required inline tools or inline tool group.
5. Drag and drop the OOB Copy, if required.
6. Click Deploy, and choose the Traffic Path—either Logical Bypass or Keep as is. Select the option that best suits your deployment needs, and click OK.

Verify the Solution

In GigaVUE‑FM, open the Flexible Inline Canvas: Physical > Orchestrated Flows > Inline Flows > Configuration Canvas, select the target device, and open the deployed solution on the canvas. Confirm that the solution shows as deployed and that the inline network, Inline SSL APP and inline tools appear on the canvas in the order you placed them.

What to Do Next

After deployment, you can view the Monitor and Session statistics. Refer to View Inline TLS-SSL Session Statistics. You can also view the Inline TLS/SSL Dashboards. Refer to View Inline TLS/SSL Dashboards.