Configure Inline TLS/SSL Decryption Using GigaVUE‑FM

To configure inline TLS/SSL decryption:

1. Access the workflow
   1. Go to Physical Nodes and select a GigaVUE‑HC1, GigaVUE‑HC2, or GigaVUE‑HC3.
2. Complete the Configure Inline TLS/SSL Decryption Using GigaVUE‑FM.
3. Complete the Inline TLS/SSL Map Workflow Steps (for Flow B) .
4. After completing the set-up workflows, verify Your Maps.
   1. Click To Maps to verify the maps created by the workflow.
   2. For inline network ports, go to Inline Bypass > Inline Networks. Select the inline network port and click Edit from the Actions drop-down menu. Under Configuration, select a traffic path of To Inline Tool. If using protected inline networks, disable Physical Bypass.
   3. Click Apply.

1. On the left navigation pane, click , and then select Physical > Nodes.

2. In the Physical Nodes page, select the node for which you want to create the Key Store password. Go to GigaSMART>Inline SSL >Key Store.

3. Set Up Keychain Password
   1. Click Keychain Password from the Actions drop-down menu.

   2. Enter a password in the Password field.

      You can only configure a strong password. A strong password should include at least eight (8) or more characters (up to 64) and include the following:

      o

      one uppercase letter

      o

      one lowercase letter

      o

      one numerical character

      o

      one special character

   3. Enable the Auto login check box to let GigaVUE-FM unlock the key store when the node reboots
   4. Click Save. The keychain password is setup.
4. Set Up the Key Pairs
   1. Add a New key pair:
      1. Click New to configure the primary signing certificate and private key. The primary CA re-signs certificates for servers that present a valid certificate.
      2. Enter an Key Alias for the Key Pair. Click RSA or ECDSA for Key Type. Click PEM or PKCS12 for Type.

      3. (optional) For Passphrase, enter a passphrase for the key.

      4. Select a Private Key by pasting the copied key in PEM format or installing from URL or installing from local directory.

      5. Select a Certificate by pasting the copied key in PEM format or installing from URL or installing from local directory.

      6. Click OK. The Primary Key Pair is added and can be selected from the Key Store page.
   2. Still under Key Store, repeat the "Add a key pair" steps to configure the secondary signing certificate and private key.
5. Set up the Signing Certificate Authority (CA)
1. The next step is to configure Signing CA. Click Signing CA from the Inline SSL page.
2. Click Add and map each of the key pairs installed to the Primary Root CA and Secondary Root CA.
3. Click OK to confirm the changes. The signing CA is configured.
6. Set Up the Trust Store (optional)
   1. The next step is to configure the Trust Store.
   2. Click Trust Store from the Inline SSL page.
   3. No configuration is required if you use the default Trust Store by selecting Reset to Default from the Actions menu.
7. Set Up the inline SSL Policy Profile
   1. The next step is to set up Inline SSL Profile.
   2. Click SSL Profiles from the Inline SSL page.
   3. Click New to configure an inline TLS/SSL profile. The profile specifies policy configuration, such as certificate handling and actions to take for the profile.
   4. Enter an alias for the profile. Under Policy Configuration, select a Default Action of Decrypt. Under Security Exceptions, select Decrypt or Drop.
   5. Under No-decrypt list/Decrypt list, enable the No-decrypt list and Decrypt list checkbox. Enter the paths to the files.
   6. Under Policy Rules, click Add a Rule.
      1. Select Category from the Rule drop-down (under condition) menu. Select financial_services from the Category drop-down menu. Add another rule.
      2. Select Category from the Rule drop-down menu. Select health_and_medicine from the Category drop-down menu. Add another rule.
      3. Select Domain from the Rule drop-down menu. Enter youtube.com in Value text box for the Domain. Click Apply.
      4. The inline TLS/SSL profile is added. For details about the Inline TLS/SSL Policy Profile fields and their descriptions, refer to Inline TLS/SSL Policy Profile—Field References.
8. Set Up Network Access
   1. The next step is to set up Network Access.
   2. Click Network Access from the Inline SSL page.
   3. Select DHCP and DHCP Enabled for a specified GigaSMART module.
   4. Click OK. The network access is configured.

Note:  To verify the Network Access configuration, you can do the Ping Test as follows:

1. Navigate to GigaSMART > Inline SSL > Network Access.
2. In the Inline SSL Network Access window, on the Ping Test section, enter or select the GigaSMART Port and IP Address/Host Name.
3. Click Ping to run the ping test. The test results appears in the Ping Result box.

Next, complete the Inline TLS/SSL Map Workflow Steps (for Flow B)

Inline TLS/SSL Policy Profile—Field References

The following table lists and describes the attributes that define the Inline TLS/SSL Policy Profile.

Field	Description
Alias	Enter a unique name for the flexible inline SSL APP.
Policy Configuration
SSL Monitor Mode	Select an SSL Monitor Mode from one of the following options: ■   Enable—When the monitor mode is enabled, the SSL decryption or encryption is off. The monitor application collects information such as the TCP ports that are in use and VLAN information about the incoming traffic, and forwards the packets to the tool port or network port based on the non-SSL TCP bypass action. ■   Disable—This is the default value. When the monitor mode is disabled, the SSL decryption or encryption is on. Use this mode during the deployment stage. ■   Inline—Both monitor mode and SSL decryption or encryption is on. Use this mode to debug issues. Refer to Inline TLS/SSL Monitor Mode for details.
Default Action	Select one of the following option: ■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP. ■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.
URL Cache Miss Action	Select one of the following options: ■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP. ■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP. ■   Defer—Delay the decryption until the Defer Timeout seconds provided.
Tool Fail Action	The failover action taken in response to a failure of an inline tool. Select one of the following options: ■   Bypass Tool—The traffic bypasses the failed inline tool. ■   Drop Connection—The traffic is dropped.
Decrypt Tool bypass	Bypasses the decrypted TLS/SSL traffic.
No Decrypt Tool bypass	Bypasses the non-decrypted TLS/SSL traffic.
Non-SSL TCP Traffic Tool bypass	Bypasses the non-TLS/SSL, that is the TCP intercepted traffic.
High Availability	Select the check box to detect the link switchover by upstream device that is in active or standby mode. Note:  Do not select this check box if the inline network links are in active state. Refer to High Availability Active Standby for details.
Network Group Multiple Entry	Select this check box to allow the traffic from different inline network to reenter GigaSMART. Refer to Inline Network Group Multiple Entry for details.
Tool Early Engage	Select this check box to allow the inline tools to change the MAC address or VLAN IDs. When a connection request is received from the client, GigaSMART establishes the connection with the inline tool first, before connecting with the server. This helps the inline tools to modify the MAC address or VLAN IDs when sending the traffic back to the server. Refer to Tool Early Engage for additional information and limitations.
One-Arm Mode	Select this check box to have both the client and server traffic travel through the same physical link or logical aggregate port channel. Refer to Tool Early Engage for additional information and limitations. Note:  You can enable the One-Arm mode only if you have enabled the Tool Early Engage option.
StartTLS Port	Enter the required SSL/TLS ports. Refer to StartTLS and HTTP CONNECT for details.
Security Exceptions	You can choose to either decrypt or drop the traffic for the following certificates: ■   Self-signed certificate ■   Unknown CA certificate ■   Invalid certificate ■   Expired certificate You can also choose to configure the security exceptions for certificate revocation validation based on OCSP or CRL on inline decryption profile. Select one of the following options: ■   Soft Fail—If you select this option, the client browser displays the secondary MitM certificate and the inline decryption session stats in GigaVUE‑FM displays as Decrypt. ■   Hard Fail—If you select this option, the client browser displays the certificate from DigiCert and the inline decryption session stats in GigaVUE‑FM displays as Bypass: Unknown Revocation. Refer to Certificate Revocation List (CRL), Online Certificate Status Protocol (OCSP), CRL and OCSP, and Checking Certificate Revocation Status for details.
No-decrypt list/Decrypt list	Select the following check boxes: ■   No-decrypt list—Allows traffic from certain classes such as sites, domains, host-based IP address and IP subnets (decision based on LPM) to bypass decryption. ■   Decrypt list—Allows traffic from certain sites, domains, host-based IP address and IP subnets (decision based on LPM) to always be decrypted. To update/append, download the existing whitelist/blacklist text file from GigaVUE-FMFM, add new entries, and upload. This will not remove the existing entries in the list. To replace the entire list, download the existing whitelist/blacklist text file from GigaVUE-FM, retain a copy, clear the list and upload a new whitelist/blacklist. Refer to No-decrypt Listing Policy and Decrypt Listing Policy for details.
Policy Rules	Add the required policy rules for the inline decryption profile.
TCP Port Map Decryption	The TCP destination port for decrypted traffic sent to inline tools can be configured as part of the inline decryption profile. Configure the required Priority 1 map, which is user configurable and Priority 2 map, which is the default out port. Refer to Inline TLS/SSL Decryption Port Map for details.
TCP Settings	Configure the required TCP settings as follows: ● TCP Inactive Timeout—TCP Inactive session timeout in minutes ● TCP Delayed ACK—GigaSMART Inline TLS/SSL decryption ACKs every TCP packet by default. If TCP Delayed ACK is enabled, then GigaSMART decryption will wait for 100ms or ACK every third packet – whichever comes first. ● TCP SYN Retries—number of retries made by the MitM to initiate a session with the destination server. If a SYN/ACK response isn't received from the destination server on initial TCP SYN, GigaSMART attempts for additional number of TCP SYN Retries as defined by the user.
Server Key Map	A server key map binds a server with a key pair alias.
Split-Proxy Settings
Split-Proxy	Select the check box to enable the split proxy settings for the inline decryption solution. The TLS connection between the server and client is divided into two independent connections and the security parameters are kept separate.
Non-PFS Ciphers (Server)	Select the check box to enable the non-PFS ciphers settings for the inline decryption solution that has the split proxy settings enabled. This setting is to indirectly force the server to use protocols that are lower than TLS1.3 with non-PFS ciphers. This means that the ciphers with DHE/ECDHE key-exchange will not be used on the server side.

1. After completing the Configure Inline TLS/SSL Decryption Using GigaVUE‑FM, go to Workflows and select Inline SSL Map from the Inline GigaSMART Operations section.
2. Set Up Inline Networks
   1. Select FLOW B.
   2. The first step in the Workflow is Inline Network(s). Select a default inline network from the Inline Network(s) drop-down menu. This is a protected inline network.
3. Set Up Inline Tools
   1. Click Next. The next step in the Workflow is Inline Tool(s).
   2. Click Create Inline Tool. Then click Port Editor. In the Quick Port Editor, locate ports and select Type of Inline Tool from the drop-down menu. Click Enable for those ports.
   3. Click OK. The inline tool port is added. Click Close to exit the Quick Port Editor.
   4. Still under Inline Tool(s), enter an alias for the inline tool. Select Port A and Port B from the drop-down menus for the inline tool port pair. Under Configuration, ensure that Inline tool sharing mode is selected. Under Heartbeats, select Enable Regular Heartbeat.
   5. Click OK. The inline tool is configured.
4. Create GigaSMART Group
   1. Click Next. The next step in the Workflow is GS Group. Click Create to configure a GigaSMART group and associate it with a GigaSMART engine port. Enter an alias for the GigaSMART group and select a GigaSMART engine port from the Port List.
   2. Click OK. The GigaSMART group is added.

   3. Note:  You should always allow a maximum of 3 minutes time gap when you delete and recreate a gsgroup through GigaVUE-FM.

5. Set Up the Virtual Port
   1. Click Next. The next step in the Workflow is Virtual Port. Click Create to configure a virtual port.
   2. You cannot add multiple vports on the same gsgroup.
   3. Enter an alias for the virtual port, select the previously configured GigaSMART group, then select an Inline Failover Action.
   4. Click OK. The virtual port is added.
6. Set Up the GigaSMART Operation
   1. Click Next. The next step in the Workflow is GS Operation. Click Create to configure a GigaSMART operation.
   2. Enter an alias for the GigaSMART operation, select the previously configured GigaSMART group, select Inline SSL as the GigaSMART Operation (GSOP), then select the previously configured Inline SSL profile.
   3. Click OK. The GigaSMART operation is added.
7. Set Up the Inline Rule-Based Map
   1. Click Next. The next step in the Workflow is Inline Rule Based Map.
   2. Configure the inline rule-based map. This map directs traffic from the inline network to the inline tool, using a specified rule. It has the same source port as the inline first level map and the same destination port as the inline second level map. Enter an alias for the map, and select the map Type (Inline) and Subtype (By Rule), select the source inline network and the destination inline tool.
   3. Click Add a Rule to specify a map rule. Click Bi-directional, select IPv4 Protocol from the Rule drop-down menu, and select TCP from the Protocol drop-down menu. Select Port Destination from the Rule drop-down menu and enter 80 in the text box for Min.
   4. Click OK. The map is added.
8. Set Up the Inline First-Level Map
   1. Click Next. The next step in the Workflow is Inline First Level Map.
   2. Configure the inline first level map. This map directs TCP traffic from the inline network to a virtual port (and to GigaSMART). Enter an alias for the map, and select the map Type (Inline First Level) and Subtype (Ingress to Virtual Port). Under Map Source and Destination, select the inline network as the source and the virtual port as the destination. Under Map Rules, click Add a Rule. Select IPv4 Protocol from the Rule drop-down menu, and select TCP from the Protocol drop-down menu.
   3. Click OK. The map is added.
9. Set Up the Inline Second-Level Map
   1. Click Next. The next step in the Workflow is Inline Second Level Map.
   2. Configure the next map, which is the inline second level map. This map directs traffic from the virtual port, uses the inline TLS/SSL GigaSMART operation, and sends traffic to the inline tool. Enter an alias for the map and select the map Type (Inline Second Level) and Subtype (Egress from Virtual Port). Under Map Source and Destination, select the virtual port as the source and the inline tool as the destination, then select the inline SSL GigaSMART operation.
   3. Click OK. The map is added.
10. Set Up the Collector Map
    1. Click Next. The next step in the Workflow is Collector Map (bypass).
    2. Configure a collector map for any unmatched traffic including non-TCP traffic, which is directed to bypass. Enter an alias for the map, and select the map Type (Inline) and Subtype (Collector), then select a Traffic Path of ByPass. Under Map Source and Destination, select the inline network as the source.
    3. Click OK. The map is added.