Configure Flexible Inline TLS/SSL Decryption Solution

Refer to the following sections that provide details about the flexible inline decryption solution and instructions on how to configure it:

■   Flexible Inline TLS/SSL Decryption Solution
■   Benefits of Flexible Inline TLS/SSL Decryption Solution
■   Flexible Inline TLS/SSL Decryption Solution—Rules and Notes
■   Configure Flexible Inline TLS/SSL Decryption Solution

Flexible Inline TLS/SSL Decryption Solution

The flexible inline TLS/SSL decryption solution combines the flexible inline arrangements feature with the inline TLS/SSL decryption solution. It includes the GigaSMART-based packet processing, which is the inline TLS/SSL decryption functionality into the flexible inline arrangements framework. In the flexible inline TLS/SSL decryption solution, the outer maps guide the inline traffic to GigaSMART for preprocessing. The inner map guides the traffic processed by GigaSMART through a user-defined sequence of inline tools and inline tool groups.

1 illustrates an example of how the inline TLS/SSL decryption functionality is incorporated in the flexible inline arrangements framework to form the flexible inline decryption solution.

 

1 Flexible Inline Decryption Solution

In this example, the HTTP Port Destination:80 traffic is guided through the Flexible inline map, Rule Map2 to the sequence of inline tools, Inline Tool 1 and Inline Tool 2. The TCP traffic is encrypted and guided through Rule Map1 to GigaSMART, where it is decrypted and guided to Inline Tool 2 and Inline Tool 3. The decrypted traffic is guided back to GigaSMART, and then it is re-encrypted and routed to the network. Here, the Rule Map 1 is the outer map, which guides the traffic to GigaSMART for preprocessing. The inner map guides the traffic processed by GigaSMART through a series of inline tools or inline tool groups.

The rest of the traffic is guided through the Collector Map to a series of inline tools, and then to the network.

2 illustrates the different maps that guide the traffic in the flexible inline TLS/SSL decryption solution.

The outer maps are similar to the flexible inline maps but include virtual port alias along with inline tools and inline tool groups as the destination port. The same virtual port alias can be used in multiple outer maps.

Depending on the flexible inline TLS/SSL decryption solution that you create, there may be two types of inner maps:

■   Inner Proxy Maps, which guides the traffic from GigaSMART to the inline tools or inline tool groups.
■   Inner Non-proxy Maps or Network-end Maps, which guide the traffic that is bypassed from GigaSMART to the inline tools or inline tool groups.

 

2 Flexible Inline Decryption Maps

Benefits of Flexible Inline TLS/SSL Decryption Solution

The flexible inline TLS/SSL decryption solution incorporates the inline TLS/SSL decryption with the flexible inline arrangement and offers the following benefits:

■   Enables you to perform the inline decryption configuration, required map deployments, and flexible inline flow configurations, all in one canvas.
■   Shares the same inline tool or inline tool group across multiple inline network links and across multiple inline maps. Refer to 3 Flexible Inline TLS/SSL APP—Deployed.
■   Allows you to tap OOB copies of decrypted traffic from GigaSMART, either before or after the inspection of security tools. Refer to 3 Flexible Inline TLS/SSL APP—Deployed.
■   Allows you to selectively decrypt and guide traffic to the attached inline tools or inline tool groups.

Flexible Inline TLS/SSL Decryption Solution—Rules and Notes

Keep in mind the following rules and notes when working with flexible inline decryption solution:

■   When you want to migrate from the inline decryption to the flexible inline decryption solution,
o   ensure that you delete all the inline decryption virtual ports, GigaSMART, and maps configurations, and then reconfigure them using the flexible inline canvas. However, if there are OOB maps from the inline network ports, before you delete the OOB maps, ensure that the Traffic Path for the inline network is not set to ‘Bypass’.
o   It is recommended to delete the OOB map from vPort before deleting other maps. If the OOB map from the vPort is not deleted while deleting all the inline TLS/SSL maps, then GigaVUE‑FM throws an error on first time. You need to click Delete All again to delete all the maps.
o   Modifying the VLAN settings on an out-of-band map is not allowed if another out-of-band map has the same port as destination.
■   When there is a multiple tool failover across the inner and outer maps; and if any of the tool comes up, the traffic in the inline network does not flow as expected.
■   If you want to switchover from the flexible inline decryption solution to the inline decryption solution, you must delete the flexible inline SSL APP, and then reconfigure the ports, GigaSMART, and maps using the inline decryption workflow.
■   When you configure the flexible inline decryption solution using GigaVUE-FM, the keychain password will be unlocked automatically when the device participating in the solution reboots.
■   If an inline TLS/SSL profile is used across multiple map configurations with different inline network pairs, the tool set used across the maps is also the same. Consider the following example:
■   Flexible Inline Map 1 with inline network pair 1 uses inline TLS/SSL Profile 1 with tools A and B.
■   Flexible Inline Map 2 with inline network pair 2 also uses inline TLS/SSL Profile 1. This map also has tools A and B (filled in automatically). You cannot configure this as A or C or A, C.
■   The following combinations are not supported:
o   Flexible Inline TLS/SSL Decryption
o   Inline Network LAG

When you attempt to add an Inline SSL App to an Inline Network LAG Flexible Map you get the following error message: "An Inline SSL APP cannot be used when the traffic source is an inline network LAG" as shown in below figure.

 

■   For the Flexible Inline TLS/SSL Maps, tag of the outer map cannot be edited in the configuration canvas. To change the tag, follow these steps:
a. delete the map
b. deploy the solution
c. re-add the map with the updated tag and deploy the solution again.
■   Traffic is not decrypted when inline-network traffic path is in monitor mode.
■   Setting the Flex Traffic Path of inner chain Inline-tools as “Drop” does not drop the Inline TLS/SSL traffic and continues to reach the Inline network egress.
■   When you deploy GigaSMARTTLS/SSL Decryption inline, it may cause users to experience up to a 50% reduction in speed test throughput.

Configure Flexible Inline TLS/SSL Decryption Solution

Following are the prerequisites that you must complete before you configure the flexible inline decryption solution:

■   Configure the required inline networks or inline network bundle. Refer to Configure Inline Network Ports and Inline Network or Configure Inline Network Bundle.
■   Configure the required inline tools. Refer to Configure Inline Tool Ports and Inline Tools.
■   Configure the required inline tool group. Refer to Configure Inline Tool Group.
■   Ensure that there are no inline decryption configurations such as inline decryption policy, inline decryption virtual port, GigaSMART group, GigaSMART operations, or inline decryption map configured on the device.

To configure a flexible inline decryption solution:

1.   On the left navigation pane, go to Physical > Orchestrated Flows > Inline Flows, and then click Configuration Canvas to create a new Flexible Inline Canvas.
2. In the Flexible Inline Canvas that appears, select the required device for which you want to configure the flexible inline decryption solution.
3. Click the ‘+’ icon next to the Inline SSL APP option to create a new flexible inline decryption solution.
4. In the Inline SSL APP page that appears, enter a name for the Inline SSL APP, and then complete the required fields. Refer Inline SSL App—Field References for details.
5. Click OK to save the configurations.
6. Drag and drop the required inline network or inline network bundle in to the flexible inline canvas.
7. Drag and drop the flexible inline map into the canvas.
8. In the Properties pane, in the Alias and Description fields, enter the name and description of the inline map.
9. Enter the Tool Side VLAN Tag for the inline network for which you are configuring the map.
10. Select the TPID for the Tool Side VLAN Tag. The default value of TPID is 0x8100. You can select the other supported values 0x9100 and 0x88a8 from the drop-down list.
11. Add the required rules for the inline map, and then click OK to save the configuration.
12. Drag and drop the Inline SSL APP into the canvas.
13. Drag and drop the required inline tools or inline tool group into the canvas.
14. Drag and drop the OOB Copy into the canvas, if required.
15. Click Deploy.

 

3 Flexible Inline TLS/SSL APP—Deployed

Inline SSL App—Field References

The following table lists and describes the attributes that define the flexible inline decryption solution.

Field

Description

Alias

Enter a unique name for the flexible inline SSL APP.

GS engines

Select the required GigaSMART engines.

TLS/SSL Monitor Mode

Select an TLS/SSL Monitor Mode from one of the following options:

■   Enable—When the monitor mode is enabled, the TLS/SSL decryption or encryption is off. The monitor application collects information such as the TCP ports that are in use and VLAN information about the incoming traffic, and forwards the packets to the tool port or network port based on the non-TLS/SSL TCP bypass action.
■   Disable—This is the default value. When the monitor mode is disabled, the TLS/SSL decryption or encryption is on. Use this mode during the deployment stage.
■   Inline—Both monitor mode and TLS/SSL decryption or encryption is on. Use this mode to debug issues.

Refer to Inline TLS/SSL Monitor Mode for details.

HSM Group

Select a HSM Group alias that you have configured from the drop-down list. Select Disable from the drop-down list to disable the HSM Group.

Refer to Configure Hardware Security Model (HSM) for details.

 Notes:
Thales-Luna Network HSM configuration is supported in Inbound, Outbound, and Hybrid deployment types.
Entrust nShield HSM configuration is supported in Inbound, Outbound, and Hybrid deployment types.

Advanced Session Statistics

Enable this option to visualize advanced Inline SSL Session dashboards, such as Session Insights and Session Table, in the Fabric Health Analytics dashboard. The basic dashboards are available by default as you configure an Inline SSL session.

Refer Default Dashboards and GigaSMART Inline TLS/SSL Dashboards to know more.

Keychain Password

The keychain password must be configured before installing certificates and keys.

Refer to Configure Keychain Password for details.

To add or reset the Keychain Password:

a. Click Keychain Password, and then choose either Add or Reset.
b. If you choose to reset the Keychain Password, enter a password that is 8 to 30 characters long and contains at least one numerical character, one uppercase character, one lowercase character, and one special character.
c. Select the Auto Login check box to enable GigaVUE‑FM to unlock the keystore when the device reboots. Refer to Support for unattended restart of TLS/SSL decryption in managed nodes for details.
d. Click OK to save the Keychain Password.

Add new keys

To configure a certificate-key pair:

a. Click Add new keys to open the Key page.
b. Enter a name and description for the key.
c. Select the required Key Type and File Type.
d. You can choose to include a Passphrase for the key when you select PEM or PKCS12 as File type if required.
e. When you choose Luna-HSM, enter the Key label for the key.
f. Add the required Private Key and Certificate.
g. Click OK to save the configuration.

Deployment Type

Select one of the following deployment types:

■   Inbound—For inbound deployments, add a new Server Key Mapping. Enter the domain name or IP address of the server, and then select the required Key Pair Alias. Refer to TLS/SSL Session, Inbound Deployment for details.
■   Outbound—For outbound deployments, add a primary and a secondary signing Certificate Authorities (CA). Refer to TLS/SSL Session, Outbound Deployment for details.
■   Hybrid—For hybrid deployments, add a new Server Key Mapping, and a primary and a secondary signing CA.

Refer to TLS/SSL Keys and Certificates and Generate and Add a Certificate to Key Store for details.

Configurations

Default Action

Select one of the following options :

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.

URL Cache Miss Action

Select one of the following options:

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   No Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.
■   Defer—Delay the decryption until the Defer Timeout seconds provided.

Tool Fail Action

The failover action taken in response to a failure of an inline tool. Select one of the following options:

■   Bypass Tool—The traffic bypasses the failed inline tool.
■   Drop Connection—The traffic is dropped.

Tool Bypass

Select the required options:

■   Decrypted TLS/SSL Traffic—Bypasses the decrypted SSL traffic.
■   No Decrypted TLS/SSL Traffic—Bypasses the non-decrypted SSL traffic.
■   Non-TLS/SSL TCP Traffic—Bypasses the non-TLS/SSL, that is the TCP intercepted traffic.

High Availability

Select the check box to detect the link switchover by upstream device that is in active or standby mode.

Note:  Do not select this check box if the inline network links are in active state.

Refer to High Availability Active Standby for details.

Network Group Multiple Entry

Select this check box to allow the traffic from different inline network to reenter GigaSMART.

Refer to Inline Network Group Multiple Entry for details.

Tool Early Engage

Select this check box to allow the inline tools to change the MAC address or VLAN IDs. When a connection request is received from the client, GigaSMART establishes the connection with the inline tool first, before connecting with the server. This helps the inline tools to modify the MAC address or VLAN IDs when sending the traffic back to the server.

Refer to Tool Early Engage and One-Arm Mode for additional information and limitations.

Tool Early Inspect

Select this check box to allow the inline tool to inspect the decrypted data first before connecting to the server. This will allow the inline tool to validate the data and ensure that only valid connections are sent to the server.

 Notes:
You can access Tool Early Inspect feature from the flex Inline SSL APP only. Tool Early Inspect cannot co-exist with features such as RIA, NAT/PAT mode, Tool Early Engage, One-Arm, and Decryption Port Mapping.
If Tool Early Inspect is enabled, you can configure the connections timeout value. Connection timeout represents the time by which the tool should respond after receiving the first decrypted data. If no response is received within the configured time interval, the connections will be reset.

Refer to Tool Early Inspect for details.

StartTLS Port

Enter the required SSL/TLS ports.

Refer to StartTLS and HTTP CONNECT for details.

Session Logging

Session Logging

Select the Enable checkbox to log the Inline-TLS/SSL session related information to a remote server.

IP Version

Select IPV4 or IPV6 as the IP Version for the Session Logging server. You can select one session logging configuration per GigaSMART group.

Remote Syslog Server IP

Enter the IP address of the remote syslog server.

Associated IP Interface

In the Associated IP interface drop-down list, select the IP interface that you assigned to the GigaSMART group. You can create the IP interface by clicking the Create IP Interface button and the IP Interface window will open.

Complete the fields to create the IP Interface:

  • In the Alias and Description fields, enter the name and description for the IP interface.

  • Select the Port.

  • Select IPV4 or IPV6 as the IP Version.

  • Enter an IP Address. For example, 192.168.1.20.

  • Enter an IP Mask. For example, 255.255.255.0.

  • Enter a Gateway. For example, 192.168.1.20.

  • Enter the Maximum Transmission Unit (MTU) for this port in the MTU field. For example, 1500.

  • Select the GigaSMART Group you created from the GS Groups field.

Remote Syslog Port Number

Enter the port number of the remote syslog server.

Log Level

In the Log Level drop-down list, select the severity log level of the events that you want to send to the inline TLS/SSL session logging server.

Traffic Path

Single VLAN Tag

Enable the check box to deploy flexible inline TLS/SSL solution with a single VLAN tag. If an inline tool is involved in an inline TLS/SSL map, the inline tool can be supported across multiple maps with different single VLAN tags.

Note:  Deploying a flexible iSSL solution with SVT is optional, and you can choose to enable or disable the Single VLAN Tag option. If you choose to enable the Single VLAN Tag option in the iSSL solution, you should also enable the Single VLAN Tag configuration in the flex map deployed in that solution.

Note:  If you enable the Single VLAN tag option in the Flexible iSSL solution, you should also enable the Single VLAN Tag configuration in the inline-ssl app profile deployed in the solution

Refer to Single VLAN Tagging (SVT) in iSSL for more details.

Tool Side VLAN Tag

Enter the required tool side VLAN tag for the inline network.

TPID

Select the TPID for the Tool Side VLAN Tag. The default value of TPID is 0x8100. You can select the other supported values 0x9100 and 0x88a8 from the drop-down list.

Traffic Path

Select one of the following options:

■   Drop—Traffic is dropped at the virtual port.
■   Bypass—Traffic bypasses the virtual port.
■   Monitoring—Traffic is fed to the virtual port and absorbed, while a copy of the traffic is sent to the next inline tool in the sequence. Traffic returned from side B of the network is also absorbed at the virtual port in the monitoring mode.

Note:  You can select the Monitoring option only if you have set the SSL Monitor Mode to either Enable or Inline.

■   To Inline Tool—Traffic is forwarded to the inline tool. This is the default value.

Inline Failover Action

Select one of the following options:

■   Virtual port bypass—All virtual ports configured as the source of any map that triggered this failover action, will be put in the bypass mode, that is all traffic will bypass the virtual port and will be guided to the inline tool or inline tool group.
■   Virtual port drop—All virtual ports configured as the source of any map that triggered this failover action, will be put in the drop mode, that is all traffic will be dropped at the virtual port.
■   Network bypass—All inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action, will be put in the bypass mode, that is, all traffic coming to side A will be directed to side B and vice versa.
■   Network drop—All inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action, will be put in the drop mode, that is, all traffic coming to side A or side B will be dropped.
■   Network port forced down—For all inline networks configured as the source of any map involving the inline tool or inline tool group that triggered this failover action, the inline network ports will be brought down.

Security Exceptions

You can choose to either decrypt or drop the traffic for the following certificates:

■   Self-signed certificate
■   Unknown CA certificate
■   Invalid certificate
■   Expired certificate

You can also choose to configure the security exceptions for certificate revocation validation based on OCSP or CRL on inline decryption profile. Select one of the following options:

■   Soft Fail—If you select this option, the client browser displays the secondary MitM certificate and the inline decryption session stats in GigaVUE‑FM displays as Decrypt.
■   Hard Fail—If you select this option, the client browser displays the certificate from DigiCert and the inline decryption session stats in GigaVUE‑FM displays as Bypass: Unknown Revocation.

Refer to Certificate Revocation List (CRL), Online Certificate Status Protocol (OCSP), CRL and OCSP, and Checking Certificate Revocation Status for details.

No-decrypt list/Decrypt list

Select the following check boxes:

No-decrypt list—Allows traffic from certain classes such as sites, domains, host-based IP address and IP subnets (decision based on LPM) to bypass decryption.
Decrypt list—Allows traffic from certain sites, domains, host-based IP address and IP subnets (decision based on LPM) to always be decrypted.

Select from the below operations that can be performed on an uploaded list:

Append _ This would add to the uploaded list.
Replace- This would remove the previously added list and add a new list. This option is supported only on Generation 3 cards.
Clear- This would completely clear the list.
Download - This would download the list that has been uploaded.

If you select Append/Replace, you can enter the list using any of the following options:

• Copy and Paste

• Install from URL

• Install from Local Directory

Refer to No-decrypt Listing Policy and Decrypt Listing Policy for details.

Policy Rules

Add the required policy rules for the inline decryption profile.

Click Add a Rule. In the Condition field, Select one of the following options from the drop-down list:

■   Category
■   Domain
■   IPv4 Destination
■   IPv4 Source
■   IPv6 Destination
■   IPv6 Source
■   L4 Port Destination
■   L4 Port Source
■   VLAN
■   X509 Certificate Issuer Name

Select one of the following options:

■   Decrypt—Decrypt all the traffic that is guided into the Inline SSL APP.
■   Decrypt—Do not decrypt the traffic that is guided into the Inline SSL APP.

Network Access

Network access configuration is used to get URL categorization updates. Refer to URL Categorization for details.

To configure the network access for the GigaSMART engine ports:

  1. Select either DHCP or IP Address as the network access configuration mode.
  2. If you select IP Address as the mode, enter the IP Address, Netmask, Gateway, DNS, MTU, and VLAN.
  3. Select either Eth2 or Eth3 as the Interface.
  4. If you want to attach a Proxy profileto your Inlie SSL deployment select a Proxy Server Profile from the drop-down. To configure a new Proxy Server Profile, click on Create new Proxy. Refer Proxy Server Configuration to know more.
 Notes:
The Eth3 option is available only for GigaVUE‑HC3 devices.
IP Address configuration mode details should be entered when you select Luna HSM configuration from the HSM Group drop down.
If your Proxy Server profile is associated with an Inline SSL application, choose 'None' in the Proxy Server profile field on the Inline SSL configuration page to disconnect the proxy server profile prior to deleting the profile.

Decryption Port Mapping

The TCP destination port for decrypted traffic sent to inline tools can be configured as part of the inline decryption profile. Configure the required Priority 1 map, which is user configurable and Priority 2 map, which is the default out port.

Refer to Inline TLS/SSL Decryption Port Map for details.

Trust Store

The trust store contains a trusted certificate authority (CA) for server validation. You can choose to either append or replace the trust store.

Refer to Trust Store for details.

TCP Settings

Configure the required TCP settings as follows:

TCP Inactive Timeout— TCP Inactive session timeout in minutes.
TCP Delayed ACKGigaSMART Inline TLS/SSL decryption ACKs every TCP packet by default. If TCP Delayed ACK is enabled, then GigaSMART decryption will wait for 100ms or ACK every third packet – whichever comes first.
TCP SYN Retries—number of retries made by the MitM to initiate a session with the destination server. If a SYN/ACK response isn't received from the destination server on initial TCP SYN, GigaSMART attempts for additional number of TCP SYN Retries as defined by the user.
TCP TIMEWAIT Timeout— Configure the 'TCP TIMEWAIT' timeout value from 0-300 seconds. The default value is 30 seconds. The TCP connection in the TIME_WAIT state gets deleted after the timeout period.

Split-Proxy Settings

Split-Proxy

Select the check box to enable the split proxy settings for the inline decryption solution. The TLS connection between the server and client is divided into two independent connections, and the security parameters are kept separate.

Non-PFS Ciphers (Server)

Select the check box to enable the non-PFS ciphers settings for the inline decryption solution that has the split proxy settings enabled. This setting is to indirectly force the server to use protocols that are lower than TLS1.3 with non-PFS ciphers. This means that the ciphers with DHE/ECDHE key-exchange will not be used on the server side.

Miscellaneous (Global Settings)

SSL/TLS Version

Select the minimum and maximum SSL/TLS version.

Connection Reset Action

Select one of the following options for the minimum SSL/TLS version:

■   Drop—Closes all sessions that are below the minimum SSL/TLS version specified. This ensures that the network is safe from the weak TLS/SSL connections. This is the default option.
■   No Decrypt—Bypasses all sessions that are below the minimum SSL/TLS version specified.

Select one of the following options for the maximum SSL/TLS version:

■   No Decrypt—Bypasses all sessions that are above the maximum SSL/TLS version specified. This is the default option.
■   Drop—Closes all sessions that are above the maximum SSL/TLS version specified.

Caching persistence

Select this check box to allow the information to be saved on the GigaVUE node in the control card’s persistent storage so that it can be retrieved in case of reboots. Refer to Cache Persistence for details.

Support for unattended restart of TLS/SSL decryption in managed nodes

The keychain is an encrypted database of certificates and private keys. On individual nodes, the keychain is stored in flash memory until reboot. The user needs to enter a keychain password to access the keychain. The keychain password is cached in the RAM of the control plane processor to allow decryption of the keychain file, but the keychain password is not cached across reboots. The SSL processing is not possible without the keychain password.

The keychain password is stored in GigaVUE‑FM to automatically unlock the keychain during reboots and processing the TLS/SSL decryption without any intervention. The keychain password is stored in an encrypted database for key protection and risk management. Enable the Auto Login option when you set up or reset the keychain password to automatically unlock the keychain during reboots.