Creating SSL Forward Proxy Profiles
Use this page to configure SSL forward proxy profiles. SSL proxy is enabled as an application service within a security policy. You specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy profile to be applied to the traffic.
To create an SSL forward proxy profile:
Ensure that you have a root certificate imported for the tenant before you create an SSL forward proxy profile. You can import SSL certificates (root and trusted) from the Certificates page (Administration > Certificates) and associate the certificates with SSL forward proxy profiles.
- Select Configuration > SSL Proxy > Profiles in Customer Portal.
The SSL Proxy Profiles page appears.
- Click the add icon (+) to create an SSL forward
The Create SSL Proxy Profiles page appears.
- Complete the configuration according to the guidelines
provided in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Click OK.
An SSL forward proxy profile is created. You are returned to the SSL Proxy Profiles page where a confirmation message is displayed.
The SSL forward proxy profile can be used in an SSL proxy policy intent (Configuration > SSL Proxy > Policy).
Table 1: Creating SSL Forward Proxy Profile Settings
Enter a unique name for the profile, which is string of alphanumeric characters and some special characters (- _). No spaces are allowed and the maximum length is 63 characters.
Enter a description for the profile. The maximum length is 255 characters.
Select a preferred cipher. Preferred ciphers enable you to define an SSL cipher that can be used with acceptable key strength. You can select from the following categories:
If you specified Custom as the preferred cipher, you can define a custom cipher list by selecting ciphers.
Select the set of ciphers that the SSH server can use to perform encryption and decryption functions.
The available custom ciphers are:
Select this option to enable flow tracing to enable the troubleshooting of policy-related issues.
Select or add a root certificate. In a public key infrastructure (PKI) hierarchy, the root certificate authority (CA) is at the top of the trust path.
Trusted Certificate Authorities
Choose whether you want to add all trusted certificates present on the device (All) or select specific trusted certificates. Before establishing a secure connection, the SSL proxy checks CA certificates to verify signatures on server certificates.
Exempted addresses include addresses that you want to exempt from undergoing SSL proxy processing.
To specify exempted addressees, select one or more addresses in the Available column and click the forward arrow to confirm your selection. The selected addresses are then displayed in the Selected column. These addresses are used to create allowlists that bypass SSL forward proxy processing.
Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions.
Such sessions typically include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists.
Note: You can also add addresses by clicking Add New Address. The Create Addresses page appears. See Creating Addresses or Address Groups.
Exempted URL Categories
Select the previously defined URL categories to create allowlists that bypass SSL forward proxy processing. The selected URL categories are exempted during SSL inspection.
Server Auth Failure
Select this check box to ignore errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). This check box is cleared by default.
We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.
Select this check box to disable session resumption. This check box is cleared by default.
To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session-caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.
Select one or more events to be logged. You can choose to log all events, warnings, general information, errors, or different sessions (added to the allowlist, allowed, dropped, or ignored). Logging is disabled by default.
Select one of the following options if a change in SSL parameters requires renegotiation:
After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.
When session resumption is enabled, session renegotiation is useful in the following situations: