Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Unified Policies for SSL Proxy

 

Application Security Services with SSL Proxy

With the implementation of SSL proxy, AppID can identify applications encrypted in SSL. SSL proxy can be enabled as an application service in a regular firewall policy rule. Intrusion Detection and Prevention (IDP), application firewall (AppFW), application tracking (AppTrack), advanced policy-based routing (APBR) services, UTM, SKY ATP, and Security Intelligence (SecIntel) can use the decrypted content from SSL proxy.

To determine if a feature is supported by a specific platform or Junos OS release, refer Feature Explorer

On the SSL payload, IDP can inspect attacks and anomalies; for example, HTTP chunk length overflow on HTTPS. On encrypted applications, such as Facebook, AppFW can enforce policies and AppTrack (when configured in the from and to zones) can report logging issues based on dynamic applications.

Note

If none of the services (AppFW, IDP, or AppTrack) are configured, then SSL proxy services are bypassed even if an SSL proxy is attached to a firewall policy.

Note

The IDP module will not perform an SSL inspection on a session if an SSL proxy is enabled for that session. That is, if both SSL inspection and SSL proxy are enabled on a session, SSL proxy will always take precedence.

Leveraging Dynamic Application Identification

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted. SSL proxies are allowed only if a session is SSL encrypted. The following rules apply for a session:

  • Session is marked Encrypted=Yes in the application system cache. If the session is marked Encrypted=Yes, it indicates that the final match from application identification for that session is SSL encrypted, and SSL proxy transitions to a state where proxy functionality can be initiated.

  • Session is marked Encrypted=No in the application system cache. If a non-SSL entry is found in the application system cache, it indicates that the final match from application identification for that session is non-SSL and SSL proxy ignores the session.

  • An entry is not found in the application system cache. This can happen on the first session, or when the application system cache has been cleaned or has expired. In such a scenario, SSL proxy cannot wait for the final match (requires traffic in both directions). In SSL proxy, traffic in reverse direction happens only if SSL proxy has initiated an SSL handshake. Initially, for such a scenario SSL proxy tries to leverage prematch or aggressive match results from application identification , and if the results indicate SSL, SSL proxy will go ahead with the handshake.

  • Application identification fails due to resource constraints and other errors. Whenever the result from application identification is not available, SSL proxy will assume static port binding and will try to initiate SSL handshake on the session. This will succeed for actual SSL sessions, but it will result in dropped sessions for non SSL sessions.

SSL Proxy Support for Unified Policies

Starting from Junos OS Release 18.2R1, unified policies are supported on SRX Series devices, allowing granular control and enforcement of dynamic Layer 7 applications, within the traditional security policy.

Unified policies are the security policies that enable you to use dynamic applications as match conditions as part of the existing 5-tuple or 6-tuple (5-tuple with user firewall) match conditions to detect application changes over time.

SSL proxy functionality is supported when the device is configured with unified policies. As a part of this enhancement, you can configure a default SSL proxy profile.

During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different SSL proxy profiles, the SRX Series device applies the default SSL proxy profile until a more explicit match has occurred.

We recommend that you create a default SSL proxy profile. The sessions are dropped in case of policy conflicts, if there is no default SSL proxy profile available.

You can configure an SSL proxy profile under the [edit services ssl proxy] hierarchy level, and then apply it as a default SSL proxy profile under the [edit security ngfw] hierarchy level. This configuration does not impact the existing SSL service configuration.

Configuring a default SSL proxy profile is supported for both SSL forward and reverse proxy.

Understanding How SSL Proxy Default Profile Works

Table 1 summarizes the default SSL proxy profile behavior in unified policies.

Table 1: SSL Proxy Profile Usage in Unified Policies

Application Identification Status

SSL Proxy Profile Usage

Action

No security policy conflict

SSL proxy profile is applied when traffic matches the security policy.

SSL proxy profile is applied.

Security policy conflict (conflicting polices have distinct SSL proxy profiles)

Default SSL proxy profile is not configured or not found.

Session is terminated, because the default SSL proxy profile is not configured.

Default SSL proxy profile is configured.

Default SSL proxy profile is applied.

Final application is identified

Matching security policy has a SSL proxy profile that is same as default SSL proxy profile.

Default SSL proxy profile is applied.

Matching security policy does not have a SSL proxy profile.

Default SSL proxy profile is applied.

Matching security policy has a SSL proxy profile that is different from the default SSL proxy profile that is already applied.

Default SSL proxy profile that is already applied, continues remain as applied.

Note

A security policy can have either an SSL reverse proxy profile or an SSL forward proxy profile configured at a time.

If a security policy has an SSL forward proxy profile and another security policy has an SSL reverse proxy profile, in such case, a default profile—either from SSL reverse proxy profile or from SSL forward proxy profile is considered.

Caution

We recommend creating default SSL proxy profile because sessions are dropped in case of policy conflicts, when there is no default SSL proxy profile available. A system log message is generated to log the event.

Tip

Example of the system log message:

Default SSL Proxy Profiles in Different Scenarios

Following examples discuss in detail about the default SSL proxy profile in different scenarios:

No Policy Conflict—All Policies Have Same SSL Proxy Profile

All matching policies have same SSL proxy profile as shown in Table 2.

Table 2: No Policy Conflict—All Policies Have Same SSL Proxy Profile

Security Policy

Source Zone

Source IP Address

Destination Zone

Destination IP Address

Port Number

Protocol

Dynamic Application

Service

Default SSL Proxy Profile

Policy-P1

S1

Any

D1

Any

Any

Any

Facebook

SSL Proxy

SSL-1

Policy-P2

S1

Any

D1

Any

Any

Any

Google

SSL Proxy

SSL-1

In this case, both Policy-P1 and Policy-P2 have the same SSL proxy profile (SSL-1). Because there is no conflict, the profile SSL-1 is applied.

If you have configured a default SSL proxy profile (SSL-2), it is not applied. Because there is no conflict in the policies (Policy-P1 and Policy-P2).

No Policy Conflict—All Policies Have Same SSL Proxy Profile and Final Policy Has No SSL Profile

Policy-P1 and Policy-P2 have same SSL proxy profile and the Policy-3 has no SSL profile as shown in Table 3.

Table 3: No Policy Conflict—All Policies Have Same SSL Proxy Profile and Final Policy Has No SSL Profile Configured

Security Policy

Source Zone

Source IP Address

Destination Zone

Destination IP Address

Port Number

Protocol

Dynamic Application

Service

Default SSL Proxy Profile

Policy-P1

S1

Any

D1

Any

Any

Any

Facebook

SSL Proxy

SSL-1

Policy-P3

S1

50.1.1.1

D1

Any

Any

Any

YouTube

SSL Proxy

SSL-1

Policy-P2

S1

Any

D1

Any

Any

Any

Google

Other

None

In this scenario, both Policy-P1 and Policy-P2 have the same SSL proxy profile (SSL-1). Because there is no conflict, the profile SSL-1 is applied before the final policy match.

When the final application is identified, the security policy matching with the final application, that is, Policy-P3 is applied. Because the Policy-P3 has no SSL proxy profile, the already applied profile SSL-1 remains applied. This is because, the SSL proxy profile is already applied on the traffic.

Policy Conflict—No SSL Profile Configured for Final Policy

The default SSL proxy profile is applied during potential match as shown in Table 4. The final policy, Policy-P3 does not have any SSL proxy profile.

Table 4: Policy Conflict—No SSL Profile Configured for Final Policy

Security Policy

Source Zone

Source IP Address

Destination Zone

Destination IP Address

Port Number

Protocol

Dynamic Application

Service

Default SSL Proxy Profile

Policy-P1

S1

50.1.1.1

D1

Any

Any

Any

Facebook

SSL Proxy

SSL-1

Policy-P2

S1

50.1.1.1

D1

Any

Any

Any

Google

SSL Proxy

SSL-2

Policy-P3

S1

50.1.1.1

D1

Any

Any

Any

YouTube

Other

NA

In this example, SSL proxy profile SSL-1 is configured as default SSL proxy profile. During the policy conflict for Policy-P1 and Policy-P2, the default profile SSL-1 is applied.

When the final application is identified, the security policy matching with the final application, that is, Policy-P3 is applied. Because the Policy-P3 has no SSL proxy profile, the already applied profile SSL-1 continues to remain as applied. This is because, the SSL proxy profile is applied on the traffic.

Policy Conflict–Default SSL Proxy Profile and Different SSL Proxy Profile for Final Policy

The SSL proxy profile SSL-1 is configured as a default SSL proxy profile and is already applied before the final policy is matched. Refer Table 5.

Table 5: Policy Conflict—Default SSL Proxy Profile and Different SSL Proxy Profile for Final Policy

Security Policy

Source Zone

Source IP Address

Destination Zone

Destination IP Address

Port Number

Protocol

Dynamic Application

Service

Default SSL Proxy Profile

Policy-P1

S1

50.1.1.1

D1

Any

Any

Any

Facebook

SSL Proxy

SSL-1

Policy-P2

S1

50.1.1.1

D1

Any

Any

Any

Google

SSL Proxy

SSL-2

Policy-P3

S1

50.1.1.1

D1

Any

Any

Any

YouTube

SSL Proxy

SSL-3

When the final application is identified, the security policy matching with the final application, that is, Policy-P3 is applied. The SSL profile for the Policy-P3, that is, SSL-3 is not applied. Instead, the SSL proxy profile SSL-2 configured and applied as default profile, continues to remain as applied.

Switching from the default SSL proxy profile that is already applied to the traffic, to another SSL proxy profile is not supported.

Limitations of SSL Proxy with Unified Policies

  • When a default SSL proxy profile is enabled, it cannot be disabled even if the final security policy does not have SSL proxy configured.

  • When a default SSL proxy profile is enabled and applied on the traffic and the final security policy has a different SSL proxy profile configured other than default profile, switching from the default SSL proxy profile to the SSL proxy profile in the security policy is not supported.

Configuring Default SSL Proxy Profiles

SSL proxy is enabled as an application service within a security policy. In a security policy, specify the match criteria for the traffic that must be SSL proxy enabled. Next, specify the SSL proxy profile to be applied to the traffic. When configuring unified policies, the steps include defining the SSL profile, then adding the SSL profile as default profile under the [edit security ngfw] hierarchy level, and then including to it in the desired security policy.

Configuring Default Profile for SSL Forward Proxy

In this procedure, you configure an SSL forward proxy profile, and specify the profile as the default profile.

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
  2. Apply the signing certificate as root-ca in the SSL proxy profile.
  3. Define the SSL proxy profile as the default profile.

Configuring Default Profile for SSL Reverse Proxy

In this procedure, you configure an SSL reverse proxy profile and specify the profile as the default profile.

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
  2. Define the SSL reverse proxy profile as the default profile.

Configuring Default SSL Profiles for Logical System

In this procedure, you assign the SSL forward proxy profile or the SSL reverse proxy profile as the default profile in logical system configurations. In this case, one profile can be a default profile either from the SSL forward proxy or from the SSL reverse proxy.

  • Define the SSL forward proxy profile as the default profile.
  • Define the SSL reverse proxy profile as the default profile.

Example: Configuring Default SSL Proxy Profile for Unified Policy

This example shows how to configure a default SSL proxy profile and apply it in a unified policy.

Requirements

This example uses the following hardware and software components:

  • SRX Series device with Junos OS Release 18.2R1 or later. This configuration example is tested for Junos OS Release 18.2R1.

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you configure an SSL forward proxy profile by specifying the root CA certificate. Next, configure the profile as default SSL proxy profile. Now, you create a unified policy and invoke the SSL proxy as application services on the permitted traffic.

Configuration

To configure a default SSL proxy profile and apply it in a unified policy:

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
  2. Apply the signing certificate as root-ca in the SSL proxy profile.
  3. Define the SSL proxy profile as the default profile.
  4. Create a unified policy and specify the dynamic application as the match criteria.
  5. Apply the SSL proxy profile to the permitted traffic in the security policy.

Verification

Verify SSL Proxy Configuration

Purpose

Confirm that the configuration is working properly by displaying the SSL proxy statistics.

Action

From operational mode, enter the show services ssl proxy statistics command.

user@host> show services ssl proxy statistics

Meaning

The command output displays the following information:

  • Details about the sessions matched for the SSL proxy.

  • Details about the default SSL proxy profile such as the sessions where the default profile is applied and the sessions that are dropped due to the absence of the default profile.

See also