SSL Decryption Mirroring
SSL decryption mirroring feature enables you to monitor SSL decrypted application traffic entering and exiting the SRX Series device. For more information on SSL decryption mirroring, read this topic.
Understanding SSL Decryption Mirroring Functionality
Starting in Junos OS Release 18.4R1, SSL decryption mirroring functionality for SSL forward proxy and for SSL reverse proxy is introduced.
SSL decryption mirroring feature enables you to monitor SSL decrypted application traffic entering and exiting the SRX Series device. When you enable this feature, the SRX Series device uses an Ethernet interface—the configured SSL decryption mirroring interface—to forward a copy of the decrypted SSL traffic to a trusted traffic collection tool or a network analyzer for inspection and analysis. Typically, you connect this external monitoring device to the SSL decryption mirroring interface through a switching device. The external mirror traffic collector port is the port (or interface) that receives the copy of the decrypted traffic from the SSL decryption mirroring interface on the SRX Series device.
To use the SSL decryption mirroring feature, you define an SSL proxy profile, and apply it to the security policy. The security policy rule allows you to define traffic that you want the device to decrypt. When you attach the SSL proxy profile to the security policy rule, the traffic matching the security policy rule is decrypted. The SSL decryption mirroring interface delivers a copy of decrypted HTTPS and STARTTLS (POP3S/SMTPS/IMAPS) traffic to a trusted external device or traffic collection tool for inspection and analysis.
The embedded 5-tuple data of the decrypted IP packet includes the same following values as the encrypted IP packets:
Source IP address
Destination IP address
Source port number
Destination port number
Retaining the same 5-tuple data without reconfiguration ensures that the decrypted traffic is saved in packet-capturing format (Wireshark) and you can replay the data later.
Only TCP sequence numbers and ACK numbers are constructed based on the actual decrypted payload forwarded on the SSL decryption mirroring port. If the decrypted packet size exceeds the maximum transmission unit (MTU) size of the SSL decryption mirroring port, then the decrypted payload is divided into multiple TCP segments based on the MTU size requirements.
SSL Decryption Mirroring Before or After Policy Enforcement
By default, the SRX Series device forwards the SSL decrypted payload to the mirror port before Junos OS enforces Layer 7 security services, including IDP, Juniper SKY ATP, and UTM. This option allows you to replay events and analyze traffic that generates a threat or triggers a drop action.
You can also configure mirroring of the decrypted traffic after enforcing the security policy. With this option, only traffic that is forwarded through the security policy is mirrored. However, if the decrypted payload is modified while enforcing the security policy, the modified decrypted payload is forwarded on the mirror port. Similarly, if the decrypted traffic is dropped because of policy enforcement (for example, when a threat is detected in the decrypted traffic), that particular decrypted traffic is not forwarded on the mirror port.
SSL Decryption Mirroring Support
Supported for SSL forward proxy and SSL reverse proxy.
Supported for both IPv4 and IPv6 traffic.
The SSL decrypted traffic available on the mirror port is in cleartext format. All the cipher suites that are supported by SSL proxy support SSL decryption mirroring functionality. For the list of supported cipher suites, see SSL Proxy Overview.
Benefits of SSL Decryption Mirroring
Enables comprehensive data capture for auditing, forensic investigations, and historical purposes.
Provides data leak prevention.
Enables additional security processing done by third-party appliances for IDP, UTM, and so on.
Provides insight about the threats involved.
SSL decryption mirroring cannot be configured on the st0 tunnel interface.
SSL Decryption Mirroring Support in Chassis Cluster
Starting in Junos OS Release 18.4R1-S2 and Junos OS Release 19.2R1, the SSL decryption mirroring feature is supported on redundant Ethernet (reth) interface on SRX Series devices operating in a chassis cluster.
Configuring SSL Decryption Mirroring
This example shows how to enable mirroring of SSL decrypted traffic on an SRX Series device.
This example uses the following hardware and software components:
Any SRX Series device with Junos OS Release 18.4R1 or later. This configuration example is tested for Junos OS Release 18.4R1.
No special configuration beyond device initialization is required before configuring this feature.
Before you begin:
Configure SSL proxy. See SSL Proxy Overview.
The SSL decryption mirroring interface that you configure doesn’t need to be part of any security zones.
Ensure that SSL decryption mirroring interface and the actual client-server SSL traffic processing interfaces are part of the same routing instance.
Ensure that the SSL decryption mirroring interface on the SRX Series device and the external mirror traffic collector port must be part of the same broadcast domain.
You don’t need to configure a separate security policy to allow traffic from SRX Series device to the SSL decryption mirroring interface..
In this example, configure an SSL forward proxy profile by specifying the name of the SSL decryption mirroring interface and the MAC address of the external mirror traffic collector port. Next, create a security policy and invoke the SSL proxy as application service on the permitted traffic. The traffic matching the security policy rule is decrypted. A copy of the decrypted SSL payload is then encapsulated into an IP packet and forwarded to the on the external mirror traffic collector port through SSL decryption mirroring interface.
Figure 1 illustrates the topology used in this example.
Table 1 provides the details of the parameters used in this example.
Table 1: Parameters Used in SSL Decryption Mirroring Example
SSL decryption mirroring interface on SRX Series device
MAC address of the external mirror traffic collector port
SSL proxy profile
Use the following steps to configure the SSL decryption mirroring.
- Define the SSL decryption mirroring interface with logical
unit number 0.user@host# set interfaces ge-0/0/2 unit 0
- Specify the SSL decryption mirroring interface in the
SSL proxy profile.user@host# set services ssl proxy profile profile-1 mirror-decrypt-traffic interface ge-0/0/2.0
Ge-0/0/2.0 is configured as designated SSL decryption mirroring interface.
- Specify the MAC address of the of the external mirror
traffic collector port.user@host# set services ssl proxy profile profile-1 mirror-decrypt-traffic destination-mac-address 00:50:56:a6:5f:1f
- Create a security policy by specifying the match criteria
for the traffic.user@host# set security policies from-zone trust to-zone untrust policy policy-1 match source-address anyuser@host# set security policies from-zone trust to-zone untrust policy policy-1 match destination-address anyuser@host# set security policies from-zone trust to-zone untrust policy policy-1 match application any
- Attach the SSL proxy profile to the security policy rule. user@host# set security policies from-zone trust to-zone untrust policy policy-1 then permit application-services ssl-proxy profile-name profile-1
This configuration enables the external mirror traffic collector port (or interface) to receive the copy of the decrypted traffic from the SSL decryption mirroring interface on the SRX Series device.
From configuration mode, confirm your configuration by entering the show services ssl proxy profile and show security policies from-zone trust to-zone untrust policy commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verify SSL Proxy Configuration
Confirm that the configuration is working properly by displaying the SSL proxy statistics.
From operational mode, enter the show services ssl proxy statistics command.
user@host> show services ssl proxy statistics
PIC:fwdd0 fpc pic sessions matched 30647 sessions bypassed:non-ssl 0 sessions bypassed:mem overflow 0 sessions bypassed:low memory 0 sessions created 25665 sessions ignored 0 sessions active 0 sessions dropped 0 sessions whitelisted 0 whitelisted url category match 0 default profile hit 0 session dropped no default profile 0 policy hit no profile configured 0