Add an SSL Proxy Profile
You are here: Security Services > SSL Profiles > SSL Proxy.
To add an SSL proxy profile:
- Click the add icon (+) on the upper right side
of the SSL Proxy Profile page.
The Create SSL Proxy Profile page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel.
Table 1: Fields on the Create SSL Proxy Profile Page
Enter a name of the SSL proxy profile.
The string must contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.
Specifies the cipher depending on their key strength. Select a preferred cipher from the list:
Specifies the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.
Select the set of ciphers from the list:
Select the check box to enable flow trace for troubleshooting policy-related issues. Else leave it blank.
Specifies whether the certificate that you want to associate with this profile is a root CA or server certificate. Server certificate is used for SSL reverse proxy. If you choose server certificate, the trusted CA, CRL, and server auth failure options will not be available. For forward proxy profile, choose the root CA
In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.
Select the certificate that you want to associate with this SSL proxy profile from the list.
Specifies the certificate that you created in the Device Administration > Certificate Management page of J-Web. In a public key infrastructure (PKI) hierarchy, the CA is at the top of the trust path. The CA identifies the server certificate as a trusted certificate.
Trusted Certificate Authorities
Select the trusted CA that are available on the device from the following options: All, None, Select specific.
If you choose Select specific, you need to select the Certificate Authorities from the Available column and move it to the Selected column.
Specifies addresses to create allowlists that bypass SSL forward proxy processing.
Select the addresses from the from the Available column and move it to the Selected column.
Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists.
Exempted URL Categories
Specifies URL categories to create allowlists that bypass SSL forward proxy processing.
Select URL categories from the from the Available column and move it to the Selected column.
These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.
Server Auth Failure
Select the check box to ignore server authentication completely.
In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.
Select the check box if you do not want session resumption.
To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.
Select an option from the list to generate logs.
You can choose to log All events, Warning, Info, Errors, or different sessions (allowlisted, Allowed, Dropped, or Ignored).
After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.
You can specify whether to Allow nonsecure renegotiation, Allow-secure renegotiation, or Drop renegotiation.
When session resumption is enabled, session renegotiation is useful in the following situations:
Select if a change in SSL parameters requires renegotiation. The options are: None (selected by default), Allow, Allow-secure, and Drop.
Select the check box if you want to revoke the certificate.
If CRL info not present
Specifies if you want to allow or drop if CRL info is not present.
Select the following actions from the list if CRL info is not present : Allow session, Drop session, or None.
Hold Instruction Code
Select Ignore if you want to keep the instruction code on hold.
|Mirror Decrypt Traffic|
Select an SSL decryption port mirroring interface from the list. This is an Ethernet interface on SRX Series device through which the copy of the SSL decrypted traffic is forwarded to a mirror port.
Only after Security Policies Enforcement
Select the check box to enable forwarding the copy of the decrypted traffic to the external mirror traffic collector after enforcing the Layer 7 security services through a security policy.
Enter the MAC address of the external mirror traffic collector port.