
Add an SSL Proxy Profile


To add an SSL proxy profile:

  1. Click the add icon (+) on the upper right side of the SSL Proxy Profile page (Security Services > SSL Profiles > SSL Proxy).

    The Create SSL Proxy Profile page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Create SSL Proxy Profile Page

Field

Action

General Information

Name

Enter a name for the SSL proxy profile.

The string can contain alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; the maximum length is 63 characters.

Preferred Cipher

Specifies the category of ciphers the proxy may negotiate, grouped by key strength. Select a preferred cipher category from the list:

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

  • Custom—Configure custom cipher suite and order of preference.

Custom Ciphers

Specifies the set of ciphers the SSL proxy can use to perform encryption and decryption, and their order of preference. This field applies when Preferred Cipher is set to Custom. If this option is not configured, the proxy accepts any supported suite that is available.

Select the set of ciphers from the list. The RC4, single-DES, and export-grade (40-bit) suites are prohibited or deprecated by current TLS standards, and the MD5-based suites are deprecated; include them only for compatibility testing, not in a production profile.

  1. rsa-with-RC4-128-md5—RSA, 128-bit RC4, MD5 hash

  2. rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

  3. rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

  4. rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

  5. rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

  6. rsa-with-aes-256-cbc-sha—RSA, 256-bit AES/CBC, SHA hash

  7. rsa-export-with-rc4-40-md5—RSA-export, 40-bit RC4, MD5 hash

  8. rsa-export-with-des40-cbc-sha—RSA-export, 40-bit DES/CBC, SHA hash

  9. rsa-with-aes-256-gcm-sha384—RSA, 256-bit AES/GCM, SHA384 hash

  10. rsa-with-aes-256-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash

  11. rsa-with-aes-128-gcm-sha256—RSA, 128-bit AES/GCM, SHA256 hash

  12. rsa-with-aes-128-cbc-sha256—RSA, 128-bit AES/CBC, SHA256 hash

  13. ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256-bit AES/GCM, SHA384 hash

  14. ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256-bit AES/CBC, SHA hash

  15. ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256-bit AES/CBC, SHA384 hash

  16. ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES EDE/CBC, SHA hash

  17. ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128-bit AES/GCM, SHA256 hash

  18. ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128-bit AES/CBC, SHA hash

  19. ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128-bit AES/CBC, SHA256 hash

Flow Trace

Select the check box to enable flow trace for troubleshooting policy-related issues. Otherwise, leave it cleared.

Certificate Type

Specifies whether the certificate that you want to associate with this profile is a root CA or a server certificate. A server certificate is used for SSL reverse proxy; if you choose it, the trusted CA, CRL, and server auth failure options are not available. For a forward proxy profile, choose root CA.

In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. For forward proxy, the device uses this root CA to sign the server certificates it generates and presents to clients, so clients must trust the root CA or they will see certificate warnings.

Certificate

Select the certificate that you want to associate with this SSL proxy profile from the list.

The list shows the certificates created on the Device Administration > Certificate Management page of J-Web.

Trusted Certificate Authorities

Select which of the trusted CAs available on the device the proxy uses to verify server certificates. The options are: All, None, or Select specific.

If you choose Select specific, select the certificate authorities in the Available column and move them to the Selected column.

Exempted Addresses

Specifies addresses to create allowlists of destinations that bypass SSL forward proxy processing.

Select the addresses from the Available column and move them to the Selected column.

Because SSL encryption and decryption are complex and expensive operations, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions are typically connections to trusted servers or domains with which the administrator is familiar. There may also be legal or privacy requirements to exempt financial and banking sites. Such exemptions are configured by adding the IP addresses or domain names of the servers to allowlists; exempted traffic is passed through without being decrypted or inspected.

Exempted URL Categories

Specifies URL categories to create allowlists that bypass SSL forward proxy processing.

Select URL categories from the Available column and move them to the Selected column.

Sessions to sites in these URL categories are exempted from SSL inspection. Only the predefined URL categories can be selected for exemption.

Actions

Server Auth Failure

Select the check box to ignore server authentication failures.

In this case, SSL forward proxy ignores errors encountered during server certificate verification (such as CA signature verification failure, self-signed certificates, and certificate expiry) and continues the session.

We do not recommend this option, because with it enabled websites are not authenticated at all and the proxy accepts any certificate an attacker presents. Use it temporarily to identify the root cause of dropped SSL sessions, then clear it.

Session Resumption

Select the check box to disable session resumption.

To improve throughput while maintaining an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret and the agreed-upon ciphers, can be cached for both the client and server, avoiding a full handshake when a client reconnects.

Logging

Select an option from the list to generate logs.

You can choose to log All events, Warning, Info, or Errors, or to log sessions by outcome (Allowlisted, Allowed, Dropped, or Ignored).

Renegotiation

After a session is created and the SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure renegotiation (RFC 5746) and nonsecure renegotiation (the original TLS 1.0 and SSL 3.0 mechanism, which carries no renegotiation_info binding to the previous handshake).

Select how a renegotiation request is handled. The options are: None (selected by default), Allow (permit nonsecure renegotiation), Allow-secure (permit only RFC 5746 secure renegotiation), and Drop (drop the session when renegotiation is attempted).

When session resumption is enabled, session renegotiation is useful in the following situations:

  • Cipher keys need to be refreshed after a prolonged SSL session.

  • Stronger ciphers need to be applied for a more secure connection.

Nonsecure renegotiation exposes the session to the plaintext-injection attack that RFC 5746 was written to close, so prefer Allow-secure or Drop unless a legacy peer requires the old behaviour.
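The two decisions the proxy takes from a client's ClientHello, choosing a suite from the profile's custom cipher list in the profile's order of preference (Custom Ciphers above) and telling RFC 5746 secure renegotiation apart from the nonsecure kind (Renegotiation above), worked through in Python as an added example. This is not Juniper code and does not model the SRX implementation, only the policy decisions. The ClientHello bytes are constructed inline with a zeroed random field, and the IANA code points are mapped to the suite names used on this page.

```python
"""Parse a TLS ClientHello and apply SSL-proxy-style cipher and renegotiation policy.

Added example, not Juniper code. ClientHello bytes are constructed inline.
"""
import struct

# IANA cipher-suite code points for the suites listed in the custom cipher table.
SUITE_CODES = {
    "rsa-with-rc4-128-md5": 0x0004,
    "rsa-with-rc4-128-sha": 0x0005,
    "rsa-with-des-cbc-sha": 0x0009,
    "rsa-with-3des-ede-cbc-sha": 0x000A,
    "rsa-with-aes-128-cbc-sha": 0x002F,
    "rsa-with-aes-256-cbc-sha": 0x0035,
    "rsa-export-with-rc4-40-md5": 0x0003,
    "rsa-export-with-des40-cbc-sha": 0x0008,
    "rsa-with-aes-256-gcm-sha384": 0x009D,
    "rsa-with-aes-256-cbc-sha256": 0x003D,
    "rsa-with-aes-128-gcm-sha256": 0x009C,
    "rsa-with-aes-128-cbc-sha256": 0x003C,
    "ecdhe-rsa-with-aes-256-gcm-sha384": 0xC030,
    "ecdhe-rsa-with-aes-256-cbc-sha": 0xC014,
    "ecdhe-rsa-with-aes-256-cbc-sha384": 0xC028,
    "ecdhe-rsa-with-3des-ede-cbc-sha": 0xC012,
    "ecdhe-rsa-with-aes-128-gcm-sha256": 0xC02F,
    "ecdhe-rsa-with-aes-128-cbc-sha": 0xC013,
    "ecdhe-rsa-with-aes-128-cbc-sha256": 0xC027,
}
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01         # RFC 5746 renegotiation_info extension type


def build_client_hello(suites, secure_reneg=True, use_scsv=True):
    """Constructed TLS 1.2 ClientHello (record + handshake framing) for testing."""
    codes = [SUITE_CODES[s] for s in suites]
    if secure_reneg and use_scsv:
        codes.append(EMPTY_RENEGOTIATION_INFO_SCSV)
    body = b"\x03\x03" + bytes(32)          # client_version, random (zeros: constructed)
    body += b"\x00"                         # empty session id
    body += struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    body += b"\x01\x00"                     # compression methods: null only
    exts = b""
    if secure_reneg and not use_scsv:
        # renegotiation_info with an empty renegotiated_connection (initial handshake)
        exts += struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS handshake record


def parse_client_hello(data):
    """Return the offered cipher codes and extension types; raise on malformed input."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    exts = set()
    if pos < len(body):                            # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.add(etype)
            pos += 4 + elen
    return {"suites": suites, "extensions": exts}


def renegotiation_capability(hello):
    """'secure' if the client signals RFC 5746 support (SCSV or extension), else 'nonsecure'."""
    if EMPTY_RENEGOTIATION_INFO_SCSV in hello["suites"] or EXT_RENEGOTIATION_INFO in hello["extensions"]:
        return "secure"
    return "nonsecure"


def select_cipher(hello, custom_ciphers):
    """Pick the first suite in the profile's preference order that the client offered.

    The profile's order wins over the client's order; None means no common suite,
    i.e. the handshake would fail.
    """
    offered = set(hello["suites"])
    for name in custom_ciphers:
        if SUITE_CODES[name] in offered:
            return name
    return None


if __name__ == "__main__":
    profile = ["ecdhe-rsa-with-aes-256-gcm-sha384", "ecdhe-rsa-with-aes-128-gcm-sha256",
               "rsa-with-aes-128-cbc-sha"]
    raw = build_client_hello(["rsa-with-aes-128-cbc-sha", "ecdhe-rsa-with-aes-128-gcm-sha256",
                              "rsa-with-rc4-128-sha"])
    hello = parse_client_hello(raw)
    print(select_cipher(hello, profile), renegotiation_capability(hello))
```

A client that offers only RC4 against a profile whose custom list omits it gets no suite at all, which is the intended effect of a tight custom cipher list; a client without the SCSV or the renegotiation_info extension is what the Allow-secure setting refuses to renegotiate with.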

Certificate Revocation

Select the check box to check server certificates against the certificate revocation list (CRL) of the issuing CA.

If CRL info not present

Specifies the action to take when no CRL information is available for the server certificate.

Select an action from the list: Allow session, Drop session, or None. Allow session fails open, so a revoked certificate is accepted whenever its CRL cannot be obtained; Drop session fails closed.

Hold Instruction Code

Select Ignore to treat a certificate whose CRL entry carries the certificateHold reason code as valid rather than revoked. Otherwise such certificates are treated as revoked.

Mirror Decrypt Traffic

Interface

Select an SSL decryption port-mirroring interface from the list. This is an Ethernet interface on the SRX Series device through which a copy of the decrypted SSL traffic is forwarded to the mirror port.

Only after Security Policies Enforcement

Select the check box to enable forwarding the copy of the decrypted traffic to the external mirror traffic collector after enforcing the Layer 7 security services through a security policy.

MAC Address

Enter the MAC address of the external mirror traffic collector port.