Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

SSL Decryption Mirroring

SSL decryption mirroring feature enables you to monitor SSL decrypted application traffic entering and exiting the SRX Series Firewall. For more information on SSL decryption mirroring, read this topic.

Understanding SSL Decryption Mirroring Functionality

Starting in Junos OS Release 18.4R1, SSL decryption mirroring functionality for SSL forward proxy and for SSL reverse proxy is introduced.

SSL decryption mirroring feature enables you to monitor SSL decrypted application traffic entering and exiting the SRX Series Firewall. When you enable this feature, the SRX Series Firewall uses an Ethernet interface—the configured SSL decryption mirroring interface—to forward a copy of the decrypted SSL traffic to a trusted traffic collection tool or a network analyzer for inspection and analysis. Typically, you connect this external monitoring device to the SSL decryption mirroring interface through a switching device. The external mirror traffic collector port is the port (or interface) that receives the copy of the decrypted traffic from the SSL decryption mirroring interface on the SRX Series Firewall.

To use the SSL decryption mirroring feature, you define an SSL proxy profile, and apply it to the security policy. The security policy rule allows you to define traffic that you want the device to decrypt. When you attach the SSL proxy profile to the security policy rule, the traffic matching the security policy rule is decrypted. The SSL decryption mirroring interface delivers a copy of decrypted HTTPS and STARTTLS (POP3S/SMTPS/IMAPS) traffic to a trusted external device or traffic collection tool for inspection and analysis.

The embedded 5-tuple data of the decrypted IP packet includes the same following values as the encrypted IP packets:

  • Source IP address

  • Destination IP address

  • Source port number

  • Destination port number

  • Protocol number

Retaining the same 5-tuple data without reconfiguration ensures that the decrypted traffic is saved in packet-capturing format (Wireshark) and you can replay the data later.

Only TCP sequence numbers and ACK numbers are constructed based on the actual decrypted payload forwarded on the SSL decryption mirroring port. If the decrypted packet size exceeds the maximum transmission unit (MTU) size of the SSL decryption mirroring port, then the decrypted payload is divided into multiple TCP segments based on the MTU size requirements.

SSL Decryption Mirroring Before or After Policy Enforcement

By default, the SRX Series Firewall forwards the SSL decrypted payload to the mirror port before Junos OS enforces Layer 7 security services, including IDP, Juniper ATP Cloud, and Content Security. This option allows you to replay events and analyze traffic that generates a threat or triggers a drop action.

You can also configure mirroring of the decrypted traffic after enforcing the security policy. With this option, only traffic that is forwarded through the security policy is mirrored. However, if the decrypted payload is modified while enforcing the security policy, the modified decrypted payload is forwarded on the mirror port. Similarly, if the decrypted traffic is dropped because of policy enforcement (for example, when a threat is detected in the decrypted traffic), that particular decrypted traffic is not forwarded on the mirror port.

SSL Decryption Mirroring Support

  • Supported for SSL forward proxy and SSL reverse proxy.

  • Supported for both IPv4 and IPv6 traffic.

  • The SSL decrypted traffic available on the mirror port is in cleartext format. All the cipher suites that are supported by SSL proxy support SSL decryption mirroring functionality. For the list of supported cipher suites, see SSL Proxy Overview.

Benefits of SSL Decryption Mirroring

  • Enables comprehensive data capture for auditing, forensic investigations, and historical purposes.

  • Provides data leak prevention.

  • Enables additional security processing done by third-party appliances for IDP, Content Security, and so on.

  • Provides insight about the threats involved.

Limitations

  • SSL decryption mirroring cannot be configured on the st0 tunnel interface.

SSL Decryption Mirroring Support in Chassis Cluster

Starting in Junos OS Release 18.4R1-S2 and Junos OS Release 19.2R1, the SSL decryption mirroring feature is supported on redundant Ethernet (reth) interface on SRX Series Firewalls operating in a chassis cluster.

Configuring SSL Decryption Mirroring

This example shows how to enable mirroring of SSL decrypted traffic on an SRX Series Firewall.

Configuration

Step-by-Step Procedure

Use the following steps to configure the SSL decryption mirroring.

  1. Define the SSL decryption mirroring interface with logical unit number 0.

  2. Specify the SSL decryption mirroring interface in the SSL proxy profile.

    Ge-0/0/2.0 is configured as designated SSL decryption mirroring interface.

  3. Specify the MAC address of the of the external mirror traffic collector port.

  4. Create a security policy by specifying the match criteria for the traffic.

  5. Attach the SSL proxy profile to the security policy rule.

    This configuration enables the external mirror traffic collector port (or interface) to receive the copy of the decrypted traffic from the SSL decryption mirroring interface on the SRX Series Firewall.

Results

From configuration mode, confirm your configuration by entering the show services ssl proxy profile and show security policies from-zone trust to-zone untrust policy commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Requirements

This example uses the following hardware and software components:

  • Any SRX Series Firewall with Junos OS Release 18.4R1 or later. This configuration example is tested for Junos OS Release 18.4R1.

No special configuration beyond device initialization is required before configuring this feature.

Before you begin:

  • Configure SSL proxy. See SSL Proxy Overview.

  • The SSL decryption mirroring interface that you configure doesn’t need to be part of any security zones.

  • Ensure that SSL decryption mirroring interface and the actual client-server SSL traffic processing interfaces are part of the same routing instance.

  • Ensure that the SSL decryption mirroring interface on the SRX Series Firewall and the external mirror traffic collector port must be part of the same broadcast domain.

Note:

You don’t need to configure a separate security policy to allow traffic from SRX Series Firewall to the SSL decryption mirroring interface..

Overview

In this example, configure an SSL forward proxy profile by specifying the name of the SSL decryption mirroring interface and the MAC address of the external mirror traffic collector port. Next, create a security policy and invoke the SSL proxy as application service on the permitted traffic. The traffic matching the security policy rule is decrypted. A copy of the decrypted SSL payload is then encapsulated into an IP packet and forwarded to the on the external mirror traffic collector port through SSL decryption mirroring interface.

Figure 1 illustrates the topology used in this example.

Figure 1: SSL Decryption MirroringSSL Decryption Mirroring

Table 1 provides the details of the parameters used in this example.

Table 1: Parameters Used in SSL Decryption Mirroring Example

Parameter

Name

SSL decryption mirroring interface on SRX Series Firewall

ge-0/0/2.0

MAC address of the external mirror traffic collector port

00:50:56:a6:5f:1f

SSL proxy profile

profile-1

Security policy

policy 1

Verification

Verify SSL Proxy Configuration

Purpose

Confirm that the configuration is working properly by displaying the SSL proxy statistics.

Action

From operational mode, enter the show services ssl proxy statistics command.

Release History Table
Release
Description
18.4R1
Starting in Junos OS Release 18.4R1, SSL decryption mirroring functionality for SSL forward proxy and for SSL reverse proxy is introduced