ssl-inspection
Syntax
ssl-inspection {
    cache-prune-chunk-size number;
    key-protection;
    maximum-cache-size number;
    session-id-cache-timeout seconds;
    sessions number;
}
Hierarchy Level
[edit security idp sensor-configuration]
Description
Inspect HTTP traffic encrypted with the SSL protocol. SSL inspection is disabled by default; it is enabled when you configure the ssl-inspection statement.
With the Intrusion Detection and Prevention (IDP) Secure Sockets Layer (SSL) decryption feature, SRX Series Firewalls load the configured RSA private keys into memory and use them to derive SSL session keys for decrypting data. IDP must decrypt the RSA keys and verify their integrity before performing normal encryption or decryption operations with them.
Options
The remaining statements are explained separately. See CLI Explorer.
cache-prune-chunk-size | Number of cache entries to delete when pruning the SSL session ID cache.
key-protection | Enable secure key handling. When key protection is enabled, persistent keys are encrypted when not in use, which improves security. This option is off by default. Enabling or disabling this option requires rebooting the device.
maximum-cache-size | Maximum SSL session ID cache size.
session-id-cache-timeout | Timeout value for the IDP session ID cache (range: 1 through 7200 seconds).
sessions | Maximum number of SSL sessions for inspection. This limit is per Services Processing Unit (SPU).
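A worked configuration of this stanza, added here as an illustration and not taken from the Junos documentation; the numeric values are assumed example values chosen for the illustration, not recommendations for any platform:

```junos
# Configuration-mode commands (values are assumed examples, not recommendations).
set security idp sensor-configuration ssl-inspection sessions 10000
set security idp sensor-configuration ssl-inspection maximum-cache-size 5000
set security idp sensor-configuration ssl-inspection cache-prune-chunk-size 50
set security idp sensor-configuration ssl-inspection session-id-cache-timeout 600
# Encrypt persistent RSA keys when not in use; this takes effect only after a reboot.
set security idp sensor-configuration ssl-inspection key-protection
commit

# Resulting hierarchy, as shown by "show security idp sensor-configuration"
# from configuration mode:
ssl-inspection {
    cache-prune-chunk-size 50;
    key-protection;
    maximum-cache-size 5000;
    session-id-cache-timeout 600;
    sessions 10000;
}
```

Because the sessions limit is enforced per SPU, size it against the SSL session load expected on a single SPU rather than the whole chassis, and schedule the reboot that a key-protection change requires before committing it.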
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statements introduced in Junos OS Release 9.3.
Options cache-prune-chunk-size and maximum-cache-size introduced in Junos OS Release 10.2.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.