Configure SSL Forward Proxy
Configuring SSL Forward Proxy decryption on the firewall requires setting up the certificates needed for SSL Forward Proxy decryption and creating an SSL Forward Proxy decryption policy. The firewall can use self-signed certificates or certificates signed by an enterprise CA to perform SSL Forward Proxy decryption.
By default, the firewall determines the key size to use for the client certificates it generates based on the key size of the destination server certificate. You can optionally set a static key size to use regardless of the key size of the destination server certificate. See Configure the Key Size for SSL Forward Proxy Server Certificates.
Use the following task to configure SSL Forward Proxy, including how to set up the certificates and create a decryption policy.
1. Ensure that the appropriate interfaces are configured as virtual wire, Layer 2, or Layer 3 interfaces. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column shows whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including its interface type.

2. Configure the forward trust certificate. Use either a self-signed certificate or a certificate signed by an enterprise CA.

   Using self-signed certificates
   When the certificate of the server that the client is connecting to is signed by a CA that is on the firewall's trusted CA list, the firewall signs a copy of the server's certificate with a self-signed forward trust certificate and presents it to the client for authentication. In this case, the self-signed certificate must be imported onto each client system so that the client recognizes the firewall as a trusted CA. Use self-signed certificates for SSL Forward Proxy decryption if you do not use an enterprise CA, if you only intend to perform decryption for a limited number of client systems, or if you plan to use a centralized deployment. To use a self-signed certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as my-fwd-trust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate; in this case, we are using the IP of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Select the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported into the client browsers, so clients trust the firewall as a CA.
   g. Click Generate to generate the certificate.
   h. Click the new certificate my-fwd-trust to modify it and enable the Forward Trust Certificate option.
   i. Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Because the certificate is self-signed, import it into the browser trusted root CA list on the client systems so that the clients trust it.
      When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO). If the forward trust certificate is not imported on the client systems, users will see certificate warnings for each SSL site they visit.
   j. Click OK to save.

   Using an enterprise CA
   An enterprise CA can issue a signing certificate which the firewall can then use to sign the certificates for sites requiring SSL decryption. Send a Certificate Signing Request (CSR) to the enterprise CA to sign and validate. The firewall can then use the signed enterprise CA certificate for SSL Forward Proxy decryption. Because the enterprise CA is already trusted by the client systems, with this option you do not need to distribute the certificate to client systems before configuring decryption. To use an enterprise CA signed certificate:
   a. Generate a CSR: Select Device > Certificate Management > Certificates and click Generate. Enter a Certificate Name, such as my-fwd-proxy. In the Signed By drop-down, select External Authority (CSR). (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall, such as Country or Department. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
   b. Export the CSR: Select the pending certificate displayed on the Device Certificates tab and click Export to download and save the certificate file. Leave Export private key unselected so that the private key remains securely on the firewall. Click OK.
   c. Provide the certificate file to your enterprise CA. When you receive the signed certificate from your enterprise CA, save it for import onto the firewall.
   d. Import the signed enterprise CA certificate onto the firewall: Select Device > Certificate Management > Certificates and click Import. Enter the pending Certificate Name exactly (in this case, my-fwd-proxy); the name you enter must exactly match the pending certificate's name for the pending certificate to be validated. Select the signed Certificate File that you received from your enterprise CA and click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
   e. Select the validated certificate, in this case my-fwd-proxy, to enable it as a Forward Trust Certificate for SSL Forward Proxy decryption. Click OK.

3. Configure the forward untrust certificate. With SSL Forward Proxy decryption, when the site the client is connecting to uses a certificate signed by a CA that is not in the firewall's trusted CA list, the firewall presents a forward untrust certificate to the client. The forward untrust certificate ensures that clients see a certificate warning when they attempt to access sites with untrusted certificates.
   a. Click Generate at the bottom of the certificates page.
   b. Enter a Certificate Name, such as my-fwd-untrust.
   c. Set the Common Name, for example 192.168.2.1.
   d. Leave Signed By blank.
   e. Select the Certificate Authority check box to enable the firewall to issue the certificate.
   f. Click Generate to generate the certificate, then click OK to save.
   g. Click the new my-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option.
   h. Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, users will not see certificate warnings for SSL sites with untrusted certificates.
   i. Click OK to save.

4. (Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. Changing the key size clears the current certificate cache. Select Device > Setup > Session and, in the Decryption Settings section, click Forward Proxy Server Certificate Settings. Select a Key Size: Defined by destination host (default), 1024-bit RSA, or 2048-bit RSA.

5. (Optional) Create a Decryption profile. Decryption profiles can be associated with a decryption policy, enabling the firewall to block and control various aspects of the traffic being decrypted. An SSL Forward Proxy decryption profile can check for server certificate problems, unsupported modes, and failures, and block or restrict traffic accordingly. For a complete list of the checks that can be performed, navigate to Objects > Decryption Profiles on the firewall and click the help icon.
   a. Select Objects > Decryption Profile and click Add.
   b. Select the SSL Forward Proxy tab to block and control specific aspects of SSL tunneled traffic. For example, you can choose to terminate sessions if system resources are not available to process decryption by selecting Block sessions if resources not available.
   c. Click OK to save the profile.

6. Configure a decryption policy.
   a. Select Policies > Decryption and click Add.
   b. On the General tab, give the policy a descriptive Name.
   c. On the Source and Destination tabs, select Any for the Source Zone and Destination Zone to decrypt all SSL traffic destined for an external server. If you want to select traffic from or to specific sources or destinations for decryption, click Add.
   d. On the URL Category tab, leave Any to decrypt all traffic. If you only want to apply this policy to certain website categories, click Add. Selecting a URL Category is useful for excluding certain sites from decryption. See Configure Decryption Exceptions.
   e. On the Options tab, select Decrypt and select SSL Forward Proxy as the Type of decryption to perform.
   f. (Optional) Select a Decryption Profile to apply additional settings to decrypted traffic (see Step 5).
   g. Click OK to save.

7. Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This is a WildFire best practice. Forwarding portable executables (PEs) only does not require a WildFire license; forwarding advanced file types requires an active WildFire license.
   - On a firewall with no virtual systems configured: Select Device > Setup > Content-ID, edit the Content-ID settings, and select Allow Forwarding of Decrypted Content. Click OK to save the changes.
   - On a firewall with multiple virtual systems configured: Select Device > Virtual Systems, select the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.

8. Commit the configuration. With an SSL Forward Proxy decryption policy enabled, all traffic identified by the policy is decrypted. Decrypted traffic is blocked and restricted according to the profiles configured on the firewall (including the decryption profiles associated with the policy and the Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File Blocking profiles). Traffic is re-encrypted as it leaves the firewall.