Creating SSL Forward Proxy Profiles

Use this page to configure SSL forward proxy profiles. SSL proxy is enabled as an application service within a security policy: you specify the traffic on which SSL proxy is enabled as match criteria, and then specify the SSL proxy profile to apply to that traffic.

To create an SSL forward proxy profile:

Note:

Ensure that you have a root certificate imported for the tenant before you create an SSL forward proxy profile. You can import SSL certificates (root and trusted) from the Certificates page (Administration > Certificates) and associate the certificates with SSL forward proxy profiles.

  1. Select Configuration > SSL Proxy > Profiles in Customer Portal.

    The SSL Proxy Profiles page appears.

  2. Click the add icon (+) to create an SSL forward proxy profile.

    The Create SSL Proxy Profiles page appears.

  3. Complete the configuration according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    An SSL forward proxy profile is created. You are returned to the SSL Proxy Profiles page where a confirmation message is displayed.

    The SSL forward proxy profile can be used in an SSL proxy policy intent (Configuration > SSL Proxy > Policy).

Table 1: Creating SSL Forward Proxy Profile Settings (each setting is followed by its guideline; settings are grouped under General Information and Actions)

General Information

Name

Enter a unique name for the profile, which is a string of alphanumeric characters and some special characters (- _). No spaces are allowed and the maximum length is 63 characters.

Description

Enter a description for the profile. The maximum length is 255 characters.

Preferred Cipher

Select a preferred cipher. Preferred ciphers enable you to define an SSL cipher that can be used with acceptable key strength. You can select from the following categories:

  • None (Default)—Do not specify a preferred cipher.

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

  • Custom—Configure a custom cipher suite.

Custom Ciphers

If you specified Custom as the preferred cipher, you can define a custom cipher list by selecting ciphers.

Select the set of ciphers that the SSL proxy can use to perform encryption and decryption functions.

The available custom ciphers are:

  • rsa-with-RC4-128-md5—RSA, 128-bit RC4, MD5 hash

  • rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

  • rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

  • rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

  • rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

  • rsa-with-aes-256-cbc-sha—RSA, 256-bit AES/CBC, SHA hash

  • rsa-export-with-rc4-40-md5—RSA-export, 40-bit RC4, MD5 hash

  • rsa-export-with-des40-cbc-sha—RSA-export, 40-bit DES/CBC, SHA hash

  • rsa-export1024-with-des-cbc-sha—RSA 1024-bit export, DES/CBC, SHA hash

  • rsa-export1024-with-rc4-56-md5—RSA 1024-bit export, 56-bit RC4, MD5 hash

  • rsa-export1024-with-rc4-56-sha—RSA 1024-bit export, 56-bit RC4, SHA hash

  • rsa-with-aes-256-gcm-sha384—RSA, 256-bit AES/GCM, SHA384 hash

  • rsa-with-aes-256-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash

  • rsa-with-aes-128-gcm-sha256—RSA, 128-bit AES/GCM, SHA256 hash

  • rsa-with-aes-128-cbc-sha256—RSA, 128-bit AES/CBC, SHA256 hash

  • ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256-bit AES/GCM, SHA384 hash

  • ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256-bit AES/CBC, SHA384 hash

  • ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256-bit AES/CBC, SHA hash

  • ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES EDE/CBC, SHA hash

  • ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128-bit AES/GCM, SHA256 hash

  • ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128-bit AES/CBC, SHA256 hash

  • ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128-bit AES/CBC, SHA hash
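The preferred-cipher categories above are defined purely by key strength (Weak at 40 bits or more, Medium at 128 or more, Strong at 168 or more), so a 128-bit RC4 suite lands in Medium even though RC4 itself is obsolete. The following added example (not Juniper's code, and not how the portal evaluates the setting) derives the key strength of each custom cipher from its name, sorts the page's list into the page's three categories, and separately flags suites that rely on export-grade keys, RC4, single DES, 3DES or MD5 so that an administrator building a custom list can see which entries the category thresholds alone would not exclude. The legacy-primitive flags and the `hardened_custom_list` selection are this example's own policy, not a recommendation taken from the page.

```python
import re
from dataclasses import dataclass, field

# The custom cipher names exactly as the profile page lists them.
PAGE_CIPHERS = [
    "rsa-with-RC4-128-md5", "rsa-with-RC4-128-sha",
    "rsa-with-des-cbc-sha", "rsa-with-3DES-ede-cbc-sha",
    "rsa-with-aes-128-cbc-sha", "rsa-with-aes-256-cbc-sha",
    "rsa-export-with-rc4-40-md5", "rsa-export-with-des40-cbc-sha",
    "rsa-export1024-with-des-cbc-sha", "rsa-export1024-with-rc4-56-md5",
    "rsa-export1024-with-rc4-56-sha",
    "rsa-with-aes-256-gcm-sha384", "rsa-with-aes-256-cbc-sha256",
    "rsa-with-aes-128-gcm-sha256", "rsa-with-aes-128-cbc-sha256",
    "ecdhe-rsa-with-aes-256-gcm-sha384", "ecdhe-rsa-with-aes-256-cbc-sha384",
    "ecdhe-rsa-with-aes-256-cbc-sha", "ecdhe-rsa-with-aes-3des-ede-cbc-sha",
    "ecdhe-rsa-with-aes-128-gcm-sha256", "ecdhe-rsa-with-aes-128-cbc-sha256",
    "ecdhe-rsa-with-aes-128-cbc-sha",
]

# Minimum key strength per preferred-cipher category, as the page defines them
# (ordered strongest first so the first threshold met is the category).
CATEGORY_MIN_BITS = {"strong": 168, "medium": 128, "weak": 40}


@dataclass
class CipherInfo:
    name: str
    key_bits: int
    forward_secrecy: bool                 # ECDHE key exchange
    legacy_reasons: list = field(default_factory=list)


def key_strength_bits(name: str) -> int:
    """Derive the symmetric key strength from the cipher name."""
    n = name.lower()
    if "3des" in n:
        return 168                        # three-key triple DES
    m = re.search(r"(?:aes|rc4)-(\d+)", n)
    if m:
        return int(m.group(1))
    m = re.search(r"des(\d+)", n)         # e.g. des40 in the export suites
    if m:
        return int(m.group(1))
    if "-des-" in n:
        return 56                         # single DES
    raise ValueError(f"cannot derive key strength from {name!r}")


def category(name: str):
    """Map a cipher to the page's category (strong/medium/weak) by key strength alone."""
    bits = key_strength_bits(name)
    for cat, minimum in CATEGORY_MIN_BITS.items():
        if bits >= minimum:
            return cat
    return None


def describe(name: str) -> CipherInfo:
    """Key strength plus the legacy primitives the category thresholds do not catch."""
    n = name.lower()
    reasons = []
    if "export" in n:
        reasons.append("export-grade key")
    if "rc4" in n:
        reasons.append("RC4 stream cipher")
    if re.search(r"(?<!3)des", n):        # DES that is not part of 3DES
        reasons.append("single DES")
    if "3des" in n:
        reasons.append("3DES (64-bit block)")
    if n.endswith("-md5"):
        reasons.append("MD5 MAC")
    return CipherInfo(name, key_strength_bits(name), n.startswith("ecdhe-"), reasons)


def audit(names):
    """Group cipher names into the page's categories."""
    groups = {"strong": [], "medium": [], "weak": []}
    for name in names:
        groups[category(name)].append(name)
    return groups


def hardened_custom_list(names, require_forward_secrecy=False):
    """Example policy: keep 128-bit or stronger suites with no legacy primitive."""
    keep = []
    for name in names:
        info = describe(name)
        if info.key_bits < 128 or info.legacy_reasons:
            continue
        if require_forward_secrecy and not info.forward_secrecy:
            continue
        keep.append(name)
    return keep


if __name__ == "__main__":
    for cat, members in audit(PAGE_CIPHERS).items():
        print(f"{cat}: {len(members)} ciphers")
    for name in PAGE_CIPHERS:
        info = describe(name)
        if info.legacy_reasons:
            print(f"  {name}: {', '.join(info.legacy_reasons)}")
    print("ECDHE-only hardened list:", hardened_custom_list(PAGE_CIPHERS, True))
```

Running it shows that the page's thresholds put eight suites in Strong, eight in Medium and six in Weak, while the legacy flags additionally single out the RC4, DES, 3DES, export and MD5 entries inside the Medium and Strong groups.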

Flow Trace

Select this option to enable flow tracing, which helps in troubleshooting policy-related issues.

Root Certificate

Select or add a root certificate. In a public key infrastructure (PKI) hierarchy, the root certificate authority (CA) is at the top of the trust path.

Trusted Certificate Authorities

Choose whether you want to add all trusted certificates present on the device (All) or select specific trusted certificates. Before establishing a secure connection, the SSL proxy checks CA certificates to verify signatures on server certificates.

Note:
  • Specifying that all trusted certificates should be used means that all trusted certificates on a particular device (site) will be used during SSL policy deployment.

  • If you specify that all trusted certificates should be used in an SSL forward proxy profile, you must ensure that at least one trusted certificate is installed on the device.

Actions

Exempted Addresses

Exempted addresses include addresses that you want to exempt from undergoing SSL proxy processing.

To specify exempted addresses, select one or more addresses in the Available column and click the forward arrow to confirm your selection. The selected addresses are then displayed in the Selected column. These addresses are used to create allowlists that bypass SSL forward proxy processing.

Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions.

Such sessions typically include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists.

Note:

You can also add addresses by clicking Add New Address. The Create Addresses page appears. See Creating Addresses or Address Groups.
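The allowlist described above is a list of server IP addresses or domain names for which the proxy skips decryption entirely. The following added example (not the portal's or the device's own matching logic) shows the kind of decision such an allowlist drives: a destination is checked against CIDR blocks and hostnames, and anything that matches is marked "bypass" while everything else is marked "inspect". The allowlist entries are constructed for the example, the wildcard-domain syntax and the rule that a wildcard does not match the apex name are this example's assumptions, and a real deployment would be reviewed to confirm that nothing beyond the intended trusted or legally exempt sites ends up uninspected.

```python
import ipaddress

# Constructed allowlist: a CIDR block, an exact hostname and a wildcard domain.
EXAMPLE_ALLOWLIST = [
    "203.0.113.0/24",        # documentation range standing in for a trusted server block
    "bank.example.com",      # exact hostname
    "*.payments.example",    # any subdomain, but not payments.example itself (assumption)
]


def _host_matches(host: str, pattern: str) -> bool:
    """Exact hostname match, or subdomain match for '*.' patterns (apex excluded)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def should_bypass_ssl_proxy(destination: str, allowlist):
    """Return (bypass, matched_entry); destination is an IP literal or a hostname."""
    try:
        ip = ipaddress.ip_address(destination)
    except ValueError:
        ip = None                          # not an IP literal, treat as hostname
    for entry in allowlist:
        if ip is not None:
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue                   # entry is a hostname, not a network
            if ip in network:
                return True, entry
        elif _host_matches(destination, entry):
            return True, entry
    return False, None


def decisions(destinations, allowlist):
    """Map each destination to ("bypass", entry) or ("inspect", None)."""
    out = {}
    for dest in destinations:
        bypass, entry = should_bypass_ssl_proxy(dest, allowlist)
        out[dest] = ("bypass", entry) if bypass else ("inspect", None)
    return out


if __name__ == "__main__":
    sample = ["203.0.113.42", "198.51.100.7", "bank.example.com",
              "api.payments.example", "payments.example"]
    for dest, verdict in decisions(sample, EXAMPLE_ALLOWLIST).items():
        print(f"{dest:24} -> {verdict[0]}" + (f" ({verdict[1]})" if verdict[1] else ""))
```

Note that a bypass decision means the session is never decrypted, so none of the profile's other controls (certificate checks, logging of dropped sessions) apply to it; keeping the allowlist short and reviewing it with the same care as the Server Auth Failure setting is the defensive trade-off the page describes.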

Exempted URL Categories

Select the previously defined URL categories to create allowlists that bypass SSL forward proxy processing. The selected URL categories are exempted during SSL inspection.

Server Auth Failure

Select this check box to ignore errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). This check box is cleared by default.

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Session Resumption

Select this check box to disable session resumption. This check box is cleared by default.

To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session-caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.

Logging

Select one or more events to be logged. You can choose to log all events, warnings, general information, errors, or different sessions (allowed, dropped, or ignored). Logging is disabled by default.

Renegotiation

Select one of the following options if a change in SSL parameters requires renegotiation:

  • None (default)—Indicates that renegotiation is not required.

  • Allow—Allow secure and nonsecure renegotiation.

  • Allow-secure—Allow secure renegotiation only.

  • Drop—Drop session on renegotiation request.

After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

When session resumption is enabled, session renegotiation is useful in the following situations:

  • Cipher keys need to be refreshed after a prolonged SSL session.

  • Stronger ciphers need to be applied for a more secure connection.