Understanding How SSL Proxy Policy Intents Are Applied

When you deploy an SSL proxy policy, SSL proxy profiles are deployed to the applicable sites based on the SSL proxy policy intents. Firewall policy and SSL proxy policy deployments are related: a firewall policy deployment takes into account the last-deployed SSL snapshot, and vice versa. Therefore, even if an SSL proxy profile is deployed to the applicable sites, it is applied only to the traffic to which a firewall policy intent applies.

The decision regarding which SSL proxy profile is attached to a firewall policy intent is based on matching criteria between SSL proxy policy and firewall policy intents. In addition, if there is a match between the SSL proxy policy intent and the firewall policy intent, the SSL profile is applied only to the policy intents that are common between the firewall and the SSL proxy policies.

The following examples demonstrate the matching logic between SSL proxy policy and firewall policy intents.

Example 1: Firewall Policy Intent and SSL Proxy Policy Intent Match

Table 1 shows an example of a firewall policy intent and an SSL proxy policy intent that match, which means that the SSL proxy profile attaches to the firewall policy intent. In this case, the firewall policy intent has a source and destination of Any IP address, which signifies traffic from any IP address from any site to any IP address on the Internet. The SSL proxy policy intent has a source of Any IP address, which signifies any IP address from any site, and a destination IP address of 198.51.100.0.

Therefore, there is a match between the firewall policy intent and the SSL proxy policy intent, and the SSL proxy profile is applied only to traffic from any IP address of any site to the IP address 198.51.100.0.

Table 1: (Example) Match Between Firewall Policy Intent and SSL Proxy Policy Intent

| Type                    | Source         | Destination             | Action or Profile |
|-------------------------|----------------|-------------------------|-------------------|
| Firewall policy intent  | IP address—Any | IP address—Any          | Allow             |
| SSL proxy policy intent | IP address—Any | IP address—198.51.100.0 | SSL-Profile-1     |

Example 2: Firewall Policy Intent and SSL Proxy Policy Intent Do Not Match

Table 2 shows an example of a firewall policy intent and an SSL proxy policy intent that do not match, which means that the SSL proxy profile does not attach.

At first glance, it appears that an SSL proxy policy intent with a source and destination IP address of Any should match a firewall policy intent with a source IP address of Any and a destination department of Finance. This is not the case, because of what the IP address value Any signifies in the destination.

For both firewall and SSL proxy policy intents:

  • A source IP address value of Any signifies any IP address from any site.

  • A destination IP address value of Any signifies traffic going to the Internet—that is, to any IP address on the Internet. Traffic within sites (internal traffic) is not covered by the destination IP address value of Any.

In this example, the firewall policy intent applies to traffic from any IP address (from any site) to the Finance department, whereas the SSL proxy policy intent applies to traffic from any IP address (from any site) to any IP address on the Internet. The two intents therefore select different traffic: there is no match between the firewall policy intent and the SSL proxy policy intent, and the SSL proxy profile does not attach.

Table 2: (Example) No Match Between Firewall Policy Intent and SSL Proxy Policy Intent

| Type                    | Source         | Destination        | Action or Profile |
|-------------------------|----------------|--------------------|-------------------|
| Firewall policy intent  | IP address—Any | Department—Finance | Allow             |
| SSL proxy policy intent | IP address—Any | IP address—Any     | SSL-Profile-2     |

Example 3: Applying SSL Proxy Policy Intents on Internal (Site-to-Site) Traffic

Note:

SSL forward proxy is typically not used for site-to-site traffic; this example is provided only to explain how an SSL proxy policy intent applies to site-to-site traffic.

Consider a scenario in which you have three sites (A, B, C) and you want to configure an SSL proxy for traffic between the sites. Table 3 displays the firewall policy and SSL proxy policy intents that you can use for such a scenario.

Both the firewall policy intent and the SSL proxy policy intent use Site A, Site B, and Site C as the source and destination. Therefore, the firewall policy intent and the SSL proxy policy intent match, and the SSL proxy profile attaches to the firewall policy intent.

Note:

The destination must be specified explicitly as Site A, Site B, and Site C, because a destination IP address value of Any signifies any IP address on the Internet and does not cover traffic to the sites themselves.

Table 3: (Example) Firewall Policy and SSL Proxy Policy Intents for Site-to-Site Traffic

| Type                    | Source                 | Destination            | Action or Profile |
|-------------------------|------------------------|------------------------|-------------------|
| Firewall policy intent  | Site A, Site B, Site C | Site A, Site B, Site C | Allow             |
| SSL proxy policy intent | Site A, Site B, Site C | Site A, Site B, Site C | SSL-Profile-3     |
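The matching rules behind Tables 1 to 3, as an added Python model written for this page (not CSO code). It assumes that a specific IP address used as a destination is an Internet host, and that selectors of different kinds (IP address, department, site) never overlap.

```python
# Added example modelling the intent-matching rules described on this page; not CSO code.
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "Any"


@dataclass(frozen=True)
class Endpoint:
    kind: str   # "ip", "department" or "site"
    value: str  # ANY, an IP address/prefix, or a name such as "Finance" or "Site A"


def overlap(a: Endpoint, b: Endpoint, role: str) -> bool:
    """True when selectors a and b cover some common traffic as source or destination."""
    a_any = a.kind == "ip" and a.value == ANY
    b_any = b.kind == "ip" and b.value == ANY
    if role == "source" and (a_any or b_any):
        return True  # source Any = any IP address from any site, so it covers everything
    if role == "destination" and (a_any or b_any):
        # destination Any = any IP address on the Internet. Assumption: a specific IP
        # destination is an Internet host; departments and sites are internal, so no overlap.
        return a.kind == "ip" and b.kind == "ip"
    if a.kind != b.kind:
        return False  # assumption: selectors of different kinds are disjoint
    if a.kind == "ip":
        return ip_network(a.value, strict=False).overlaps(ip_network(b.value, strict=False))
    return a.value == b.value


@dataclass(frozen=True)
class Intent:
    sources: tuple       # Endpoint selectors
    destinations: tuple
    action: str          # "Allow" for firewall intents, a profile name for SSL proxy intents


def profile_attaches(fw: Intent, ssl: Intent) -> bool:
    """The SSL proxy profile attaches only if some source pair and some destination pair overlap."""
    src_ok = any(overlap(s, t, "source") for s in fw.sources for t in ssl.sources)
    dst_ok = any(overlap(s, t, "destination") for s in fw.destinations for t in ssl.destinations)
    return src_ok and dst_ok


IP_ANY = Endpoint("ip", ANY)
SITES = tuple(Endpoint("site", f"Site {n}") for n in "ABC")
TABLES = {  # the firewall / SSL proxy intent pairs of Tables 1 to 3
    1: (Intent((IP_ANY,), (IP_ANY,), "Allow"),
        Intent((IP_ANY,), (Endpoint("ip", "198.51.100.0"),), "SSL-Profile-1")),
    2: (Intent((IP_ANY,), (Endpoint("department", "Finance"),), "Allow"),
        Intent((IP_ANY,), (IP_ANY,), "SSL-Profile-2")),
    3: (Intent(SITES, SITES, "Allow"), Intent(SITES, SITES, "SSL-Profile-3")),
}
```

Evaluating `profile_attaches` over `TABLES` reproduces the page's outcomes: the profile attaches in Examples 1 and 3 and does not attach in Example 2, because a destination of IP address Any never overlaps an internal department or site.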