SSL Inspection
Secure Socket Layer (SSL) traffic, such as HTTPS (for example, https://www.google.com/), FTPS, POP3S, SMTPS, etc., is encrypted and cannot be inspected by Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion Detection and Prevention (IDP), or Anti-Virus. The Zyxel Device uses SSL Inspection to decrypt SSL traffic, send it to the UTM engines for inspection, then re-encrypt the traffic that passes inspection and forward it to the destination server, such as Google.
Note: Anti-Spam cannot be applied to traffic decrypted by SSL Inspection.
Use the UTM Profile > SSL Inspection > Profile screen (see SSL Inspection Profile) to view SSL Inspection profiles. Click the Add or Edit icon in this screen to configure the CA certificate, action and log in an SSL Inspection profile.
Use the UTM Profile > SSL Inspection > Exclude List screen (see Exclude List Screen) to create a whitelist of destination servers to which traffic is passed through uninspected.
What You Need To Know
Supported Cipher Suites
DES (Data Encryption Standard)
3DES
AES (Advanced Encryption Standard)
SSLv3/TLS1.0 (Transport Layer Security) Support
SSLv3/TLS1.0 is currently supported, with an option to pass or block SSLv2 traffic.
Traffic using TLS1.1 or TLS1.2 (Transport Layer Security) is downgraded to TLS1.0 for SSL Inspection.
Compression is not currently supported.
Client authentication requests are not currently supported.
Finding Out More
See Configuration > Object > Certificate > My Certificates for information on creating certificates on the Zyxel Device.
See Monitor > UTM Statistics > SSL Inspection to get usage data and easily add a destination server to the whitelist of exclusion servers.
See Configuration > Security Policy > Policy Control > Policy to bind an SSL Inspection profile to one or more traffic flows.
Before You Begin
If you don’t want to use the default Zyxel Device certificate, then create a new certificate in Object > Certificate > My Certificates.
Decide which destination servers should receive traffic directly, without inspection. Inspecting an individual’s encrypted session, for example to financial websites, may raise privacy and legal issues, and the rules vary by locale.
SSL Inspection Profile
An SSL Inspection profile is a template with pre-configured certificate, action and log.
Configuration > UTM Profile > SSL Inspection > Profile  
LABEL
Description
Profile Management
 
Add
Click Add to create a new profile.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
#
This is the entry’s index number in the list.
Name
This displays the name of the profile.
Description
This displays the description of the profile.
CA Certificate
This displays the CA certificate being used in this profile.
Reference
This displays the number of times an object reference is used in a profile.
Add / Edit SSL Inspection Profiles
Configuration > UTM Profile > SSL Inspection > Profile > Add / Edit 
LABEL
Description
Name
This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Enter additional information about this SSL Inspection entry. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
CA Certificate
This contains the default certificate and the certificates created in Object > Certificate > My Certificates. Choose the certificate for this profile.
Severity Level
Select a severity level and then use the icons to enable/disable and configure logs and actions for all signatures of that level.
Action for connection with SSL v2
SSL Inspection supports SSLv3 and TLS1.0. Select to pass or block SSLv2 traffic that matches traffic bound to this policy here.
Log
These are the log options for SSLv2 traffic that matches traffic bound to this policy:
no: Select this option to have the Zyxel Device create no log for SSLv2 traffic that matches traffic bound to this policy.
log: Select this option to have the Zyxel Device create a log for SSLv2 traffic that matches traffic bound to this policy.
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for SSLv2 traffic that matches traffic bound to this policy.
Action for Connection with unsupported suite
SSL Inspection supports these cipher suites:
DES
3DES
AES
Select to pass or block unsupported traffic (such as other cipher suites, compressed traffic, client authentication requests, and so on) that matches traffic bound to this policy here.
Log
These are the log options for unsupported traffic that matches traffic bound to this policy:
no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy.
log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy.
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
Excepted Signatures
Use the icons to enable/disable and configure logs and actions for individual signatures that differ from the general settings configured for the severity level to which the signatures belong. Signatures configured in Query View will appear in Group View.
Add
Click this to configure settings for a signature that differ from those of the severity level to which it belongs.
Remove
Select an existing signature exception and then click this to delete the exception.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. These are the log options:
no: Select this option on an individual signature or a complete service group to have the Zyxel Device create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the Zyxel Device create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s).
Action
To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon.
none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the Zyxel Device silently drop a packet that matches the signature(s). Neither sender nor receiver are notified.
reject-sender: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing.
reject-both: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.
#
This is the entry’s index number in the list.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
SID
Type the exact signature ID (identification) number that uniquely identifies a Zyxel Device IDP signature.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the Zyxel Device should take when a packet matches a signature here. To edit this, select an item and use the Action icon.
OK
Click OK to save your settings to the Zyxel Device, and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Exclude List Screen
There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues may vary by locale, so it's important to check with your legal department to make sure that it’s OK to intercept SSL traffic from your Zyxel Device users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude matching sessions to destination servers. This traffic is not intercepted and is passed through uninspected.
 
Configuration > UTM Profile > SSL Inspection > Exclude List 
LABEL
Description
General Settings
 
Enable Logs for Exclude List
Click this to create a log for traffic that bypasses SSL Inspection.
Exclude List Settings
Use this part of the screen to create, edit, or delete items in the SSL Inspection exclusion list.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Exclude List of Certificate Identity
SSL traffic to a server to be excluded from SSL Inspection is identified by its certificate. Identify the certificate in one of the following ways:
Type the Common Name (CN) of the certificate. The common name of a certificate can be created in the Object > Certificate > My Certificates screen.
Type an IPv4 or IPv6 address. For example, type 192.168.1.35, or 2001:7300:3500::1
Type an IPv4/IPv6 in CIDR notation. For example, type 192.168.1.1/24, or 2001:7300:3500::1/64
Type an IPv4/IPv6 address range. For example, type 192.168.1.1-192.168.1.35, or 2001:7300:3500::1-2001:7300:3500::35
Type an email address. For example, type abc@zyxel.com.tw
Type a DNS name or a common name (wildcard char: '*', escape char: '\'). Use up to 127 case-insensitive characters (0-9a-zA-Z`~!@#$%^&*()-_=+[]{}\|;:',.<>/?). ‘*’ can be used as a wildcard to match any string. Use ‘\*’ to indicate a single wildcard character.
Alternatively, to automatically add an entry for existing SSL traffic to a destination server, go to Monitor > UTM Statistics > SSL Inspection > Certificate Cache List, select an item and then click Add to Exclude List. The item will then appear here.
Apply
Click Apply to save your settings to the Zyxel Device.
Reset
Click Reset to return to the profile summary page without saving any changes.
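The entry formats listed above (common or DNS name with ‘*’ wildcard and ‘\’ escape, single IPv4/IPv6 address, CIDR block, address range, e-mail address) are what the device matches a server’s certificate identity against before deciding to pass a session through uninspected. The following is an added example, not code from the Zyxel Device or this guide, that implements a matcher with those semantics so that an administrator can check offline which identities an exclude list would bypass. Assumptions made here: ‘\’ makes the character after it literal (so ‘\*’ matches one actual ‘*’ rather than acting as a wildcard), name matching is case-insensitive and anchored to the whole identity, and a CIDR entry with host bits set (as in the guide’s 192.168.1.1/24 example) means its containing network. The exclude list and identities below are constructed sample data.

```python
import ipaddress
import re

# Constructed sample exclude list in the entry formats the guide describes.
SAMPLE_EXCLUDE_LIST = [
    "*.examplebank.invalid",            # wildcard common/DNS name
    "192.168.1.35",                      # single IPv4 address
    "2001:7300:3500::1/64",              # IPv6 CIDR (host bits set, as in the guide)
    "192.168.1.1-192.168.1.35",          # IPv4 address range
    "abc@zyxel.com.tw",                  # e-mail address
    r"star\*.example.invalid",           # '\*' = literal asterisk (assumption)
]

MAX_NAME_LEN = 127  # limit the guide states for name entries


def _wildcard_to_regex(pattern):
    """Translate a name entry into an anchored, case-insensitive regex.
    '*' matches any string; '\\x' matches the character x literally."""
    if len(pattern) > MAX_NAME_LEN:
        raise ValueError("name entry longer than %d characters" % MAX_NAME_LEN)
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped: literal next char
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_entry(entry):
    """Classify one exclude-list entry as ('range'|'cidr'|'ip'|'name', value)."""
    if "-" in entry:
        lo, _, hi = entry.partition("-")
        try:
            lo_addr, hi_addr = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_addr.version != hi_addr.version or lo_addr > hi_addr:
                raise ValueError("malformed address range: %s" % entry)
            return ("range", (lo_addr, hi_addr))
        except ValueError:
            pass  # not a range; DNS names may legitimately contain '-'
    if "/" in entry:
        try:
            # strict=False: accept host bits, e.g. 192.168.1.1/24 -> 192.168.1.0/24
            return ("cidr", ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        pass
    return ("name", _wildcard_to_regex(entry))


def is_excluded(identity, exclude_list):
    """Return True if a server identity (certificate CN, DNS name, e-mail, or
    IP address) matches any exclude-list entry and would bypass inspection."""
    try:
        addr = ipaddress.ip_address(identity)
    except ValueError:
        addr = None  # a name-type identity
    for entry in exclude_list:
        kind, value = parse_entry(entry)
        if addr is not None:
            if kind == "ip" and addr == value:
                return True
            if kind == "cidr" and addr in value:
                return True
            if kind == "range":
                lo, hi = value
                if addr.version == lo.version and lo <= addr <= hi:
                    return True
        elif kind == "name" and value.match(identity):
            return True
    return False


if __name__ == "__main__":
    # Constructed identities as they might appear in the Certificate Cache List.
    for ident in ["login.examplebank.invalid", "192.168.1.20", "2001:7300:3500::abcd",
                  "www.example.invalid", "star*.example.invalid"]:
        print("%-28s %s" % (ident, "bypass" if is_excluded(ident, SAMPLE_EXCLUDE_LIST) else "inspect"))
```

Because every entry is re-parsed on each lookup, the matcher is deliberately simple; it is meant for reviewing a candidate exclude list, for example to confirm that a broad wildcard such as ‘*’ alone does not quietly exempt all traffic from inspection.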
Certificate Update
Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network.
 
Configuration > UTM Profile > SSL Inspection > Certificate Update 
LABEL
Description
Certificate Information
 
Current Version
This displays the current certificate set version.
Certificate Update
You should have Internet access and have activated SSL Inspection on the Zyxel Device at myZyxel.
Update Now
Click this button to download the latest certificate set from myZyxel and update it on the Zyxel Device.
Auto Update
Select this to automatically have the Zyxel Device update the certificate set when a new one becomes available on myZyxel.
Apply
Click Apply to save your settings to the Zyxel Device.
Reset
Click Reset to return to the profile summary page without saving any changes.