Label | Description |
---|---|
General Settings | |
Server Signed Certificate Key Mode | With SSL inspection, the Zyxel Device acts as a 'man-in-the-middle' between a client and a remote server when the two communicate over an SSL-encrypted session. Every time the client and server send data to each other, the Zyxel Device decrypts the sender's encrypted data, scans the plain data for threats, re-encrypts the data, and then sends the encrypted data to the receiver. • For outgoing sessions from the client to the remote server, the Zyxel Device creates a virtual server to decrypt data and a virtual client to re-encrypt data. • For incoming sessions from the remote server to the client, the Zyxel Device creates a virtual client to decrypt data and a virtual server to re-encrypt data. To perform SSL Inspection for clients using SSL (HTTPS, SSH, SMTP) through the Zyxel Device, the Zyxel Device must check that the server's certificate and its corresponding public key are valid and were issued by a Certificate Authority (CA) listed in the Zyxel Device's list of trusted CAs. According to the selected key mode (RSA 1024, RSA 2048, ECDSA-RSA-1024 or ECDSA-RSA-2048), the Zyxel Device constructs the corresponding self-signed certificate for the virtual server. RSA is a public-key cryptosystem used for data encryption or signing messages. For data encryption, the encryption key is public and the decryption key is private. For signing messages, the signing key is private and the verification key is public. Elliptic Curve Cryptography (ECC) is a public-key cryptosystem based on elliptic curve theory that is more efficient than RSA: ECC provides equivalent security with smaller keys. For example, a 224-bit elliptic curve public key should provide comparable security to a 2048-bit RSA public key. • ECDSA-RSA-1024 indicates support for clients that support both ECDSA-256 and RSA-1024, with ECDSA-256 having higher priority; that is, ECDSA-256 is used by the virtual server if a client supports both ECDSA-256 and RSA-1024. • ECDSA-RSA-2048 indicates support for clients that support both ECDSA-256 and RSA-2048, with ECDSA-256 having higher priority; that is, ECDSA-256 is used by the virtual server if a client supports both ECDSA-256 and RSA-2048. Select a mode that the client's browser, FTP client, or mail client supports. The Zyxel Device will use different keys (cryptosystems) for each client according to the client's support list. For example, suppose there are three clients behind a Zyxel Device with the following key mode support: • Client 1 - RSA-1024 • Client 2 - RSA-2048 and RSA-1024 • Client 3 - ECDSA-256 and RSA-2048. If you set the key mode to ECDSA-RSA-1024, the following will be used for each client: • Client 1 - RSA-1024 • Client 2 - RSA-1024 • Client 3 - ECDSA-256. If you set the key mode to ECDSA-RSA-2048, the following will be used for each client: • Client 1 - sessions will not be processed (pass) by SSL inspection • Client 2 - RSA-2048 • Client 3 - ECDSA-256. |
Profile Management | |
Add | Click Add to create a new profile. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
References | Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update the information on this screen. |
# | This is the entry’s index number in the list. |
Name | This displays the name of the profile. |
Description | This displays the description of the profile. |
CA Certificate | This displays the CA certificate being used in this profile. |
Reference | This displays the number of times an object reference is used in a profile. |
Action | Click this icon to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result. |
Label | Description |
---|---|
Show Filter/Hide Filter | Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters. |
IPv4 / IPv6 Configuration | Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule. |
From / To | Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones. |
IPv4 / IPv6 Source | Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used. • An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7. • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. |
IPv4 / IPv6 Destination | Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used. • An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7. • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. |
Service | View all security policies based on the service object used. |
User | View all security policies based on user or user group object used. |
Schedule | View all security policies based on the schedule object used. |
Priority | This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This is the name of the Security policy. |
From / To | This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN. From any displays all the Security Policies for traffic going to the selected To Zone. To any displays all the Security Policies for traffic coming from the selected From Zone. From any to any displays all of the Security Policies. To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device. |
IPv4 / IPv6 Source | This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies. |
IPv4 / IPv6 Destination | This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies. |
Service | This displays the service object to which this Security Policy applies. |
User | This is the user name or user group name to which this Security Policy applies. |
Schedule | This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled. |
Action | This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject). |
Log | Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above. |
Profile | This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
LABEL | Description |
---|---|
Name | This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: • MyProfile • mYProfile • Mymy12_3-4 These are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 |
Description | Enter additional information about this SSL Inspection entry. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_"). |
CA Certificate | This contains the default certificate and the certificates created in Object > Certificate > My Certificates. Choose the certificate for this profile. |
SSL/TLS version supported minimum | SSL / TLS connections using versions lower than this setting are blocked. |
Log | These are the log options for unsupported traffic that matches traffic bound to this policy: • no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy. • log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy. • log alert: An alert is an emailed log for more serious events that may need more immediate attention. Alerts also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy. |
Action for Connection with unsupported suit | SSL Inspection supports these cipher suites: • DES • 3DES • AES Select to pass or block unsupported traffic (such as other cipher suites, compressed traffic, client authentication requests, and so on) that matches traffic bound to this policy here. |
Log | These are the log options for unsupported traffic that matches traffic bound to this policy: • no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy. • log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy. • log alert: An alert is an emailed log for more serious events that may need more immediate attention. Alerts also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy. |
Action for connection with untrusted cert chain | A certificate chain links the following certificates between the SSL/TLS server and a client; validation of the chain fails if any one of them is not correct: • A certificate owned by a user • The certificate signed by a certification authority • A root certificate. Select to pass, inspect, or block connections with an untrusted certificate chain. |
Log | These are the log options for unsupported traffic that matches traffic bound to this policy: • no: Select this option to have the Zyxel Device create no log for unsupported traffic that matches traffic bound to this policy. • log: Select this option to have the Zyxel Device create a log for unsupported traffic that matches traffic bound to this policy. • log alert: An alert is an emailed log for more serious events that may need more immediate attention. Alerts also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy. |
OK | Click OK to save your settings to the Zyxel Device, and return to the profile summary page. |
Cancel | Click Cancel to return to the profile summary page without saving any changes. |
LABEL | Description |
---|---|
General Settings | |
Enable Logs for Exclude List | Click this to create a log for traffic that bypasses SSL Inspection. |
Exclude List Settings | Use this part of the screen to create, edit, or delete items in the SSL Inspection exclusion list. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This is the entry’s index number in the list. |
Exclude List of Certificate Identity | SSL traffic to a server that is to be excluded from SSL Inspection is identified by the server's certificate. Identify the certificate in one of the following ways: • The Common Name (CN) of the certificate. The common name of the certificate can be created in the Object > Certificate > My Certificates screen. • Type an IPv4 or IPv6 address. For example, type 192.168.1.35, or 2001:7300:3500::1 • Type an IPv4/IPv6 address in CIDR notation. For example, type 192.168.1.1/24, or 2001:7300:3500::1/64 • Type an IPv4/IPv6 address range. For example, type 192.168.1.1-192.168.1.35, or 2001:7300:3500::1-2001:7300:3500::35 • Type an email address. For example, type abc@zyxel.com.tw • Type a DNS name or a common name (wildcard char: '*', escape char: '\'). Use up to 127 case-insensitive characters (0-9a-zA-Z`~!@#$%^&*()-_=+[]{}\|;:',.<>/?). '*' can be used as a wildcard to match any string. Use '\*' to indicate a single wildcard character. Alternatively, to automatically add an entry for existing SSL traffic to a destination server, go to Monitor > Security Statistics > SSL Inspection > Certificate Cache List, select an item and then click Add to Exclude List. The item will then appear here. |
Apply | Click Apply to save your settings to the Zyxel Device. |
Reset | Click Reset to return to the profile summary page without saving any changes. |
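The matching logic for the exclude-list entry kinds described above (single address, CIDR block, address range, e-mail address, and CN/DNS name with the '*' wildcard and '\*' single-character escape), written here as an added Python example; it is not Zyxel's own code, and the exclude-list entries, server addresses and certificate names are constructed for the demo.

```python
import ipaddress
import re

# Constructed exclude list covering each entry kind the Exclude List table
# describes (example values for this demo, not Zyxel defaults).
EXCLUDE_LIST = [
    "192.168.1.35",                # single IPv4 address
    "2001:7300:3500::1/64",        # IPv6 block in CIDR notation
    "192.168.1.1-192.168.1.35",    # IPv4 address range
    "abc@zyxel.com.tw",            # e-mail address carried in the certificate
    "*.example.com",               # DNS name / common name, '*' matches any string
    r"update\*.example.net",       # '\*' matches exactly one character
]


def cn_to_regex(pattern):
    """Translate a CN/DNS pattern: '*' matches any string, '\\*' matches one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):  # escaped character
            out.append("." if pattern[i + 1] == "*" else re.escape(pattern[i + 1]))
            i += 2
        elif pattern[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)  # names are case-insensitive


def entry_matches(entry, server_ip, cert_names):
    """True if one exclude-list entry matches the server IP or one of the certificate's names."""
    ip = ipaddress.ip_address(server_ip)
    try:
        if "-" in entry and "@" not in entry:  # address range written as lo-hi
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            return lo.version == ip.version and lo <= ip <= hi
        if "/" in entry:  # CIDR block
            return ip in ipaddress.ip_network(entry, strict=False)
        return ip == ipaddress.ip_address(entry)  # single address
    except ValueError:
        pass  # not an address form: treat it as a CN, DNS name or e-mail pattern
    regex = cn_to_regex(entry)
    return any(regex.match(name) for name in cert_names)


def exclude_match(server_ip, cert_names, exclude_list=EXCLUDE_LIST):
    """Return the first matching entry (session bypasses inspection) or None (session is inspected)."""
    for entry in exclude_list:
        if entry_matches(entry, server_ip, cert_names):
            return entry
    return None
```

When Enable Logs for Exclude List is on, the entry returned here is the one a practitioner would expect to see named in the bypass log.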
LABEL | Description |
---|---|
Certificate Information | |
Current Version | This displays the current certificate set version. |
Released Date | This field displays the date and time the current certificate set was released. |
Certificate Update | You should have Internet access and have activated SSL Inspection on the Zyxel Device at myZyxel. |
Update Now | Click this button to download the latest certificate set (Windows, Mac OS X, and Android) from myZyxel and update it on the Zyxel Device. |
Auto Update | Select this to automatically have the Zyxel Device update the certificate set when a new one becomes available on myZyxel. |
Apply | Click Apply to save your settings to the Zyxel Device. |
Reset | Click Reset to return to the profile summary page without saving any changes. |