
Use Certificates with HTTPS Proxy Content Inspection

Many websites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your Firebox to decrypt the information and then encrypt it with a certificate signed by a CA that each network client trusts.

For more detailed information about content inspection for the HTTPS Proxy, see HTTPS-Proxy: Content Inspection.

HTTPS Proxy Certificates

When your device scans an HTTPS connection, the HTTPS Proxy intercepts the HTTPS request, and initiates its own connection to the destination HTTPS server. The HTTPS Proxy on your device presents its own resigning certificate to the originating client and connects with the destination HTTPS server on the client's behalf. The resigning certificate can be either the Default Proxy Authority Certificate or an imported CA Certificate.

Default Proxy Authority Certificate

You can use the default self-signed Proxy Authority CA certificate on the Firebox for use with the HTTPS Proxy content inspection features. Your device re-encrypts the content it has inspected with this Proxy Authority self-signed certificate. When you use this default certificate, end users without a copy of this certificate see a warning in their web browser when they connect to a secure website with HTTPS. To avoid these warnings, you can export the Proxy Authority certificate from the Firebox and import the certificate on your client devices.

For information on how to export the default Proxy Authority CA certificate from your device, see Export a Certificate from Your Firebox.

For information on how to import this certificate on your client devices, see Import a Certificate on a Client Device.

A client can also download and install the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.

CA Certificate

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate that is signed by your organization's internal CA to your Firebox. If the CA certificate is not automatically trusted, you must import each previous certificate in the chain of trust for this feature to operate correctly.

Public CA providers will not provide a CA certificate with permission to sign other certificates. As a result, if you attempt to use a certificate signed by a public third-party CA, your users receive a certificate warning in their browsers. We recommend that you use a certificate signed by your own internal CA.

For example, if your organization uses Microsoft Active Directory Certificate services, you can:

You must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it signed by a prominent CA, it cannot be used as a CA certificate. If the remote website uses an expired certificate, or if that certificate is signed by a CA (Certificate Authority) that your device does not recognize, the device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate or simply Invalid Certificate.

Examine Content from External HTTPS Servers

Before you enable this feature, we recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS Proxy with a small number of users to make sure that it operates correctly before you apply the HTTPS Proxy to traffic on a large network.

For more detailed information on how to import certificates to clients, see Import a Certificate on a Client Device.

If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we recommend that you evaluate the content inspection feature carefully. The HTTPS-proxy attempts to examine all traffic on TCP port 443 in the same way. To make sure that other traffic sources operate correctly, we recommend that you add those IP addresses to the Bypass List.
For more information, see HTTPS-Proxy: Content Inspection.

To examine content from external HTTPS servers, from Policy Manager:

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Expand the Proxies category and select the HTTPS-proxy entry. Click Add.
    The New Policy Properties dialog box appears, with the Policy tab selected.
  3. Adjacent to the Proxy action drop-down list, click the View/Edit Proxy button.
    The HTTPS Proxy Action Configuration dialog box appears, with the Content Inspection category selected.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content, or create a new HTTP proxy action to use for this policy.
  6. Select the options for OCSP certificate validation.
  7. In the Bypass List text box, type the IP address of a website for which you do not want to inspect traffic. Click Add.
  8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
  9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
    The Clone Predefined or DVCP-created Object dialog box appears.
  10. In the Name text box, type a name for the proxy action.
    For example, type HTTPS-Client DCI.
  11. Click OK.
  12. Click OK to close the New Policy Properties dialog box.
  13. In the Add Policy dialog box, click Close.

To examine content from external HTTPS servers, from Fireware Web UI, edit an HTTPS proxy action to enable deep content inspection of HTTPS content:

  1. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
    The Edit Proxy Action page appears for the proxy action you selected.
  3. Select the Content Inspection tab.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content.
    For example, HTTP-Client.
  6. Specify the options for OCSP certificate validation.
  7. Click Save.
    If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
  8. In the Name text box, type a new name for the proxy action.
  9. Click OK.
    The new proxy action appears in the Proxies list.

Next, add an HTTPS-proxy policy that uses the proxy action you added.

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Add Firewall Policy page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down list, select HTTPS-proxy and the proxy action you added.
    For example, select HTTPS-Client DCI.
  5. Click Add Policy.
    The Add page appears for the HTTPS-proxy.
  6. Click Save.

When you enable content inspection, the HTTP proxy action WebBlocker settings override the HTTPS proxy WebBlocker settings. If you add IP addresses to the Bypass List, traffic from those sites is filtered with the WebBlocker settings from the HTTPS proxy.

For more information on WebBlocker configuration, see About WebBlocker.

Protect a Private HTTPS Server

For a private HTTPS server on your network, certificate validation is skipped, to provide a better end-user experience. Because validation is skipped, client browsers see the Proxy Server certificate after content inspection is performed.

For additional security, we recommend you import the CA certificate used to sign the HTTPS server certificate, and then import the HTTPS server certificate with its associated private key. If the CA certificate used to sign the HTTPS server certificate is not automatically trusted itself, you must import each trusted certificate in sequence for this feature to operate correctly. After you have imported all of the certificates, configure the HTTPS Proxy.

To protect a private HTTPS server, from Policy Manager:

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Expand the Proxies list and select HTTPS-proxy. Click Add.
    The New Policy Properties dialog box appears with the Policy tab selected.
  3. Adjacent to the Proxy action drop-down list, click the View/Edit Proxy button.
    The HTTPS Proxy Action Configuration dialog box appears, with the Content Inspection category selected.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content, or create a new HTTP proxy action to use for this policy.
  6. Clear the Use OCSP to confirm the validity of certificates check box.
  7. In the Bypass List text box, type the IP address of a website for which you do not want to inspect traffic. Click Add.
  8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
  9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
    The Clone Predefined or DVCP-created Object dialog box appears.
  10. In the Name text box, type a name for the proxy action.
    For example, type HTTPS-Client DCI.
  11. Click OK.
  12. Click OK to close the New Policy Properties dialog box.
  13. In the Add Policy dialog box, click Close.

To protect a private HTTPS server, from Fireware Web UI, edit an HTTPS proxy action to enable deep content inspection of HTTPS content:

  1. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
    The Edit Proxy Action page appears for the proxy action you selected.
  3. Select the Content Inspection tab.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content.
    For example, HTTP-Client.
  6. Clear the Use OCSP to confirm the validity of certificates check box.
  7. In the Bypass List text box, type the IP address of a website for which you do not want to inspect traffic. Click Add.
  8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
  9. Click Save.
    If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
  10. In the Name text box, type a new name for the proxy action.
    For example, type HTTPS-Client DCI.
  11. Click Save.
    The new proxy action appears in the Proxies list.

Next, add an HTTPS Proxy that uses the proxy action you added:

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Select a Policy Type page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down lists, select HTTPS-proxy and the proxy action you added.
    For example, select HTTPS-Client DCI.
  5. Click Add policy.
    The Firewall Policies / Add page appears for the HTTPS-proxy.
  6. Click Save.

For more information, see Manage Device Certificates (Web UI).

Troubleshoot Problems with HTTPS Content Inspection

Your device creates traffic log messages when there is a problem with a certificate used for HTTPS content inspection. We recommend that you check these log messages for more information.

If connections to remote web servers are often interrupted, make sure you have imported all of the certificates necessary to trust the CA certificate used to re-encrypt the HTTPS content, as well as the certificates necessary to trust the certificate from the original web server. You must import all of these certificates on your device and each client device for connections to be successful.

See Also

About Certificates

About the HTTPS-Proxy

Manage Device Certificates (WSM)

Manage Device Certificates (Web UI)
