HTTPS-Proxy: Content Inspection
In the HTTPS proxy action configuration, you can enable content inspection. The HTTPS proxy inspects content only for the domain names and WebBlocker categories you configure for inspection in the Domain Names and WebBlocker proxy action settings.
HTTPS proxy action content inspection configuration in Fireware Web UI
HTTPS proxy action content inspection configuration in Policy Manager
Enable Content Inspection
When you select the Enable Content Inspection check box, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. The HTTPS proxy uses the HTTP proxy action you specify to examine the content. After you enable content inspection, select the domains and WebBlocker categories for the proxy to inspect.
To specify which domains and WebBlocker categories this HTTPS proxy action inspects:
- On the Domain Names tab, in the Domain Names list, add a domain with the Inspect action.
For more information, see HTTPS-Proxy: Domain Names.
- On the WebBlocker tab, in the WebBlocker categories list, select the WebBlocker content categories to inspect, or select the Inspect when a URL is uncategorized check box.
For more information, see HTTPS-Proxy: WebBlocker.
In Fireware OS v11.9.3 and lower, the HTTPS proxy completes content inspection for all sites unless you add the IP address of a site to the Bypass List in the Content Inspection settings.
By default, the Proxy Authority CA certificate used by the HTTPS proxy to encrypt the traffic is generated automatically by your Firebox. When you use this certificate, your users receive a warning in their browsers because it is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate on each client device.
You can also upload your own certificate to use for this purpose. If you choose to upload your own certificate, we recommend you use your own internal CA to sign the certificate. If your users are on your domain, and you use a certificate signed by your own internal CA, users can connect successfully without browser warnings.
A client can download and install the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.
When you enable content inspection, automatic trusted CA certificate updates on the Firebox are enabled, if they were not already enabled.
For information about how to use certificates with content inspection, see Use Certificates with HTTPS Proxy Content Inspection.
For information about how to export a certificate from a Firebox, see Export a Certificate from Your Firebox.
For information about how to import a certificate on a client device, see Import a Certificate on a Client Device.
If the original website or your web server has a self-signed or invalid certificate, or if its certificate was signed by a CA that is not in the trusted CA list on the Firebox (for example, a third-party CA whose root certificate you have not imported), the Firebox cannot validate the original certificate and clients see a certificate warning in their web browsers. Certificates that cannot be correctly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or Fireware HTTPS-proxy: Invalid Certificate, so the warning is passed through to the client rather than hidden by the re-signing.
Some third-party programs keep private copies of necessary certificates and do not use the operating system certificate store, or transmit other types of data over TCP port 443. These programs include:
- Communications software (for example, AOL Instant Messenger and Google Voice)
- Remote desktop and presentation software (for example, LiveMeeting and WebEx)
- Financial and business software (for example, iVantage, FedEx, and UPS)
If these programs do not have a method to import trusted CA certificates, they do not operate correctly when Content Inspection is enabled. Contact your software vendor for information about how the program uses certificates, or exclude its traffic from inspection: in Fireware OS v11.9.3 and lower, add the IP addresses of computers with this software to the Bypass List; in Fireware OS v11.9.4 and higher, add the domains these programs connect to as Domain Names rules with the Allow action. Traffic that bypasses inspection is passed through encrypted and unexamined, so keep these exceptions as narrow as possible.
TLSv1 and SSLv3 are protocols used for HTTPS connections. SSLv3 is an older protocol with known weaknesses and is less secure than TLSv1. By default, the HTTPS proxy allows only connections that negotiate the TLSv1 protocol. If your users must connect to client or server applications that support only SSLv3, you can configure the HTTPS proxy to accept SSLv3 for connections to those sites.
To enable SSLv3, select the Allow SSLv3 check box. This option is disabled by default. Leave it disabled unless a specific application requires it, because it lowers the protection of every connection that negotiates SSLv3.
Select an HTTP proxy action for your Firebox to use when it inspects decrypted HTTPS content.
Use OCSP to confirm the validity of certificates
Select this check box to enable your Firebox to automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your Firebox uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your Firebox disables the certificate.
If you select this option, there can be a delay of several seconds while your Firebox requests a response from the OCSP server. The Firebox keeps between 300 and 3000 OCSP responses in a cache to improve performance for frequently visited websites. The number of responses stored in the cache is determined by your Firebox model.
This option implements a loose OCSP policy (soft-fail). If the Firebox cannot contact the OCSP server for any reason and receives no response, it does not disable the certificate or break the certificate chain. A revoked certificate is therefore still accepted while its responder is unreachable.
If a certificate cannot be validated, the certificate is invalid
When this option is selected, the Firebox enforces a strict OCSP policy (hard-fail). If an OCSP responder does not respond to a revocation status request, the Firebox treats the original certificate as invalid or revoked. This option can cause valid certificates to be treated as invalid when a routing error, a problem with your network connection, or an outage of the OCSP responder prevents a response, so it trades availability for stronger revocation checking.
Perfect Forward Secrecy Ciphers (Fireware OS v11.11.4 and higher)
In Fireware OS v11.11.4 and higher, the HTTPS Proxy supports PFS-capable ciphers for TLS connections. Fireware supports only Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) ciphers for PFS.
To control whether the Firebox uses PFS-capable ciphers, choose one of these options:
- None — The Firebox does not advertise or select PFS-capable ciphers.
- Allowed — The Firebox advertises and selects both PFS-capable and non-PFS-capable ciphers.
- Required — The Firebox advertises and selects only PFS-capable ciphers.
The setting you select applies to both client and server side TLS connections. When this option is set to Allowed, the client does not use a PFS-cipher unless the server also uses one.
Perfect Forward Secrecy Ciphers require significant resources and can impact system performance on Firebox T10, T30, T50, XTM 25, XTM 26, and XTM 33 devices. In Fireware v11.12.1, you cannot enable PFS ciphers for these models.
The cipher name used for client/server TLS sessions appears in the HTTPS content inspection traffic log messages generated by the Firebox. For more information about log messages, see Types of Log Messages.
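As an added example, not WatchGuard code or part of this page, the shell functions below model the three PFS settings over OpenSSL-style cipher suite names, the form in which the negotiated cipher appears in the content inspection log messages. Only ECDHE-* suites count as PFS-capable here because the page states that Fireware uses only ECDHE for PFS; the suite lists, the server-preference selection order, and the treatment of an empty candidate list as a failed handshake are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not WatchGuard code. Models the None / Allowed / Required PFS
# setting with OpenSSL-style cipher suite names, the form in which the cipher
# appears in HTTPS content inspection log messages. Suite lists are constructed.
set -eu

# PFS-capable here means ECDHE key exchange: the page says the Firebox uses only
# ECDHE ciphers for PFS, so DHE-* suites (forward secret in general) are not
# treated as PFS-capable in this model.
is_pfs_cipher() {   # $1 cipher suite name -> exit 0 if PFS-capable
  case "$1" in ECDHE-*) return 0 ;; *) return 1 ;; esac
}

# Suites the Firebox may advertise or select under a setting, from a space-separated list.
pfs_filter() {      # $1 None|Allowed|Required, $2 suite list -> surviving suites
  out=
  for c in $2; do
    case "$1" in
      None)     if ! is_pfs_cipher "$c"; then out="$out $c"; fi ;;
      Allowed)  out="$out $c" ;;
      Required) if is_pfs_cipher "$c"; then out="$out $c"; fi ;;
      *)        echo "unknown PFS setting: $1" >&2; return 2 ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Client-side selection. The page states that under Allowed the client does not
# get a PFS cipher unless the server side negotiated one; taking the first
# survivor of the client's offer (server preference order) is an assumption.
select_client_cipher() {  # $1 setting, $2 suite negotiated with the server, $3 client offer
  candidates=$(pfs_filter "$1" "$3")
  if [ "$1" = Allowed ] && ! is_pfs_cipher "$2"; then
    candidates=$(pfs_filter None "$candidates")
  fi
  set -- $candidates
  if [ $# -eq 0 ]; then echo none; return 1; fi   # nothing acceptable: the handshake fails
  printf '%s\n' "$1"
}

# Constructed offers: a current browser, and a legacy client with no ECDHE suites.
MODERN='ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA'
LEGACY='AES256-SHA AES128-SHA DES-CBC3-SHA'

for setting in None Allowed Required; do
  printf '%-8s advertised: %s\n' "$setting" "$(pfs_filter "$setting" "$MODERN")"
done
printf 'Allowed, server used AES128-SHA                  -> client gets %s\n' \
  "$(select_client_cipher Allowed AES128-SHA "$MODERN")"
printf 'Allowed, server used ECDHE-RSA-AES128-GCM-SHA256 -> client gets %s\n' \
  "$(select_client_cipher Allowed ECDHE-RSA-AES128-GCM-SHA256 "$MODERN")"
printf 'Required, legacy client without ECDHE            -> client gets %s\n' \
  "$(select_client_cipher Required ECDHE-RSA-AES128-GCM-SHA256 "$LEGACY" || true)"
```

The last line is the operational caveat behind Required: a client that offers no ECDHE suite cannot connect at all, whereas Allowed lets it connect without forward secrecy. Checking the cipher names in the content inspection log messages against is_pfs_cipher shows which sessions actually negotiated a PFS-capable suite.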
Google Apps Allowed Domains (Fireware OS v11.11 and higher)
In Fireware OS v11.11 and higher, you can use the HTTPS proxy (with content inspection enabled) to block user access to personal Google services. For more information, see Restrict Google Apps to Allowed Domains.
Bypass List (Fireware OS v11.9.3 and lower)
In Fireware OS v11.9.3 and lower, the Firebox does not inspect content sent to or from IP addresses in this list. To add a website or host name, type its IP address in the text box and click Add. Because a website can use multiple or changing IP addresses, an IP address entry can leave some of that site's traffic inspected and can also exempt other sites that share the address.
In Fireware OS v11.9.4 and higher, you must configure Domain Names rules with the Allow action to bypass Content Inspection. For more information, see HTTPS-Proxy: Domain Names.
To quickly find the IP address for a website or host name:
- Click DNS Lookup.
- Type the domain name or host name and click Lookup.
If the domain name or host name is valid, the valid IP addresses appear.
- Select the check box for each IP address to add.
- Click OK.