Use Certificates with HTTPS Proxy Content Inspection

Many websites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your Firebox to decrypt the information and then encrypt it with a certificate signed by a CA that each network client trusts.

For more detailed information about content inspection for the HTTPS Proxy, see HTTPS-Proxy: Content Inspection.

HTTPS Proxy Certificates

When your Firebox scans an HTTPS connection, the HTTPS Proxy intercepts the HTTPS request and initiates its own connection to the destination HTTPS server on the client's behalf. After the Firebox receives a reply and a copy of the remote server certificate from the destination HTTPS server, the Firebox presents its own resigning certificate to the originating client. The CN, SAN, and other values are maintained for identity validation. The resigning certificate can be either the Default Proxy Authority Certificate or an imported CA Certificate.

Default Proxy Authority Certificate

You can use the default self-signed Proxy Authority CA certificate on the Firebox with the HTTPS Proxy content inspection features. Your device re-encrypts the content it has inspected with this self-signed Proxy Authority certificate. When you use this default certificate, end users without a copy of this certificate see a warning in their web browser when they connect to a secure website with HTTPS. To avoid these warnings, you can export the Proxy Authority certificate from the Firebox and import the certificate on your client devices.

For information on how to export the default Proxy Authority CA certificate from your device, see Export a Certificate from Your Firebox.

For information on how to import this certificate on your client devices, see Import a Certificate on a Client Device.

A client can also download and install the root CA certificate that signed the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.

CA Certificate

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate that is signed by your organization's internal CA to your Firebox. If the CA certificate is not automatically trusted, you must import each certificate above it in the chain of trust (the intermediate and root CA certificates) for this feature to operate correctly.

Public CA providers do not issue a CA certificate with permission to sign other certificates. We recommend that you use a certificate signed by your own internal CA.

For example, if your organization uses Microsoft Active Directory Certificate Services, you can:

You must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it signed by a prominent CA (Certificate Authority), it cannot be used as a CA certificate. If the remote website uses an expired certificate, or if that certificate is signed by a CA that your device does not recognize, the device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate or simply Invalid Certificate.

Examine Content from External HTTPS Servers

Before you enable this feature, we recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS Proxy with a small number of users to make sure that it operates correctly before you apply the HTTPS Proxy to traffic on a large network.

For more detailed information on how to import certificates to clients, see Import a Certificate on a Client Device.

If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we recommend that you evaluate the content inspection feature carefully. To make sure that other traffic sources operate correctly, we recommend that you add domain name rules with the Allow action to bypass inspection for those IP addresses. For more information, see HTTPS-Proxy: Domain Name Rules.

In Fireware v12.1 or lower, you must enable content inspection in the HTTPS proxy before you can select the Inspect action. For more information, see HTTPS-Proxy: Content Inspection.

When you select the Inspect action in the HTTPS proxy action, you select an HTTP proxy action to use for inspection. You can select the Inspect action in domain name rules and you can enable inspection of allowed WebBlocker categories in the HTTPS proxy action.

For more information about Domain Name Rules in the HTTPS proxy, see HTTPS-Proxy: Domain Name Rules.

For more information about WebBlocker configuration in the HTTPS proxy, see HTTPS-Proxy: WebBlocker.

Protect a Private HTTPS Server

To provide a better end-user experience, the HTTPS proxy does not do certificate validation for inbound requests to a private HTTPS server on your network. Client browsers see the configured Proxy Server certificate after content inspection is performed.

For additional security, we recommend that you import the CA certificate used to sign the HTTPS server certificate, and then import the HTTPS server certificate with its associated private key. If the CA certificate used to sign the HTTPS server certificate is not itself automatically trusted, you must import each certificate in the chain of trust in sequence for this feature to operate correctly. After you have imported all of the certificates, configure the HTTPS Proxy.

In Fireware v12.2 and higher, when you configure Domain Name rules for content inspection in the inbound HTTPS Proxy, you can choose the proxy server certificate to use for that domain or use the default Proxy Server certificate. This enables you to host several different public-facing web servers and applications behind one Firebox and allow different applications to use different certificates for inbound HTTPS traffic.

Troubleshoot Problems with HTTPS Content Inspection

Your device creates traffic log messages when there is a problem with a certificate used for HTTPS content inspection. We recommend that you check these log messages for more information.

If connections to remote web servers are often interrupted, make sure you have:

  • Imported all the certificates necessary to trust the CA certificate used to re-encrypt the HTTPS content
  • Imported the certificates necessary to trust the certificate from the original web server

You must import all these certificates on your device and each client device for connections to be successful.
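The example below is added here to illustrate three points from this page in runnable form; it is not WatchGuard code and does not use any Firebox API. It models the resigning step described under HTTPS Proxy Certificates (the subject CN and SAN of the remote server certificate are copied onto a certificate signed by the Proxy Authority), the requirement that the resigning certificate must be a CA certificate able to sign other certificates (a CSR-based leaf certificate fails this check), and the troubleshooting step above: walking the issuer chain against the set of CA certificates a client has imported and reporting the first certificate that is missing. It uses the third-party cryptography package, and every CA name, host name and certificate is constructed for the demo.

```python
"""Added example (not WatchGuard code): model HTTPS Proxy resigning and the
trust checks from the troubleshooting section with the `cryptography` package.
All certificate names below are constructed for the demonstration."""
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
ONE_YEAR = datetime.timedelta(days=365)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cert=None, issuer_key=None, ca=False, sans=()):
    """Build a test certificate. With no issuer it is self-signed. `ca=True`
    sets basicConstraints CA:TRUE and keyCertSign, which a resigning CA needs."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_key = issuer_key or key
    issuer_name = issuer_cert.subject if issuer_cert else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(minutes=5))
        .not_valid_after(NOW + ONE_YEAR)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False,
            key_encipherment=not ca, data_encipherment=False, key_agreement=False,
            key_cert_sign=ca, crl_sign=ca, encipher_only=False, decipher_only=False),
            critical=True)
    )
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256()), key


def can_resign(cert):
    """A resigning certificate must be a CA certificate: CA:TRUE plus keyCertSign.
    A leaf certificate obtained from a CSR signed by a public CA has neither."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return bool(bc.ca and ku.key_cert_sign)


def resign(server_cert, proxy_ca_cert, proxy_ca_key):
    """Model of the proxy's client-side certificate: keep the remote server's
    subject (CN) and SAN so identity validation still works, sign with the
    Proxy Authority key. The client must therefore trust the Proxy Authority."""
    if not can_resign(proxy_ca_cert):
        raise ValueError("resigning certificate is not a CA certificate")
    key = ec.generate_private_key(ec.SECP256R1())
    builder = (
        x509.CertificateBuilder()
        .subject_name(server_cert.subject)
        .issuer_name(proxy_ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(minutes=5))
        .not_valid_after(NOW + ONE_YEAR)
    )
    try:
        san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(proxy_ca_key, hashes.SHA256())


def missing_link(leaf, store):
    """Walk issuer -> subject through `store` (the CA certificates imported on
    the device or client). Return None when the chain ends at a self-signed
    root in the store; otherwise return the issuer name that is missing and
    therefore still has to be imported. Each signature is checked on the way."""
    by_subject = {c.subject: c for c in store}
    cert = leaf
    for _ in range(len(store) + 1):
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return cert.issuer.rfc4514_string()
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        if issuer.subject == issuer.issuer:  # reached a self-signed root
            return None
        cert = issuer
    return cert.issuer.rfc4514_string()


def demo():
    """Constructed PKI: root -> issuing CA -> Proxy Authority, plus a remote
    site certificate and a plain leaf certificate, all names made up."""
    root, root_key = make_cert("Example Internal Root CA", ca=True)
    issuing, issuing_key = make_cert("Example Issuing CA", root, root_key, ca=True)
    proxy_ca, proxy_key = make_cert("Example Proxy Authority", issuing, issuing_key, ca=True)
    site, _ = make_cert("www.example.com", root, root_key,
                        sans=["www.example.com", "example.com"])
    leaf, _ = make_cert("firebox.example.com", root, root_key)  # CSR-style leaf
    resigned = resign(site, proxy_ca, proxy_key)
    try:
        resign(site, leaf, root_key)
        leaf_rejected = False
    except ValueError:
        leaf_rejected = True
    san = resigned.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "proxy_ca_can_resign": can_resign(proxy_ca),
        "leaf_can_resign": can_resign(leaf),
        "leaf_rejected_as_resigner": leaf_rejected,
        "resigned_keeps_cn": resigned.subject == site.subject,
        "resigned_keeps_san": san.get_values_for_type(x509.DNSName)
                              == ["www.example.com", "example.com"],
        # client imported the root and the Proxy Authority but not the issuing CA
        "client_missing": missing_link(resigned, [root, proxy_ca]),
        # client imported the whole chain
        "client_complete": missing_link(resigned, [root, issuing, proxy_ca]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `missing_link` walk is the check to run when connections are interrupted: it names the first certificate in the chain that the client (or the Firebox) does not have, which is the one to import next, and it stops only at a self-signed root that is actually in the store.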

See Also

About Certificates

About the HTTPS-Proxy

Manage Device Certificates (WSM)

Manage Device Certificates (Web UI)
