Configure TLS Profiles

Transport Layer Security (TLS) profiles define a set of security settings that can be used for content inspection by proxy actions that support TLS. For more information about TLS, go to About Transport Layer Security (TLS).

Policies that support TLS profiles are:

IMAP-proxy (supported in Fireware v12.1 or higher)
HTTPS-proxy (supported in Fireware v12.1.1 or higher)
POP3-proxy (supported in Fireware v12.2 or higher)
SMTP-proxy (supported in Fireware v12.2 or higher)

In the TLS Profiles configuration, you can configure TLS profile settings, and assign TLS profiles to proxy actions.

TLS Profile Settings

In a TLS profile you can configure these settings:

Minimum Protocol Version

The TLS proxies support four TLS encryption protocol versions for secure connections. From least secure to most secure these are: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. The TLS profile allows connections that negotiate at least the Minimum Protocol Version specified. The options available for Minimum Protocol Version are TLSv1.0, TLSv1.1, and TLSv1.2. The predefined TLS profiles specify a Minimum Protocol Version of TLS v1.0. To meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), set the Minimum Protocol Version to TLS v1.1.

The SSLv3 protocol is not secure, and it is not supported in Fireware 12.4 and higher.

In Fireware 12.3.1 and lower, you can select SSLv3 as the Minimum Protocol Version. We recommend you do not allow SSLv3 unless it is required for backward compatibility with legacy systems on internal networks.
In Fireware 12.4 and higher, you cannot select SSLv3 as the Minimum Protocol Version. When a client specifies SSLv3 protocol, proxies deny the connection immediately and do not allow negotiation to a different protocol.

In Fireware v12.1.x, this setting is called Allow SSLv3 and is disabled by default. With Allow SSLv3 disabled, the TLS profile allows only connections that negotiate the TLS v1.0 protocol or higher.

Allow only TLS-compliant traffic

When this option is enabled, the TLS profile allows only traffic that is compliant with the TLS 1.0, TLS 1.1, TLS 1.2, or TLS 1.3 protocols (if the protocol is not lower than the Minimum Protocol Version). Only TLS protocol messages that adhere to TLS standards are considered secure and can be interpreted by the proxy. When a proxy action uses a TLS profile that allows only TLS-compliant traffic, the TLS-compliant traffic establishes a secure tunnel. If tunneled traffic does not use a valid TLS protocol, the proxy action used for inspection prompts the Firebox to send a log message about the errors and drop the traffic.

If you enable this option, it primarily enforces HTTPS traffic. As web browsers typically use HTTPS, many client applications could fail to connect to the cloud.

When this option is disabled, the TLS profile allows traffic that is not compliant with the TLS protocols through the proxy without further processing.

Use OCSP to validate certificates

This option enables your Firebox to automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your Firebox uses information in the certificate to contact an OCSP server that has a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your Firebox disables the certificate. This option applies only to client proxy actions. Server proxy actions do not validate certificates.

If you enable this option, there can be a delay of several seconds while your Firebox requests a response from the OCSP server. The Firebox retains between 300 and 3000 OCSP responses in a cache to improve performance for frequently visited sites. The number of responses stored in the cache is determined by your Firebox model.

If a certificate cannot be validated, the certificate is considered invalid

This option applies only when OCSP validation is enabled, and controls whether OCSP validation is Lenient or Strict.

When this option is disabled, the Firebox enforces a Lenient OCSP policy. If the OCSP server cannot be contacted for any reason and does not send a response, the Firebox does not disable the certificate or break the certificate chain. Only revoked certificates are considered invalid.
When this option is enabled, the Firebox enforces a Strict OCSP policy. If an OCSP responder does not send a response to a revocation status request, your Firebox considers the original certificate as invalid or revoked. This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection. Only certificates with a good response indicator are considered valid.

Enable AIA fetching (HTTPS proxy only) (Fireware v12.10 and higher)

This option enables Authority Information Access (AIA) fetching certificate validation for HTTPS-Client proxy actions. AIA is an extension in SSL certificates that helps fetch intermediate certificates from the certificate issuer, which creates a more secure browsing experience and avoids certificate errors.

AIA fetching is enabled by default in all existing and new TLS profiles in Fireware v12.10 and higher.

Only HTTPS-Client proxy actions use AIA fetching.

Perfect Forward Secrecy Ciphers

TLS actions support PFS-capable ciphers for TLS connections. Fireware supports only Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) ciphers for PFS.

To control whether the Firebox uses PFS-capable ciphers, choose one of these options:

None — The Firebox does not advertise or select PFS-capable ciphers.
Allowed — The Firebox advertises and selects both PFS-capable and non-PFS-capable ciphers.
Required — The Firebox advertises and selects only PFS-capable ciphers.

The setting you select applies to both client and server side TLS connections. When this option is set to Allowed, the client does not use a PFS-cipher unless the server also uses one.

TLS 1.3 connections always use PFS-capable ciphers. When this option is set to None, connections cannot use TLS 1.3 for proxy content inspection negotiation. TLS v1.2 and below can be negotiated based on client/server support and the Minimum Protocol Version in the TLS profile.

To make sure that your users can connect over HTTPS to websites that require TLS v1.3, we recommend that you do not set this option to None in your TLS Profiles.

Perfect Forward Secrecy Ciphers require significant resources and can impact system performance on Firebox T10, T15, T30, T35, and T50 devices. In Fireware 12.1.2 and lower, you cannot enable PFS ciphers for these models.

The cipher name used for client/server TLS sessions appears in the content inspection traffic log messages generated by the Firebox. For more information about log messages, go to Types of Log Messages.

Predefined TLS Profiles

There are four predefined TLS profiles. This table summarizes the differences in the settings for each predefined TLS profile, and the proxy actions that can use each profile.

TLS Profile	OCSP	TLS Compliance	Used By Proxy Actions
TLS-Client.Standard	Disabled	Not enforced	IMAP-Client.Standard POP3-Client.Standard SMTP-Outgoing.Standard
TLS-Server.Standard	N/A	Enforced	IMAP-Server.Standard POP3-Server.Standard SMTP-Incoming.Standard
TLS-Client-HTTPS.Standard	Lenient	Not enforced	HTTPS-Client.Standard
TLS-Server-HTTPS.Standard	N/A	Not enforced	HTTPS-Server.Standard

Manage TLS Profiles

From the TLS Profiles page you can clone and edit TLS profiles. You can also select which TLS profile is used for each proxy action.

Clone or Edit a TLS Profile

You cannot edit predefined TLS profiles. To add a new TLS profile you must clone an existing profile.

You can also clone or edit the TLS profile when you configure content inspection or TLS settings in the proxy action.

Configure TLS Profiles for Proxy Policies

By default, the proxy actions that support TLS profiles use predefined TLS profiles. To change the TLS profile used by a proxy action, you can edit the proxy action, or you can change the TLS profile assigned from the Policies list in the TLS Profiles configuration.

For proxy actions that support both implicit and explicit TLS, you can select separate TLS profiles to use for implicit TLS and explicit TLS (also known as STARTTLS). For more information about implicit and explicit TLS, see About Transport Layer Security (TLS).

You cannot change the TLS profile assigned to a predefined proxy action. You must first clone a proxy action. For more information, go to About Proxy Actions.

Enable Content Inspection in the Proxy Action

For a proxy action to use the assigned TLS profile for content inspection, you must select the Inspect action in the proxy action settings.

For information about how to select the TLS profile and configure content inspection in proxy actions, go to: