Download the Certificate for TLS Decryption

Applies To: Cloud-managed Fireboxes

When you select Decrypt HTTPS Traffic in the Traffic Types settings of an Outbound firewall policy, you enable TLS decryption of outbound traffic. The Firebox decrypts HTTPS connections and scans the content with the enabled security services. The Firebox uses a self-signed certificate to re-encrypt traffic. To avoid certificate warnings, you must distribute the certificate from the Firebox to clients on your network.

The certificate is not available in WatchGuard Cloud until after the first time the Firebox connects.

Download the Certificate from WatchGuard Cloud

To download the certificate for TLS decryption from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select a cloud-managed Firebox.
    Status and settings for the selected Firebox appear.
  3. Select Device Configuration.
    The Device Configuration page opens and shows the WatchGuard Cloud Security Services.

Screen shot of WatchGuard Cloud Configure Security Services (cloud-managed)

  4. Click the TLS Decryption tile.
    The TLS Decryption page opens.

Screen shot of the TLS Decryption page

  5. To view the certificate details, click View Certificate.
  6. To download the certificate, click Download the certificate to distribute it to clients on your network.
  7. Distribute the certificate to clients on your network.
  8. To select a proxy authority certificate stored in WatchGuard Cloud, click Select Certificate.
    The Select Certificate page opens.

Screen shot of the Select Certificate page for TLS Decryption

  9. In the Proxy Authority Certificate drop-down list, select the certificate you want to use for TLS decryption.
  10. Click Save.

Download the Certificate from the Firebox Certificate Portal

Clients connected to a Firebox internal network can connect to the Firebox Certificate Portal to download the certificate.

To connect to the Certificate Portal and download the certificate, the client can open a web browser and go to http://<Firebox IP address>:4126/certportal.

Screenshot of the Certificate Portal page

To download and install the certificate:

  1. Open a web browser and go to http://<Firebox IP address>:4126/certportal.
  2. Click Download.
    The certificate downloads to your computer.
  3. After you download the file, double-click the file and follow the instructions to install the certificate. You must specify the Trusted Root Certification Authorities store as the location for the certificate during this process.

Import the Firebox Certificate to Network Clients

After you download the certificate, you can install it on your network clients. To distribute the certificate, you can import the certificate on each individual client device, or use group policies with Microsoft Active Directory to automatically install the certificate for all clients.
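The following PowerShell script is an added example for a Windows client, not WatchGuard's own code. It assumes the certificate downloaded from the Certificate Portal was saved as C:\Temp\firebox-ca.cer (hypothetical path and file name) and that outbound HTTPS from this client passes through the Firebox; example.com is a hypothetical test host. It checks that the file really is a self-signed CA certificate before trusting it, records the thumbprint so it can be compared with the View Certificate details in WatchGuard Cloud, imports it into the Trusted Root Certification Authorities store, and then confirms that an outbound connection is in fact being re-encrypted by the Firebox.

```powershell
# Added example (not WatchGuard's code). Paths and host name are assumptions.
param(
    [string]$CertPath = 'C:\Temp\firebox-ca.cer',   # hypothetical location of the downloaded certificate
    [string]$TestHost = 'example.com'               # hypothetical site reached through the Firebox
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Check the file before it is trusted: the Firebox proxy authority is a self-signed CA certificate,
#    so the subject must equal the issuer and basicConstraints must say CA:TRUE.
$isSelfSigned = ($ca.Subject -eq $ca.Issuer)
$bc = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = ($null -ne $bc -and $bc.CertificateAuthority)
if (-not ($isSelfSigned -and $isCa)) {
    throw "$CertPath is not a self-signed CA certificate; do not distribute it."
}
Write-Host "Firebox CA subject : $($ca.Subject)"
Write-Host "SHA-1 thumbprint   : $($ca.Thumbprint)   (compare with View Certificate in WatchGuard Cloud)"
Write-Host "Validity           : $($ca.NotBefore) to $($ca.NotAfter)"

# 2. Install into the machine-wide Trusted Root store (run from an elevated prompt).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Confirm decryption is in effect: the leaf certificate presented for an outside host
#    should be issued by the Firebox CA, not by the site's public CA.
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]  # issuer is checked manually below
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($TestHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

if ($leaf.Issuer -eq $ca.Subject) {
    Write-Host "$TestHost is being decrypted by the Firebox (issuer matches the Firebox CA)."
} else {
    Write-Warning ("$TestHost presented a certificate issued by '$($leaf.Issuer)'. " +
        "Either the host is covered by an HTTPS decryption exception, or a different device is intercepting the connection.")
}
```

A mismatch in step 3 for a host that is not on the exception list is worth investigating, since it means something other than the Firebox is terminating TLS for that client.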

For more information, see Import a Certificate on a Client Device.

Related Topics

Configure Traffic Types in a Firewall Policy

Manage HTTPS Decryption Exceptions