Use Certificates with HTTPS Proxy Content Inspection

Many web sites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your Firebox or XTM device to decrypt the information and then encrypt it with a certificate signed by a CA that each network client trusts.

For more detailed information about content inspection for the HTTPS Proxy, see HTTPS-Proxy: Content Inspection.

HTTPS Proxy Certificates

When your device scans an HTTPS connection, the HTTPS Proxy intercepts the HTTPS request, and initiates its own connection to the destination HTTPS server. The HTTPS Proxy on your device presents its own resigning certificate to the originating client and connects with the destination HTTPS server on the client's behalf. The resigning certificate can be either the Default Proxy Authority Certificate or an imported CA Certificate.

Default Proxy Authority Certificate

You can use the default self-signed Proxy Authority CA certificate on the Firebox or XTM device for use with the HTTPS Proxy content inspection features. Your device re-encrypts the content it has inspected with this Proxy Authority self-signed certificate. When you use this default certificate, end users without a copy of this certificate see a warning in their web browser when they connect to a secure web site with HTTPS. To avoid these warnings, you can export the Proxy Authority certificate from the XTM device and import the certificate on your client devices.

For information on how to export the default Proxy Authority CA certificate from your device, see Export a Certificate from Your Device.

For information on how to import this certificate on your client devices, see Import a Certificate on a Client Device.

CA Certificate

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate that is signed by your organization's internal CA to your Firebox or XTM device. If the CA certificate is not automatically trusted, you must import each previous certificate in the chain of trust for this feature to operate correctly.

Public CA providers will not provide a CA certificate with permission to sign other certificates. As a result, if you attempt to use a certificate signed by a public third-party CA, your users receive a certificate warning in their browsers. We recommend that you use a certificate signed by your own internal CA.

For example, if your organization uses Microsoft Active Directory Certificate services, you can:

You must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it signed by a prominent CA, it cannot be used as a CA certificate. If the remote web site uses an expired certificate, or if that certificate is signed by a CA (Certificate Authority) that your device does not recognize, the device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate or simply Invalid Certificate.

Examine Content from External HTTPS Servers

Before you enable this feature, we recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS Proxy with a small number of users to make sure that it operates correctly before you apply the HTTPS Proxy to traffic on a large network.

For more detailed information on how to import certificates to clients, see Import a Certificate on a Client Device.

If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we recommend that you evaluate the content inspection feature carefully. The HTTPS-proxy attempts to examine all traffic on TCP port 443 in the same way. To make sure that other traffic sources operate correctly, we recommend that you add those IP addresses to the Bypass List.

For more information, see HTTPS-Proxy: Content Inspection.

First, edit an HTTPS proxy action to enable deep content inspection of HTTPS content.

From Fireware XTM Web UI:

  1. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
    The Edit Proxy Action page appears for the proxy action you selected.
  3. Select the Content Inspection tab.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content.
    For example, HTTP-Client.
  6. Specify the options for OCSP certificate validation.
  7. Click Save.
    If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
  8. In the Name text box, type a new name for the proxy action.
  9. Click OK.
    The new proxy action appears in the Proxies list.

Next, add an HTTPS-proxy policy that uses the proxy action you added.

From Fireware XTM Web UI:

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Add Firewall Policy page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down list, select HTTPS-proxy and the proxy action you added.
    For example, select HTTPS-Client DCI.
  5. Click Add Policy.
    The Add page appears for the HTTPS-proxy.
  6. Click Save.

When you enable content inspection, the HTTP proxy action WebBlocker settings override the HTTPS proxy WebBlocker settings. If you add IP addresses to the Bypass List, traffic from those sites is filtered with the WebBlocker settings from the HTTPS proxy.

For more information on WebBlocker configuration, see About WebBlocker.

Protect a Private HTTPS Server

For a private HTTPS server on your network, certificate validation is not performed, which gives end users a better experience. Because validation is skipped, client browsers see the Proxy Server certificate after content inspection is performed.

For additional security, we recommend you import the CA certificate used to sign the HTTPS server certificate, and then import the HTTPS server certificate with its associated private key. If the CA certificate used to sign the HTTPS server certificate is not automatically trusted itself, you must import each trusted certificate in sequence for this feature to operate correctly. After you have imported all of the certificates, configure the HTTPS Proxy.

First, edit an HTTPS proxy action to enable deep content inspection of HTTPS content.

From Fireware XTM Web UI:

  1. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
    The Edit Proxy Action page appears for the proxy action you selected.
  3. Select the Content Inspection tab.
  4. Select the Enable deep inspection of HTTPS content check box.
  5. From the Proxy Action drop-down list, select the HTTP proxy action to use to inspect HTTPS content.
    For example, HTTP-Client.
  6. Clear the Use OCSP to confirm the validity of certificates check box.
  7. In the Bypass List text box, type the IP address of a web site for which you do not want to inspect traffic. Click Add.
  8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
  9. Click Save.
    If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
  10. In the Name text box, type a new name for the proxy action.
    For example, type HTTPS-Client DCI.
  11. Click Save.
    The new proxy action appears in the Proxies list.

Next, add an HTTPS Proxy that uses the proxy action you added.

From Fireware XTM Web UI:

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Select a Policy Type page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down lists, select HTTPS-proxy and the proxy action you added.
    For example, select HTTPS-Client DCI.
  5. Click Add policy.
    The Firewall Policies / Add page appears for the HTTPS-proxy.
  6. Click Save.

For more information, see Manage XTM Device Certificates.

Troubleshoot Problems with HTTPS Content Inspection

Your device creates traffic log messages when there is a problem with a certificate used for HTTPS content inspection. We recommend that you check these log messages for more information.

If connections to remote web servers are often interrupted, make sure you have imported all of the certificates necessary to trust the CA certificate used to re-encrypt the HTTPS content, as well as the certificates necessary to trust the certificate from the original web server. You must import all of these certificates on your device and each client device for connections to be successful.
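The trust relationships described above can be reproduced locally with OpenSSL. The script below is an added example and is not WatchGuard code or part of Fireware; it builds a constructed PKI (a stand-in "public" CA that signs the origin server certificate, and an internal root CA plus issuing CA that sign the certificate the HTTPS Proxy would present) and then checks the two points made on this page: a certificate signed by a public CA cannot act as the resigning CA (no CA:TRUE / keyCertSign), and a client only accepts the resigned certificate when every certificate in the chain, including the intermediate, has been made available to it. All CA names, the host name www.example.test and the file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not WatchGuard code: reproduce the trust relationships this page
# describes with OpenSSL. Every CA, host name and file path below is constructed
# for the demo; "www.example.test" stands in for any remote HTTPS site.

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config with a CA profile (may sign certificates, as a
# resigning certificate must) and a leaf profile (may not).
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Self-signed root CA: $1 = file stem, $2 = CN
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate issued by an existing CA: $1 = stem, $2 = CN, $3 = issuer stem,
# $4 = extension profile (v3_ca for an intermediate, v3_leaf for a server)
make_signed() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# Builds (once) the chains the page talks about:
#   public-ca  -> origin      : what the real web server presents
#   root-ca    -> issuing-ca  : the organisation's internal PKI
#   issuing-ca -> resigned    : what the HTTPS Proxy presents to the client
build_pki() {
  [ -f "$WORK/resigned.pem" ] && return 0
  write_config &&
  make_root public-ca "Constructed Public CA" &&
  make_root root-ca "Constructed Internal Root CA" &&
  make_signed issuing-ca "Constructed Internal Issuing CA" root-ca v3_ca &&
  make_signed origin www.example.test public-ca v3_leaf &&
  make_signed resigned www.example.test issuing-ca v3_leaf
}

# Returns 0 only if the certificate may sign other certificates (CA:TRUE plus
# the keyCertSign key usage), which is what a resigning certificate needs.
can_resign() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
  printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Returns 0 if a client whose trust store is $1 accepts certificate $2; $3
# optionally names an intermediate the client has been given as well.
client_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

report() { if "$@"; then echo "yes"; else echo "no"; fi; }

demo() {
  build_pki || { echo "could not build demo PKI" >&2; return 1; }
  echo "issuing-ca usable as resigning CA?            $(report can_resign "$WORK/issuing-ca.pem")"
  echo "public-CA-signed leaf usable as resigning CA? $(report can_resign "$WORK/origin.pem")"
  echo "client trusting only the public CA accepts resigned cert? $(report client_trusts "$WORK/public-ca.pem" "$WORK/resigned.pem")"
  echo "client with internal root only accepts resigned cert?     $(report client_trusts "$WORK/root-ca.pem" "$WORK/resigned.pem")"
  echo "client with root + intermediate accepts resigned cert?    $(report client_trusts "$WORK/root-ca.pem" "$WORK/resigned.pem" "$WORK/issuing-ca.pem")"
}

demo
```

The last two lines of output are the troubleshooting case: a client that has the internal root but not the issuing CA rejects the resigned certificate exactly as a browser does when a chain certificate was not imported, and the same client accepts it once the intermediate is supplied, which is why every certificate in the chain must be imported on the device and on each client.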

See Also

About Certificates

About the HTTPS-Proxy

Manage XTM Device Certificates
