HTTPS-Proxy: Content Inspection

You can enable and configure deep inspection of HTTPS content on the HTTPS Proxy Action Configuration Content Inspection tab.

Screen shot of the HTTPS proxy action Content Inspection settings

Enable deep inspection of HTTPS content

When this check box is selected, the Firebox or XTM device can decrypt HTTPS traffic, encrypt the traffic again with a new certificate, and examine the content. The content is examined by the HTTP-proxy policy that you choose on this page.

By default, the Proxy Authority CA certificate used by the HTTPS Proxy to encrypt the traffic is generated automatically by your device. When you use this certificate, your users receive a warning in their browsers because it is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate on each client device.

You can also upload your own certificate to use for this purpose. If you choose to upload your own certificate, we recommend you use your own internal CA to sign the certificate. If your users are on your domain, and you use a certificate signed by your own internal CA, users can connect successfully without browser warnings.

For information about how to use certificates with content inspection, see Use Certificates with HTTPS Proxy Content Inspection.

For information about how to export a certificate from a Firebox or XTM device, see Export a Certificate from Your Device.

For information about how to import a certificate on a client device, see Import a Certificate on a Client Device.

If the original website or your web server has a self-signed or invalid certificate, or if the certificate was signed by a CA the Firebox or XTM device does not recognize (such as a public third-party CA), clients are presented with a browser certificate warning. Certificates that cannot be correctly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or simply Invalid Certificate.

Some third-party programs keep private copies of necessary certificates and do not use the operating system certificate store, or transmit other types of data over TCP port 443. These programs include:

If these programs do not have a method to import trusted CA certificates, they do not operate correctly when content inspection is enabled. Contact your software vendor for more information about certificate use or technical support, or add the IP addresses of computers that use this software to the Bypass List.

Allow SSLv3 and Allow SSLv2 (insecure)

SSLv3, SSLv2, and TLSv1 are protocols used for HTTPS connections. SSLv3 and SSLv2 are not as secure as TLSv1. By default, the HTTPS-proxy only allows connections that negotiate the TLSv1 protocol. If your users connect to client or server applications that only support SSLv2 or SSLv3, you can configure the HTTPS-proxy to use the SSLv2 or SSLv3 protocol for connections to these websites.

To enable SSLv3 or SSLv2, select the Allow SSLv3 or Allow SSLv2 (insecure) check boxes. These options are disabled by default.

Proxy Action

Select an HTTP-proxy policy for your Firebox or XTM device to use when it inspects decrypted HTTPS content.

Use OCSP to confirm the validity of certificates

Select this check box to have your device automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your device uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your device disables the certificate.

If you select this option, there can be a delay of several seconds while your device requests a response from the OCSP server. The Firebox or XTM device keeps between 300 and 3000 OCSP responses in a cache to improve performance for frequently visited websites. The number of responses stored in the cache is determined by your device model.

This option implements a loose OCSP policy. If the OCSP server cannot be contacted for any reason and does not send a response, the Firebox or XTM device will not disable the certificate or break the certificate chain.

If a certificate cannot be validated, the certificate is invalid

When this option is selected, it enforces a strict OCSP policy. If an OCSP responder does not send a response to a revocation status request, your device considers the original certificate as invalid or revoked. This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection.
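As an added illustration (not Fireware code), the following Python model shows how the loose and strict OCSP settings described above decide whether a certificate is accepted, including the bounded response cache. The class name, the responder callback and the cache size parameter are assumptions made for the example.

```python
from collections import OrderedDict
from typing import Callable, Dict, List, Optional

# Constructed model of the two OCSP modes: loose = fail-open when the
# responder cannot be reached, strict = fail-closed. Not Fireware code.
Status = Optional[str]  # "good", "revoked", or None when no response arrived


class OcspChecker:
    def __init__(self, strict: bool, cache_size: int = 300):
        self.strict = strict
        self.cache_size = cache_size  # device models keep 300..3000 responses
        self._cache: "OrderedDict[str, str]" = OrderedDict()

    def certificate_is_valid(self, cert_id: str,
                             query_responder: Callable[[str], Status]) -> bool:
        """Return True if the certificate should be accepted under this policy."""
        status = self._cache.get(cert_id)
        if status is not None:
            self._cache.move_to_end(cert_id)  # recently used entry stays cached
        else:
            status = query_responder(cert_id)
            if status is not None:  # only real responses are cached
                self._cache[cert_id] = status
                if len(self._cache) > self.cache_size:
                    self._cache.popitem(last=False)  # evict the oldest entry
        if status == "revoked":
            return False  # both policies reject a revoked certificate
        if status is None:
            # Loose policy keeps the chain intact; strict policy treats
            # an unanswered request as an invalid certificate.
            return not self.strict
        return True


def make_responder(table: Dict[str, Status], log: List[str]) -> Callable[[str], Status]:
    """Constructed OCSP responder: answers from a table and records each query."""
    def responder(cert_id: str) -> Status:
        log.append(cert_id)
        return table.get(cert_id)  # unknown id behaves like an unreachable responder
    return responder
```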

See Also

About Proxy Policies and ALGs

About the HTTPS-Proxy
