Versa Networks

Configure Security

This article describes how you can configure firewall policies, control traffic based on URL, set the antivirus strength, tune the intrusion prevention system (IPS), and configure TLS decryption from the Security tab. You can customize security settings before or after you activate the license. TLS decryption is supported only when you enable the advanced security settings; that is, you must enable the firewall, a security profile, antivirus, and IPS before you can configure TLS decryption.

Configure Security Settings

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.

    security-firewall-home.png
     
  5. Click Security Policy to open the Security settings screen.

    security-policy-home.png

You customize the following settings on the Configure > Security screen:

  • Firewall Policies—Set firewall rules
  • Security Profile Definition—Categorize URLs, configure reputation, antivirus, and intrusion prevention

Manage Firewall Policies

The Versa portal is preconfigured with default firewall rules. You cannot modify the default rules, but you can add new rules. When you create a port-forwarding rule or an IPsec route-based profile, Versa Portal automatically creates a security rule that allows the corresponding NAT or IPsec traffic and displays it in the security rule list. For port forwarding, the generated rule is named in the format port_forwarding_rule_name_frd; for an IPsec profile, the rule has the same name as the IPsec route-based profile. You cannot edit or delete these system-generated rules, but you can disable them or reorder them to change their priority.

To configure firewall settings:

  1. In the Firewall Policies section, click Firewall Rules to open the Configuration > Security > Firewall Rules screen.

    security-firewall-rules.png

    Each rule displays a numbered circle indicating its position in the rule set. The circle color indicates whether a rule denies (red) or allows (green) traffic, or whether it applies one of the profiles listed in the Security Profile Definition section (purple). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  2. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Versa cloud.
  3. If needed, click + Rule to add a firewall rule.

    security-firewall-rules-add.png
     
  4. Enter information for the following fields.
     
    Field Description
    Rule Name Enter a name for the rule, and then slide the toggle to enable the rule.
    Description Enter a text description for the rule. It can be a maximum of 63 characters.
    Match Criteria Select the Protocol, Address, Application, URL, or DSCP tab to add information about that criteria type. For more information, see Apply Match Criteria for Firewall Rules, below.
    Scope (Group of Fields)  
    • Source Zone
    Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels. Choose a source zone, and then click Continue. To create a tunnel, see Configure IPsec VPN Settings (Tunnels).
    security-firewall-rules-source-zone.png
    • Arrow

    Choose the type of connection:

    • Portal_one_way_arrow.png One-way
    • Portal_two_way_arrow.png Two-way
    • Destination Zone
    Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels. Choose a destination zone, and then click Continue. To create a tunnel, see Configure IPsec VPN Settings (Tunnels).
    security-firewall-rules-destination-zone.png
    Action

    Choose the Deny, Allow, or Apply Security Profile action. When you click Apply Security Profile, a popup window displays.
    security-firewall-rules-action.png

    Choose a level of security for each of the following:

    • URLs
    • Antivirus
    • IPS
    • IP Filter
    • File Filter

    For URLs, Antivirus, and IPS, the security level can be Low, Standard, or Advanced. For IP Filter and File Filter, select an IP-filtering or file-filtering profile that you created in the Security Profile Definition section.

    Logging

    Configure log settings:

    • None—Click to perform no logging.
    • Custom—Click to send logs to a custom log server. Depending on how often the rule matches, the instance may send a large number of log messages.

      security-firewall-rules-logging.png
      • Please Select—If you select Custom, click the down arrow to select a log profile.

      • Event—Select an option to log the data.

        • Start—Log data at the start of each session.

        • End—Log data at the end of each session.

        • Both—Log data at the start and end of each session.

        • Never—Never log data.

    To create a new custom flow logs profile, click the icon-log-server.png icon. For more information, see Add Custom Logs Profile.

  5. Click Add to save the changes. The new rule appears on the Firewall Rules screen.
  6. Click Publish to save all firewall policies.

Apply Match Criteria for Firewall Rules

You can apply the following match criteria types in a security rule:

  • Address
  • Application
  • DSCP
  • Protocol
  • URL

security-firewall-match-criteria.png

To specify the match criteria for a security rule:

  1. To specify protocol criteria for a security rule:
    1. Select the Protocol tab to display the protocol window.

      security-firewall-match-criteria-protocol.png
    2. In the Please Select field, select a protocol. Versa Portal automatically populates the next field with common port numbers.
    3. If needed, click the port number field and edit the port number range.
  2. To specify address criteria for a security rule:
    1. Select the Address tab to display the address window.

      security-firewall-match-criteria-address.png
    2. Click the toggle switch to enter the source or destination IP address. Then click Source.

      security-firewall-match-criteria-address1.png
    3. Enter a source IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_source.png
    4. Click Continue.
    5. Enter a destination IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_destination.png
    6. Click Continue.
  3. To specify application and application groups criteria for a security rule:
    1. Select the Application tab, and then click Click Here To Add or Modify Applications.

      security-firewall-match-criteria-application.png
    2. The Firewall Rules > Add Application popup window displays. Select the Applications tab, then select the application to include in the match list, or type the name of the application in the search box and then select it from the search results. Then, click Add.

      security-firewall-match-criteria-application1.png
      • Click + Custom Applications to create a new custom application object. For more information, see Add Custom Applications.
    3. Select the Application Groups tab, and then select predefined application groups to include in the match list, or type the name of the application group in the search box and then select it from the search results. Then, click Add.

      security-firewall-match-criteria-application2.png
  4. To specify URL criteria for a security rule:
    1. Select the URL tab to display the URL window.

      security-firewall-match-criteria-url.png
    2. In the URL Category section, click Click Here To Add or Modify URLs to select URL categories.

      security-firewall-match-criteria-url1.png
    3. Click Add.
    4. In the URL Reputation section, click Click Here To Add or Modify to select URL reputations.

      security-firewall-match-criteria-url2.png
    5. Click Continue. In the Customize option, modify the URL reputation.
  5. To specify DSCP criteria for a security rule, select the DSCP tab and then enter a DSCP value. DSCP allows you to classify and manage network traffic and to provide quality of service (QoS) in Layer 3 networks. It uses the 6-bit differentiated services code point (DSCP) field in the IP header to classify packets.

    security-firewall-match-criteria-dscp.png
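
The following is an added example, not Versa code, that models the first-match evaluation of the security rules described in Manage Firewall Policies and Apply Match Criteria for Firewall Rules: ordered rules, source and destination zones with a one-way or two-way arrow, protocol and destination port range, CIDR address lists, DSCP, the Deny / Allow / Apply Security Profile action, and start/end session logging. The zone names, rule set, flows, and the default action for an unmatched flow are constructed assumptions for illustration.

```python
"""Added example, not Versa code: a minimal model of first-match security-rule
evaluation. Zones, the one-way/two-way arrow, protocol/port, CIDR address and
DSCP criteria are plain predicates; list order is priority order. The default
action for a flow that matches no rule is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    dscp: Optional[int] = None


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                     # "deny", "allow", or "profile:<Low|Standard|Advanced>"
    two_way: bool = False           # two-way arrow: also match the reverse zone pair
    proto: Optional[str] = None     # None = any protocol
    ports: Optional[tuple] = None   # (low, high) destination port range; None = any
    src_cidrs: list = field(default_factory=list)   # empty = any address
    dst_cidrs: list = field(default_factory=list)
    dscp: Optional[int] = None
    log: str = "none"               # "none", "start", "end", "both"
    enabled: bool = True


def _in_cidrs(ip, cidrs):
    if not cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _zones_match(rule, flow):
    forward = (flow.src_zone, flow.dst_zone) == (rule.src_zone, rule.dst_zone)
    reverse = (flow.src_zone, flow.dst_zone) == (rule.dst_zone, rule.src_zone)
    return forward or (rule.two_way and reverse)


def rule_matches(rule, flow):
    if not rule.enabled or not _zones_match(rule, flow):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.ports is not None:
        if flow.dst_port is None or not rule.ports[0] <= flow.dst_port <= rule.ports[1]:
            return False
    if rule.dscp is not None and rule.dscp != flow.dscp:
        return False
    return _in_cidrs(flow.src_ip, rule.src_cidrs) and _in_cidrs(flow.dst_ip, rule.dst_cidrs)


LOG_EVENTS = {"none": (), "start": ("start",), "end": ("end",), "both": ("start", "end")}


def evaluate(rules, flow, default_action="deny"):
    """Return (rule_name, action, log_events) for the first enabled rule that
    matches, or (None, default_action, ()) when nothing matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action, LOG_EVENTS[rule.log]
    return None, default_action, ()


# Constructed sample rule set in priority order (top rule is evaluated first).
SAMPLE_RULES = [
    Rule("temp-allow-all", "lan", "wan", "allow", enabled=False),     # disabled: never matches
    Rule("block-guest-to-lan", "guest", "lan", "deny", log="both"),
    Rule("ipsec-site-a", "lan", "vpn", "allow", two_way=True, log="end"),
    Rule("lan-https-inspect", "lan", "wan", "profile:Advanced", proto="tcp",
         ports=(443, 443), src_cidrs=["10.0.0.0/8"], log="end"),
    Rule("lan-web-out", "lan", "wan", "allow", proto="tcp", ports=(80, 80),
         src_cidrs=["10.0.0.0/8"]),
    Rule("voice-ef", "lan", "wan", "allow", proto="udp", dscp=46),
]

if __name__ == "__main__":
    for flow in (Flow("guest", "lan", "tcp", "192.168.50.10", "10.0.0.5", 445),
                 Flow("lan", "wan", "tcp", "10.1.2.3", "203.0.113.7", 443),
                 Flow("lan", "wan", "tcp", "10.1.2.3", "203.0.113.7", 22),
                 Flow("vpn", "lan", "tcp", "172.16.0.9", "10.0.0.5", 445)):
        print(flow.src_zone, "->", flow.dst_zone, flow.proto, flow.dst_port,
              evaluate(SAMPLE_RULES, flow))
```

Two points the model makes visible: a disabled rule is skipped even when it sits at the top of the list, which is why reordering and disabling a system-generated rule changes behaviour without editing it; and a two-way arrow only swaps the zone pair, so address criteria still apply to the flow's actual source and destination.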

To edit or delete a rule:

  1. On the Security > Rules tab, click a rule name to edit the rule.
  2. On the Security > Rules tab, click the X next to a rule to delete it.
  3. Click Save to save the changes to the Versa cloud.

Configure Lookup URL Settings 

  1. In the Configuration > Security Policy > Firewall Rules > Add Rules screen, select the URL tab in the Match Criteria section.
  2. In the URL Category section, click Click Here To Add or Modify URLs to select URL categories, and then click Lookup URL.

    firewall-rules-lookup-url.png
  3. In the Lookup URL search bar, enter a URL to look up the mappings to predefined or custom URL reputation and category. For example, enter www.google.com. The Lookup URL Result section displays information about the URL, including its category and reputation.

    lookup-url-settings.png
  4. Click Clear to clear the look up URL result.
  5. Click Back to return to the Add Rules screen.

Manage Security Profile Definitions

Security profile definitions contain the following components:

  • Antivirus settings
  • File filter
  • Geo IP filter
  • Intrusion Prevention System (IPS) settings
  • URL settings, including a deny URL and allow URL

You can manage individual components from the Security screen. You can enable or disable all components with one click from the Inventory menu. See Manage Device License Inventory.

To manage the security profile components:

  1. From the Configuration > Security tab, click the Security Policy to open the Security settings screen.

    security-policy-home.png
  2. Slide the toggle to turn individual security components on or off.

Configure a URL Deny List

Add websites to be blocked on the network so that users cannot access the sites. Add multiple websites by separating them with a comma.

To add URLs to a deny list:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. In the Security Profile Definition section, click Deny URLs to open the Configuration > Security > Deny URLs screen.

    deny-urls.png
     
  6. Enter a single URL or enter multiple URLs separated by a comma.
  7. Click + Add URL to add URLs to the Deny URL list.
  8. Click Publish to save the settings.

To delete URLs from the list, click the X next to the URL.

Configure a URL Accept List

Add websites allowed on the network, even if blocked by other settings. Add multiple websites by separating them with a comma.

To add URLs to the accept list:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. In the Security Profile Definition section, click Allow URLs to open the Configuration > Security > Allow URLs screen.

    allow-urls.png
     
  6. Enter a single URL or enter multiple URLs separated by a comma.
  7. Click + Add URL to add URLs to the Allow URLs list.
  8. Click Publish to save the settings.

To delete URLs from the list, click the X next to the URL.

Configure URL Categories

To set a category filter for types of URLs to allow or block:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click a Category level to open the configuration screen for that level.
  6. Click to select the categories to Block or Alert & Confirm.
  7. Click Publish to save the settings.

Configure IP Reputation Filtering

To set a reputation filter for the IP addresses to allow or block:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click a Reputation level to open the configuration screen for that level.
  6. Click to select the reputation level. The color of a level indicates the action that is taken:

    • Red—Blocked
    • Amber—Ask
    • Blue—Allowed

    Reputation Level Description
    High-Risk IP Addresses (range 1 through 20) IP addresses with a high predictive risk of delivering attacks to infrastructure or endpoints.
    Suspicious IP Addresses (range 21 through 40) IP addresses with a higher than average predictive risk of delivering attacks to infrastructure or endpoints.
    Moderate Risk (range 41 through 60) Generally benign IP addresses that have exhibited some potentially risky characteristics. There is some predictive risk that these IP addresses may deliver attacks to infrastructure or endpoints.
    Low Risk (range 61 through 80) Benign IP addresses that rarely exhibit characteristics that may expose infrastructure and endpoints to security risks. There is a low predictive risk of attack.
    Trustworthy (range 81 through 100) Clean IP addresses that have not been tied to a security risk. There is a very low predictive risk that infrastructure and endpoints may be exposed to attack.
  7. Click Publish to save the settings.

Configure Antivirus Protection

To choose where to apply antivirus protection:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click an Antivirus level to complete the configuration:
    • Low—Web Traffic
    • Standard—Email Attachment
    • Advanced—Web and Email Attachment
  6. Click Publish to save the settings.

Configure Intrusion Prevention System

To configure IPS:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click an Intrusion Detection Prevention level to open the configuration screen for that level:
    • Low
    • Standard
    • Advanced

      intrusion-detection-prevention.png
       
  6. Enter information for the following fields.
     
    Field Description
    Choose Intrusion Detection Prevention Level

    Click the toggle to set attack detection level. The following values are the default settings for the selected Intrusion Detection Protection level:

    • Low—Client Protection. Loads all client-side attack detection.
    • Standard—Standard Recommended Profile. Recommended profile for adequate security and performance.
    • Advanced—All attack rules. Loads all attack signatures.
    All Anomaly Rules Load all the anomaly signatures.
    All Attack Rules Load all attack signatures. This is the default protection in the Advanced setting.
    Client Protection This profile loads all client-side attack detection.
    Database Profile Load the Oracle database server vulnerability signatures.
    ICS Profile Load the Industrial Control System (ICS) vulnerability signatures.
    Linux OS Profile Detect all attacks related to Linux OS.
    Mac OS Profile Detect all attacks related to Mac OS.
    Malware Profile Detect malware attacks.
    Server Protection Detect server-side attacks.
    Standard Recommended Profile This profile is the one recommended by Versa for adequate security and performance.
    Windows OS Profile Detect attacks specific to Windows OS.
  7. Click Publish to save the settings.

Configure Geolocation IP Filtering

Traffic passing through the network may come from or go to IP addresses that have a bad reputation and that pose a security risk to your network. To block IP addresses based on their reputation and on IP address metadata such as geolocation, you configure IP address–filtering profiles and then associate them with security rules through the Apply Security Profile action. Versa Networks provides a list of predefined regions that you can use to create IP-filtering profiles based on geolocation.

After you create a geolocation IP-filtering profile, you can associate it with any security firewall rule.

You can match the IP address based on the following match criteria:

  • Destination IP address
  • Source IP address
  • Source and destination IP address
  • Source or destination IP address

When a session's IP address matches the conditions in an IP-filtering profile, you can enforce the following actions:

  • Allow
  • Alert
  • Drop packet
  • Drop session
  • Reject

To configure a geolocation IP filter:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab and then click Security Policy.
  5. In the Security Profile Definition section, click Geo IP Filter to open the Configuration > Security > Security Policy > Geo IP Filter screen.

    geo-ip-filter.png
    To display the action color code, click the geo-ip-color-code-icon.png action color code icon.

    geo-ip-filter-action.png
     
  6. Click +Profiles to add a new geolocation IP filter profile, and then enter information for the following fields.

    geo-ip-filter-add.png
     
    Field Description
    Profile Name (Required) Enter a name for the geolocation IP-filtering profile.
    Profile Action

    Select an action for geolocation reputation-based IP filtering.

    • Alert—Allow the IP address, and generate an entry in the IP-filtering log.
    • Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
    • Drop packet—Silently discard the matching packets. The client receives no response and waits until its connection times out, so it cannot determine whether the packets were lost because the server is slow or because a firewall blocked access.
    • Drop session—Silently discard the session. As with Drop packet, the client receives no response, so it cannot determine whether the session was dropped because of a delayed server response or because a firewall blocked access.
    • Reject—Send an ICMP unreachable message back to the client, and reset the connection to the server.
    Prioritize URL Reputation Click to prioritize the URL reputation over the IP reputation. When you select this option, instead of blocking the traffic in IP filtering based on reputation, traffic is further evaluated with URL filtering. The URL reputation correlates with an actual website. When you configure an IP-filtering profile that blocks traffic based on IP reputation, some legitimate websites may be blocked. When the URL reputation meets the threshold you select in the Allow URL Reputation field, prioritizing the URL reputation overrides the IP Reputation Action.
    • Allow URL Reputation (Required)

    When you use Prioritize URL Reputation, select the priority to assign to the URL reputation when traffic is evaluated:

    • High risk (Priority 4)
    • Moderate risk (Priority 3)
    • Low risk (Priority 2)
    • Suspicious (Priority 1)
    • Trustworthy (Priority 0)—Ignore a website that is labeled as one with a bad reputation, or ignore an HTTP/SSL URL reputation check that indicates a bad IP reputation.
    Geo IP-Based Action (Group of Fields)  
    • Geo IP-Based Action Rule

    Click the add-icon.png icon to add actions for geographical reputation-based IP filtering. You can add multiple action rules.

     

    geo-ip-filter-file-based-action.png

    • Name (Required)
    Enter a name for the geo IP-based action rule.
    • Regions (Required)
    Select the Geo IP-filtering region and then click Continue.

    geo-ip-filter-file-based-action-region.png
    • Match Type

    Select the match criteria for the IP address:

    • Match only source IP address

    • Match only destination IP address

    • Match source and destination IP address

    • Match source or destination IP address

    • Action

    Select an action for the geo IP-based action rule, and then click Add.

    • Alert—Allow the IP address, and generate an entry in the IP-filtering log.
    • Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
    • Drop packet—Silently discard the matching packets. The client receives no response and waits until its connection times out, so it cannot determine whether the packets were lost because the server is slow or because a firewall blocked access.
    • Drop session—Silently discard the session. As with Drop packet, the client receives no response, so it cannot determine whether the session was dropped because of a delayed server response or because a firewall blocked access.
    • Reject—Send an ICMP unreachable message back to the client, and reset the connection to the server.
  7. Click Add.
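
The following is an added example, not Versa code, that models how the geolocation IP-filtering profile described above might be evaluated, and ties it to the reputation score bands listed under Configure IP Reputation Filtering. It shows the four match types (source only, destination only, both, either), first-match geo IP-based action rules, and the Prioritize URL Reputation option deferring a blocking decision to URL filtering when the URL's reputation meets the Allow URL Reputation threshold. The region table, the profile, the rule order, the use of the profile action as the fallback when no region rule matches, and the interpretation of "meets the threshold" as "at least as trusted as the selected level" are constructed assumptions.

```python
"""Added example, not Versa code: evaluating a geolocation IP-filtering profile
with the Prioritize URL Reputation override. Score bands are those from the
IP reputation table (1 = worst, 100 = best); the geolocation lookup, rule
order, fallback action, and threshold semantics are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

REPUTATION_BANDS = [
    (1, 20, "high_risk"),
    (21, 40, "suspicious"),
    (41, 60, "moderate_risk"),
    (61, 80, "low_risk"),
    (81, 100, "trustworthy"),
]
LEVEL_RANK = {name: i for i, (_, _, name) in enumerate(REPUTATION_BANDS)}  # higher = more trusted


def reputation_level(score):
    for lo, hi, name in REPUTATION_BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"reputation score {score} is outside 1-100")


# Constructed geolocation table standing in for the predefined region list
# (XA/XB are user-assigned ISO 3166 codes, used here as placeholder regions).
GEO_TABLE = {
    "198.51.100.0/24": "XA",
    "203.0.113.0/24": "XB",
    "10.0.0.0/8": "private",
}


def region_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return region
    return "unknown"


@dataclass
class GeoRule:
    name: str
    regions: frozenset
    match_type: str   # "source", "destination", "both", "either"
    action: str       # "allow", "alert", "drop_packet", "drop_session", "reject"

    def matches(self, src_ip, dst_ip):
        s = region_of(src_ip) in self.regions
        d = region_of(dst_ip) in self.regions
        return {"source": s, "destination": d, "both": s and d, "either": s or d}[self.match_type]


@dataclass
class IpFilterProfile:
    name: str
    rules: list = field(default_factory=list)
    profile_action: str = "allow"                 # fallback when no geo rule matches (assumption)
    prioritize_url_reputation: bool = False
    allow_url_reputation: Optional[str] = None    # level name; required when prioritizing


BLOCKING = {"drop_packet", "drop_session", "reject"}


def evaluate(profile, src_ip, dst_ip, url_reputation_score=None):
    """Return (action, reason). A blocking IP-based decision is deferred to URL
    filtering when Prioritize URL Reputation is set and the URL's reputation is
    at least as trusted as the Allow URL Reputation level."""
    action, reason = profile.profile_action, "profile default"
    for rule in profile.rules:                      # first matching geo rule wins
        if rule.matches(src_ip, dst_ip):
            action, reason = rule.action, f"geo rule {rule.name}"
            break
    if (action in BLOCKING and profile.prioritize_url_reputation
            and profile.allow_url_reputation is not None
            and url_reputation_score is not None):
        url_level = reputation_level(url_reputation_score)
        if LEVEL_RANK[url_level] >= LEVEL_RANK[profile.allow_url_reputation]:
            return "defer_to_url_filtering", f"{reason}; URL {url_level} meets {profile.allow_url_reputation}"
    return action, reason


# Constructed sample profile: block sessions to region XA, alert on any XB endpoint.
SAMPLE_PROFILE = IpFilterProfile(
    name="block-xa-egress",
    rules=[
        GeoRule("no-xa-outbound", frozenset({"XA"}), "destination", "drop_session"),
        GeoRule("alert-xb-any", frozenset({"XB"}), "either", "alert"),
    ],
    profile_action="allow",
    prioritize_url_reputation=True,
    allow_url_reputation="low_risk",
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_PROFILE, "10.1.1.1", "198.51.100.5"))
    print(evaluate(SAMPLE_PROFILE, "10.1.1.1", "198.51.100.5", url_reputation_score=75))
    print(evaluate(SAMPLE_PROFILE, "198.51.100.5", "10.2.2.2"))
```

Note the last call in the usage block: the source is in region XA, but the rule matches only the destination, so traffic from XA is not blocked. Choosing the match type is therefore as important as choosing the region, and the override only relaxes blocking actions; Alert and Allow are never changed by URL reputation.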

Configure File Filtering

You can use file filtering to reduce the risk of attacks from viruses and from vulnerabilities associated with various file types, decreasing an attacker's ability to compromise your organization by sending unwanted or malicious files. File filtering is performed based on the file type and the hash of the file.

You can configure file filtering to block the transfer of potentially dangerous files and types of files (that is, files associated with specific applications), files of specific sizes, files associated with specific protocols, and files being sent in a particular direction. You can configure file filtering to perform reputation-based file hash lookups on a cloud server.

The file-filtering process is performed in the following sequence:

  1. Scan the early bytes of an incoming file, and identify the file type.
  2. Search the configured rules to check whether the file type, file size, protocol, and direction match one of the rules.
    1. If a match occurs, take the appropriate rule action.
    2. If no match occurs, perform a cloud lookup.
  3. Perform a cloud lookup, sending the hash of the file, to check the file's reputation.
  4. If the hash of the file is found, take the configured action. A hash can indicate that the file is clean, malicious, or suspicious.
  5. If the file matches none of these, take the default action defined in the file-filtering profile.
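
The following is an added example, not Versa code, that implements the five-step file-filtering sequence above as a small pipeline: identify the type from the leading bytes, match file-based action rules on type, size, protocol, and direction, fall through to a hash reputation lookup, and finally apply the profile's default action. The magic-byte table, the rule set, the sample files, and the "cloud" reputation table keyed by SHA-256 are constructed inline so the example runs offline; the real product consults a cloud server and a much larger type catalogue, and the hash algorithm it uses is not stated on this page.

```python
"""Added example, not Versa code: the documented file-filtering sequence as a
pipeline. Signatures, rules, sample files and the reputation table are
constructed; SHA-256 as the lookup key is an assumption."""
import hashlib
from dataclasses import dataclass, field

# 1. File type from the early bytes (a constructed subset of real signatures).
#    Matching on content rather than extension means renaming evil.exe to
#    report.pdf does not change the verdict.
MAGIC = [
    (b"MZ", "pe"),                    # Windows executable
    (b"\x7fELF", "elf"),              # Linux executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),           # also OOXML (docx/xlsx), jar, apk
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def identify(data):
    head = data[:16]
    for sig, ftype in MAGIC:
        if head.startswith(sig):
            return ftype
    return "unknown"


@dataclass
class FileRule:
    name: str
    file_types: frozenset
    protocols: frozenset
    direction: str          # "download", "upload", "both"
    action: str             # "alert", "allow", "block", "reject"
    min_size: int = 0       # rule applies to files larger than this many bytes

    def matches(self, ftype, size, protocol, direction):
        return (ftype in self.file_types and protocol in self.protocols
                and self.direction in (direction, "both") and size > self.min_size)


def file_hash(data):
    return hashlib.sha256(data).hexdigest()


# 3./4. Stand-in for the cloud reputation service (constructed samples).
KNOWN_MALICIOUS = b"MZ" + b"\x90" * 64 + b"constructed malicious sample"
KNOWN_CLEAN = b"%PDF-1.7\n% constructed clean sample\n"
CLOUD_REPUTATION = {file_hash(KNOWN_MALICIOUS): "malicious", file_hash(KNOWN_CLEAN): "clean"}


@dataclass
class FileFilterProfile:
    protocols: frozenset                     # protocols this profile inspects
    rules: list = field(default_factory=list)
    default_action: str = "alert"
    cloud_lookup: bool = True
    reputation_actions: dict = field(default_factory=dict)   # verdict -> action


def filter_file(profile, data, protocol, direction):
    """Return (action, reason) following the documented sequence."""
    if protocol not in profile.protocols:     # assumption: uninspected protocols pass
        return "allow", "protocol not inspected by this profile"
    ftype = identify(data)
    for rule in profile.rules:                # 2. file-based action rules, first match
        if rule.matches(ftype, len(data), protocol, direction):
            return rule.action, f"rule {rule.name} ({ftype})"
    if profile.cloud_lookup:                  # 3./4. reputation-based action
        verdict = CLOUD_REPUTATION.get(file_hash(data))
        if verdict in profile.reputation_actions:
            return profile.reputation_actions[verdict], f"hash verdict {verdict}"
    return profile.default_action, f"no match ({ftype})"   # 5. default action


SAMPLE_PROFILE = FileFilterProfile(
    protocols=frozenset({"http", "smtp", "ftp"}),
    rules=[
        FileRule("no-exe-download", frozenset({"pe", "elf"}), frozenset({"http", "ftp"}),
                 "download", "block"),
        FileRule("large-archive-upload", frozenset({"zip"}), frozenset({"http"}),
                 "upload", "alert", min_size=1_000_000),
    ],
    default_action="alert",
    reputation_actions={"malicious": "block", "suspicious": "alert", "clean": "allow"},
)

if __name__ == "__main__":
    print(filter_file(SAMPLE_PROFILE, KNOWN_MALICIOUS, "http", "download"))
    print(filter_file(SAMPLE_PROFILE, KNOWN_MALICIOUS, "smtp", "download"))
    print(filter_file(SAMPLE_PROFILE, b"%PDF-1.4 unknown", "http", "download"))
```

The two calls on the malicious sample show the ordering the page describes: over HTTP the type rule fires and the hash is never consulted, while over SMTP (not covered by the rule) the same file is caught by the reputation lookup. A file that matches no rule and has no known hash falls to the default action, so a permissive default is the gap an attacker aims for.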

To configure file filtering:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb, and then click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab and then click Security Policy.
  5. In the Security Profile Definition section, click File Filters to open the Configuration > Security > Security Policy > File Filter screen.

    file-filter.png
    To display the action color code, click the geo-ip-color-code-icon.png action color code icon.

    file-filter-action-color.png
  6. Click +Profiles to add a new file-filtering profile, and then enter information for the following fields.

    file-filter-add-profile.png
     
    Field Description
    Profile Name (Required) Enter a name for the file-filtering profile.
    Description Enter a text description for the file-filtering profile.
    Protocol (Required)

    Select one or more protocols to filter the files:

    • FTP
    • HTTP
    • IMAP
    • MAPI
    • POP3
    • SMTP
    Default Action

    Select the default action to take on a file that enters the network. The default action is taken when a file matches no entries in a deny list, an allow list, or a cloud lookup.

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    Logging

    Click to configure logging:

    • None—Click to perform no logging.
    • Default—Click to use the default logging.
    • Custom—Click to send logs to a custom log server. Depending on how often the rule matches, the instance may send many log messages.

      security-policy-file-filter-logging.png
    • Please Select—If you select Custom, click the down arrow to select a log profile. To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  7. Select the File-Based Action tab to configure file-filtering rules for file properties, such as file type, file size, protocol, and direction.

    security-policy-file-filter-file-based-action-tab.png
  8. Click the add-icon.png Add icon. In the Add File-Based Action Rule popup window, enter information for the following fields, and then click Add.

    security-policy-file-filter-file-based-action-add.png
     
    Field Description
    Name (Required) Enter a name for the file action.
    Description Enter a text description for the file action.
    File Size

    Enter a file size, in bytes. The file filter is applied to any file larger than this size.

    Range: 0 through 4294967295 bytes

    Default: None

    File Type (Required)

    Click the Selected link to add the file type for which to apply the file filter. In the Selected File Type popup window, select the file types, and then click Continue. You can select multiple file types.
     

    security-policy-file-filter-file-based-action-file-type.png

    Protocol (Required)

    Click the Selected link to add the protocols to associate with the file transfer. In the Selected Protocol popup window, select the protocol, and then click Continue. You can select multiple protocols.
     

    security-policy-file-filter-file-based-action-protocol.png

    Direction (Required)

    Select the direction in which to apply the file filter:

    • Download
    • Upload
    • Both
    Action

    Select the default action to take on a file:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
  9. Select the Reputation-Based Action tab to configure file-filtering rules for cloud-based hash lookups, and enter information for the following fields.

    security-policy-file-filter-reputation-based-action-tab.png
     
    Field Description
    Cloud Lookup Click to enable cloud lookup of a file for its reputation and select a file filter cloud profile. To add a new file filter cloud profile, see step 9a.
    Enable Logging Click to store logs.
    Action

    Select the default action to take on a file:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    1. To add a new file filter cloud profile, click + File Filter Cloud Profile and enter information for the following fields.

      file-filter-cloud-profile1.png
       
      Field Description
      Name (Required) Enter a name for the cloud profile.
      Description Enter a text description for the cloud profile.
      Source NAT List (Required)

      Select the SNAT pool to configure cloud lookup for file filtering. The SNAT pool is linked to a routing instance that connects to the cloud server.

      To create an SNAT pool profile, click snat-pool-icon.png and enter information for the following fields.

      create-snat-pool.png

      • Name (Required)—Enter a name for the SNAT pool.
      • Egress Network (Required)—Select an egress network to associate with the SNAT pool.

      Click Add, and then click Continue.

      Connection Pool (Required)

      Enter the number of simultaneous connections to the SSL cloud server.

      Range: 1 to 100000

      Default: None

      Timeout

      Enter the maximum timeout period to wait for a response from the SSL cloud server, in seconds.

      Range: 1 through 4294967295 seconds

      Default: 120 seconds

      Activation Click the toggle to activate the cloud lookup profile.
    2. Click Add. The cloud profile displays in the list.
  10. Click Add.

Configure TLS Decryption

Transport Layer Security (TLS) decryption lets you enforce security policies on encrypted traffic, both to prevent malicious content from entering the network and to prevent sensitive data from leaving the network hidden inside encrypted sessions. TLS decryption is supported only when you enable the advanced firewall security settings and have the Professional license type. That is, you must enable the firewall, a security profile, antivirus, and IPS before you can configure TLS decryption. This feature is available only when the license is activated and running.

The following describes how TLS decryption certificates are managed for each organization type.

System-generated TLS decryption certificate:

  • MSP provider organization—TLS decryption profile configured with the default certificate. The certificate name and the provider organization name are the same.
  • MSP tenant organization—TLS decryption profile configured with the default certificate. The certificate name and the tenant organization name are the same.
  • Branch or hub—TLS decryption profile configured with the default certificate. The certificate name and the tenant organization name are the same.
  • Notes—The system generates the TLS decryption certificate with the organization name, signed by the Versa root certificate.

User-generated TLS decryption certificate:

  • MSP provider organization—Users can upload their own certificate.
  • MSP tenant organization—Users cannot upload their own certificate.
  • Branch or hub—Users can upload their own certificate.
  • Notes—Only the license owner can upload their own certificate.

Prerequisites for TLS Decryption

Before you create a TLS decryption rule:

  • Create a profile for decryption. To decrypt TLS traffic and inspect it for malware, you upload a CA certificate and its associated private key. By default, Versa Portal provides a unique Versa-generated certificate and private key for every organization; you can download the certificate and install it as a trusted root on the customer's end devices that connect through the gateways. Alternatively, you can use your own private key and certificate. Treat this private key as a highly sensitive secret: anyone who holds it can issue certificates that every device trusting that root will accept. To upload or download a certificate, see Upload a Certificate.
  • For tenant organizations, you need to create a TLS decryption profile and rule. However, for provider organizations, default security rules are created and applied. You need to enable decryption and configure the URL category.
  • Create a firewall rule without source and destination zones. The default destination ports must be 44991 and 8080. If you have configured any other ports as part of the captive portal, you must configure those ports as the destination ports for TLS decryption.

Configure TLS Decryption Profile

To decrypt or inspect traffic properties, you create an SSL decryption profile and associate it with a decryption policy rule. The decryption profile is applied to traffic that matches the decryption rule.

You can use two types of SSL proxies with a TLS decryption profile:

  • SSL forward proxy—This is a transparent proxy that can decrypt and encrypt the SSL/TLS traffic between the client and the server. With a transparent proxy, neither the client nor the server knows about the proxy's presence. Rather, the proxy acts as a server towards the client and as a client towards the server.
    Whether to decrypt is controlled through the decryption policy. When the client initiates an SSL/TLS handshake towards the server, the proxy applies the decryption policy to determine whether the traffic needs to be decrypted. If the policy action is to decrypt, the proxy uses the matching SSL profile to initiate the SSL handshake towards the server and inspects the server certificate and other SSL attributes from the SSL handshake stream. If the inspection is successful, the proxy completes the SSL handshake with the server, generates a server certificate signed with the CA certificate (and its associated private key) specified in the SSL proxy profile, and resumes the SSL handshake towards the client. After the SSL handshake between the client and the proxy completes, the proxy can decrypt application traffic sent by the client. Once decrypted, the traffic can be examined by the other services in the firewall service chain before it is encrypted and sent to the server.
  • SSL full proxy—This proxy works in two modes, explicit and transparent:
    • Explicit—Processes SSL/TLS traffic destined to a specific IP address and a specific port. On the client, you configure the proxy IP address and the port. The explicit SSL full proxy works as follows:
      • The client connects to the configured proxy IP address and port and sends an HTTP Connect request.
      • The SSL full proxy parses the HTTP Connect request and extracts the domain that the client wants to connect to. The proxy uses the domain and other Layer 3 and Layer 4 parameters to locate a decryption policy. If the proxy finds a decryption policy, it decrypts or bypasses the SSL connection based on the action in the policy. If there is no policy, decryption is bypassed.
      • The SSL full proxy responds with a 200 OK message. When the proxy receives a client Hello message, if the policy decision was to decrypt, the SSL proxy responds with server Hello message and the remainder of the handshake message between the client and the proxy is exchanged.
      • After the handshake completes, the client does a GET or a POST on the connection.
      • The proxy parses the HTTP request and extracts the domain name and port from the URL. The proxy then performs a DNS resolution of that domain and opens a connection towards the resolved IP address using the source IP address and port from the configured SNAT pool referenced in the HTTP proxy profile.
      • After the connection is successful, the proxy initiates the SSL handshake with the server and then forwards the HTTP request to the server.
      • All the other services in the service chain, such as IPS/IDS and antivirus, examine the decrypted stream to look for threats, and they may drop the packet based on the outcome of their examination.
    • Transparent—Processes SSL/TLS traffic destined to any IP address but to a specific port. The transparent process works the same way as the explicit process, except for DNS resolution. Because the destination IP address is the actual address of the server, the proxy skips DNS resolution: the client resolves the name itself and opens the connection to the server IP address. The proxy uses the SNAT pool configured in the HTTPS proxy profile to perform source NAT.
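The explicit full-proxy steps above, as an added Python example that is not Versa's code: it parses the client's HTTP CONNECT request, locates a decryption policy by domain and destination port, bypasses decryption when no policy matches, and returns the 200 response the proxy sends before the TLS handshake. The policy names, domain patterns, the glob-style domain match and the first-match rule are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class DecryptionPolicy:
    name: str            # constructed policy name
    host_pattern: str    # glob over the domain taken from the CONNECT request
    dest_port: int       # Layer 4 parameter used together with the domain for the lookup
    action: str          # "decrypt" or "bypass"


def parse_connect(request: bytes) -> tuple:
    """Extract (domain, port) from the request line of an HTTP CONNECT request."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError(f"not an HTTP CONNECT request: {line!r}")
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"CONNECT target must be host:port, got {target!r}")
    return host.lower(), int(port)


def lookup_policy(policies, host: str, port: int) -> Optional[DecryptionPolicy]:
    """First matching policy wins (assumption); None means no policy matched."""
    for policy in policies:
        if policy.dest_port == port and fnmatch(host, policy.host_pattern):
            return policy
    return None


def handle_connect(request: bytes, policies) -> dict:
    """Decide decrypt/bypass for one CONNECT and build the proxy's reply to the client."""
    host, port = parse_connect(request)
    policy = lookup_policy(policies, host, port)
    decision = policy.action if policy else "bypass"   # no policy: decryption is bypassed
    return {
        "host": host,
        "port": port,
        "policy": policy.name if policy else None,
        "decision": decision,
        # The proxy answers 200 OK either way; the decision governs the handshake that follows.
        "response": b"HTTP/1.1 200 Connection established\r\n\r\n",
    }


# Constructed sample policies: keep a banking domain out of decryption, decrypt other HTTPS.
POLICIES = [
    DecryptionPolicy("bank-bypass", "*.bank.example", 443, "bypass"),
    DecryptionPolicy("inspect-https", "*", 443, "decrypt"),
]

if __name__ == "__main__":
    req = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    print(handle_connect(req, POLICIES))
```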

To configure TLS decryption profile:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Decryption.

    security-decryption.png
     
  4. Click the profile-icon.png icon in the Profiles section to create a profile for decryption.

    security-decryption-config.png
     
  5. In the Decryption Add window, enter information for the following fields.

    security-decryption-profile-add.png
     
    Field Description
    Profile Name (Required) Enter a name for the decryption profile.
    SSL Type

    Select the decryption type to use with the profile:

    • SSL Forward Proxy
    • SSL Full Proxy—This proxy works in one of two modes, explicit or transparent.

      security-decryption-profile-ssl-full-proxy.png
      • Explicit—Click to process SSL/TLS traffic destined to a specific IP address and a specific port.
      • Transparent—Click to process SSL/TLS traffic destined to any IP address but to a specific port.
      • Match Rules—Displays the names of the configured match rules. To add a rule, click the add-rule-icon.png Add Rule icon to enter the following information in the Match Rule window.

        security-decryption-profile-ssl-full-proxy-match-rule.png
      • Rule Name (Required)—Enter a unique name for the rule.
      • Routing Instance—Click the Routing Instance link. In the Routing Instance popup window, select a routing instance to associate with the match rule.

        security-decryption-profile-ssl-full-proxy-routing-instance.png
      • Destination Ports (Required)—Click the Ports link. In the Destination Ports popup window, enter the port number; traffic destined to that port is decrypted explicitly or transparently.
        security-decryption-profile-add-ssl-full-proxy-match-rule-dest-port.png
      • Destination IP Prefix—For transparent decryption, click the Prefix link. In the Destination IP Prefix popup window, enter destination IP address prefix to match for connections.

        security-decryption-profile-add-ssl-full-proxy-match-rule-dest-prefix.png
      • Destination IP Address—For explicit decryption, click the Address link. In the Destination IP Address popup window, enter destination IP address to match for connections.
    Start TLS

    For SSL forward proxy decryption, select the protocol for which to start the TLS connection:

    • IMAP
    • POP3
    • SMTP
    Use Extended Master Secret Click to use the TLS extended master secret extension. This option helps to prevent man-in-the-middle attacks.
    CA Certificate

    Click to upload a certificate and its associated private key. In the Certificate List popup window, select the certificate and then click Continue.
    certificate-list-tls.png

    If you need to upload your own certificate, you can add the key and then add the certificate for the provider organization. You cannot upload your own certificate for tenant organizations.

    TLS Inspection  
    • Restrict Certificate Extension
    Click to restrict certificate extensions.
    Certificate Checks (Group of Fields)  
    • Expired Certificate

    Select the action to take when the server certificate has expired:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject session—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Untrusted Issuer

    Select the action to take when the certificate is from an untrusted issuer:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject session—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    Mode Checks (Group of Fields)  
    • Unsupported Cipher

    Select the action to take when the decryption encounters an unsupported cipher:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Unsupported Key Length

    Select the action to take when the decryption encounters an unsupported key length:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Unsupported Version

    Select the action to take when the decryption encounters an unsupported TLS version:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Minimum Supported Key Length

    Enter the minimum RSA key length, in bits.

    Range: 512 through 65535

    Default: 512

    TLS Protocol

    Select the TLS protocol:

    • Minimum Version—Select the minimum version of TLS protocol that is supported. The minimum version must be the same as or earlier than the maximum version.
      • TLS 1.1
      • TLS 1.2
      • TLS 1.3
    • Maximum Version—Select the maximum version of TLS protocol that is supported. The maximum version must be the same as or later than the minimum version. The options displayed depend on the version you select in the Minimum Version field. For example, if the minimum version is TLS 1.1, the options TLS 1.1, TLS 1.2, and TLS 1.3 are displayed. If the minimum version is TLS 1.2, the options TLS 1.2 and TLS 1.3 are displayed.
    Key Exchange Algorithms

    When you select minimum and maximum TLS versions and the version is not TLS 1.3, select one or more key exchange algorithms for the SSL connection:

    • ECDHE—Elliptic-curve Diffie–Hellman Key Exchange
    • RSA—Rivest–Shamir–Adleman algorithm
    Encryption Algorithms

    Select an encryption algorithm to use:

    • AES-128-CBC—AES CBC encryption algorithm with 128-bit key
    • AES-128-GCM—AES GCM encryption algorithm with 128-bit key
    • AES-256-CBC—AES CBC encryption algorithm with 256-bit key
    • AES-256-GCM—AES GCM encryption algorithm with 256-bit key
    • Camellia-256-CBC—Camellia encryption algorithm with 256-bit key
    • Chacha20-Poly1305—ChaCha stream cipher and Poly1305 authenticator
    • Seed CBC—TLS RSA with seed CBC
    Authentication Algorithms

    Select one or more authentication (hash) algorithms to use:

    • SHA—Secure Hash Algorithm
    • SHA-256—Secure Hash Algorithm 2 with 256-bit digest
    • SHA-384—Secure Hash Algorithm 2 with 384-bit digest
    Cipher Suites

    Select a TLS cipher suite. If you select a cipher suite, it must be consistent with the selected key exchange, encryption, and authentication algorithms. If you do not configure cipher suites, all cipher suites matching the selected key exchange, encryption, and authentication algorithms are selected by default.

    • TLS-AES-128-GCM-SHA256
    • TLS-AES-256-GCM-SHA384
    • TLS-CHACHA20-POLY1305-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
    • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
    • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
    • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
    • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
    • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
    • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
    • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
    • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    • TLS-RSA-WITH-AES-128-CBC-SHA
    • TLS-RSA-WITH-AES-128-CBC-SHA256
    • TLS-RSA-WITH-AES-128-GCM-SHA256
    • TLS-RSA-WITH-AES-256-CBC-SHA
    • TLS-RSA-WITH-AES-256-CBC-SHA256
    • TLS-RSA-WITH-AES-256-GCM-SHA384
    • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
    • TLS-RSA-WITH-SEED-CBC-SHA
    Logging (Group of Fields)  
    • None
    Click to perform no logging.
    • Default
    Click to use default logging.
    • Custom
    Click to configure logging to a customer log server. Based on the rule match, the instance may send many log messages.
    portal_security_logging.png
    • Please Select
    If you select Custom, click the down arrow to select a log profile. To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  6. Click Add.
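A configuration-time check of the consistency rules the table states for a profile (Minimum Version no later than Maximum Version, Key Exchange Algorithms only when a version below TLS 1.3 is allowed, each Cipher Suite consistent with the selected key exchange, encryption and authentication algorithms, Minimum Supported Key Length in 512 through 65535), as an added Python example that is not Versa's code. It goes one step beyond the table by flagging a TLS 1.3-style suite when Maximum Version is below TLS 1.3; the suite-name parsing, the canonical name form and the sample profile are assumptions.

```python
from dataclasses import dataclass, field

TLS_VERSIONS = ["TLS 1.1", "TLS 1.2", "TLS 1.3"]


def canon(name: str) -> str:
    """Normalise table names ('AES-128-GCM', 'Seed CBC', 'SHA-256') and suite fragments alike."""
    return name.upper().replace("-", "").replace(" ", "")


@dataclass
class DecryptionProfile:
    """Subset of the profile fields from the table above, named as in the UI."""
    min_version: str                                   # Minimum Version
    max_version: str                                   # Maximum Version
    key_exchange: set = field(default_factory=set)     # Key Exchange Algorithms
    encryption: set = field(default_factory=set)       # Encryption Algorithms
    authentication: set = field(default_factory=set)   # Authentication Algorithms
    cipher_suites: list = field(default_factory=list)  # Cipher Suites (names as listed)
    min_key_length: int = 512                          # Minimum Supported Key Length


def parse_suite(suite: str) -> tuple:
    """Split a suite name into (key exchange or None, encryption, authentication)."""
    name = suite.upper().replace("_", "-")
    if "-WITH-" in name:          # TLS 1.2-style: TLS-<kx>[-<sig>]-WITH-<enc>-<hash>
        head, tail = name.split("-WITH-", 1)
        kx = head.split("-")[1]
    else:                         # TLS 1.3-style: TLS-<enc>-<hash>, key exchange not in the name
        kx, tail = None, name[len("TLS-"):]
    enc, _, auth = tail.rpartition("-")
    return kx, canon(enc), canon(auth)


def validate_profile(p: DecryptionProfile) -> list:
    """Return the configuration errors found; an empty list means the profile is consistent."""
    if p.min_version not in TLS_VERSIONS or p.max_version not in TLS_VERSIONS:
        return [f"unknown TLS version in {p.min_version!r}/{p.max_version!r}"]
    errors = []
    if TLS_VERSIONS.index(p.min_version) > TLS_VERSIONS.index(p.max_version):
        errors.append("Minimum Version must be the same as or earlier than Maximum Version")
    if p.min_version == p.max_version == "TLS 1.3" and p.key_exchange:
        errors.append("Key Exchange Algorithms apply only when a version below TLS 1.3 is allowed")
    if not 512 <= p.min_key_length <= 65535:
        errors.append("Minimum Supported Key Length must be 512 through 65535 bits")
    kx_sel = {canon(x) for x in p.key_exchange}
    enc_sel = {canon(x) for x in p.encryption}
    auth_sel = {canon(x) for x in p.authentication}
    for suite in p.cipher_suites:
        kx, enc, auth = parse_suite(suite)
        if kx is None and p.max_version != "TLS 1.3":     # beyond the table: 1.3 suites need 1.3
            errors.append(f"{suite}: TLS 1.3 cipher suite requires Maximum Version TLS 1.3")
        if kx is not None and kx_sel and kx not in kx_sel:
            errors.append(f"{suite}: key exchange {kx} is not a selected Key Exchange Algorithm")
        if enc_sel and enc not in enc_sel:
            errors.append(f"{suite}: encryption is not among the selected Encryption Algorithms")
        if auth_sel and auth not in auth_sel:
            errors.append(f"{suite}: hash is not among the selected Authentication Algorithms")
    return errors


if __name__ == "__main__":
    # Constructed profile: TLS 1.2 through 1.3, ECDHE only, AES-256-GCM, SHA-384.
    profile = DecryptionProfile("TLS 1.2", "TLS 1.3", {"ECDHE"}, {"AES-256-GCM"}, {"SHA-384"},
                                ["TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "TLS-AES-256-GCM-SHA384"])
    print(validate_profile(profile) or "profile is consistent")
```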

Configure TLS Decryption Rule

In a TLS decryption rule, you define the traffic of interest, and for matching traffic you define whether to decrypt the traffic, inspect the traffic, or both decrypt and inspect it. Create a TLS decryption rule without source and destination zones, or configure only the destination zone.

To configure TLS decryption rule:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the instance in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Decryption.

    security-decryption.png
     
  4. Click the rule-icon.png icon in the TLS Decryption section to create a rule for decryption.

    security-decryption-config.png

    Each rule displays a numbered circle indicating its position in the rule set. The circle color indicates whether the rule decrypts traffic (red) or bypasses decryption (green). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  5. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Versa cloud.
  6. In the Decryption Add window, enter information for the following fields.

    security-decryption-rule-add.png
     
    Field Description
    Rule Name (Required) Enter a name for the decryption rule. Slide the toggle to enable or disable rules.
    Description Enter a text description for the rule. It can be a maximum of 63 characters.
    Match Criteria Click Protocol, Address, or URL tab to add details for that criteria type. For more information, see Apply Match Criteria for TLS Decryption Rules, below.
    Scope (Group of Fields) Select the traffic source and destination.
    • Source
    Click the down arrow in the Please Select list. Select the source network security zone; the decryption policy rule then applies to traffic coming from any interface in that zone. Then click Continue.

    source-zone.png
    • Untrust (Internet)—Select for internet-facing WAN interfaces.
    • Wired LAN—Select for LAN interfaces that are controlled by enterprises.
    • Wireless LAN—Select for LAN interfaces that are on wireless networks.
    Arrow Choose a Portal_one_way_arrow.png one-way or Portal_two_way_arrow.png two-way connection.
    • Destination
    Destination zone is not applicable.
    Action

    Select the action to take on the traffic:

    • Decrypt—Click to enable decryption.
    • Decrypt Bypass—Click to bypass decryption of SSL traffic that matches the rule.
    Select Profile If the action selected is decrypt, select the decryption profile.
  7. Click Add.
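Once a rule's action is Decrypt and a profile is selected, the profile's Certificate Checks and Mode Checks decide what happens to each decrypted session. As an added Python example, not Versa's code, this evaluates a constructed server handshake against those settings and shows that only Alert leaves an SSL log entry while Allow passes silently; the observation fields, the log line format and the first-blocking-check-wins ordering are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

TLS_VERSIONS = ["TLS 1.1", "TLS 1.2", "TLS 1.3"]
# Only "Alert" writes an SSL log entry; "Allow" continues silently; the rest end the session.
BLOCKING = {"Drop packet", "Drop session", "Reject session", "Reject"}


@dataclass(frozen=True)
class ServerHandshake:
    """What the proxy learns from the server side of the handshake (constructed fields)."""
    not_after: datetime      # server certificate expiry (UTC)
    issuer_trusted: bool     # issuer chains to a trusted CA
    cipher_supported: bool   # negotiated cipher is one the proxy implements
    key_length: int          # server RSA key length in bits
    tls_version: str         # negotiated protocol version, e.g. "TLS 1.2"


@dataclass(frozen=True)
class ProfileChecks:
    """Certificate Checks, Mode Checks and the version/key-length fields of a profile."""
    expired_certificate: str = "Reject session"
    untrusted_issuer: str = "Reject session"
    unsupported_cipher: str = "Drop session"
    unsupported_key_length: str = "Drop session"
    unsupported_version: str = "Drop session"
    min_key_length: int = 512        # Minimum Supported Key Length
    min_version: str = "TLS 1.2"     # Minimum Version
    max_version: str = "TLS 1.3"     # Maximum Version


def evaluate_session(hs: ServerHandshake, p: ProfileChecks, now: datetime) -> tuple:
    """Return (action, ssl_log_entries). Assumption: the first blocking finding wins."""
    lo, hi = TLS_VERSIONS.index(p.min_version), TLS_VERSIONS.index(p.max_version)
    findings = []   # (check name as in the table, configured action)
    if hs.not_after <= now:
        findings.append(("Expired Certificate", p.expired_certificate))
    if not hs.issuer_trusted:
        findings.append(("Untrusted Issuer", p.untrusted_issuer))
    if not hs.cipher_supported:
        findings.append(("Unsupported Cipher", p.unsupported_cipher))
    if hs.key_length < p.min_key_length:
        findings.append(("Unsupported Key Length", p.unsupported_key_length))
    if hs.tls_version not in TLS_VERSIONS[lo:hi + 1]:
        findings.append(("Unsupported Version", p.unsupported_version))
    # Alert and Allow both let the decrypt session continue; only Alert leaves a trace.
    log = [f'ssl-log check="{name}" action=alert' for name, act in findings if act == "Alert"]
    for name, act in findings:
        if act in BLOCKING:
            return act, log
    return "Allow", log


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed clock
    expired = ServerHandshake(datetime(2024, 1, 1, tzinfo=timezone.utc), True, True, 2048, "TLS 1.2")
    print(evaluate_session(expired, ProfileChecks(expired_certificate="Alert"), now))
```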

Apply Match Criteria for TLS Decryption Rules

You can use the following match criteria types in a TLS decryption rule:

  • Protocol
  • Address
  • URL

To specify match criteria for a TLS decryption rule:

  1. To specify protocol criteria for a TLS decryption rule:
    1. Select the Protocol tab to display the protocol window.

      security-decryption-rule-match-protocol.png
       
    2. In the Please Select field, select a protocol. Versa Portal automatically populates the next field with common port numbers.
    3. If needed, click the port number field and edit the port number range.
  2. To specify address criteria for a TLS decryption rule:
    1. Select the Address tab to display the address window.

      security-decryption-rule-match-address.png
    2. Click the toggle switch to enter the source or destination IP address. Then click Source.

      security-decryption-rule-match-address1.png
       
    3. Enter a source IP address in CIDR format, and then click the icon. To remove an IP address from the list, click the icon.

      portal_security_add_firewall_rules_match_criteria_address_source.png
    4. Click Continue.
    5. Enter a destination IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_destination.png
    6. Click Continue.
  3. To specify URL criteria for a TLS decryption rule:
    1. Select the URL tab to display the URL window.

      security-decryption-rule-match-url.png
    2. Enter the URL pattern, for example, https://google.*. You can save the URL patterns in .txt file format and add multiple .txt files separated by a comma. Click Browse File to add the file.
    3. In the URL Category section, select the URL categories to decrypt. Versa instances support a wide range of predefined URL categories that you can apply in different types of security policies. You can look up a URL in the predefined URL database to determine its category. The predefined URL database is updated daily or in real time as part of security package (SPack) updates.

      security-decryption-rule-match-url-category.png
    4. Click Add.
    5. In the URL Reputation section, select the URL reputation to decrypt and click Continue.

      security-decryption-rule-match-url-reputation.png