Configure SD-WAN TLS Decryption
For supported software information, click here.
Transport Layer Security (TLS) is a widely-adopted security protocol that provides privacy and data security for communications over the internet. A primary use case for TLS is encrypting the communications between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications, such as email, messaging, and voice over IP (VoIP).
TLS decryption uses two mechanisms to secure traffic:
- Handshake protocol—Authenticates the client and server devices at both ends of a secure communications channel, negotiates cryptographic modes and parameters, and establishes shared keying material to negotiate the security parameters of a connection. The handshake protocol then sends messages to the TLS record protocol.
- Record protocol—Takes transmitted messages from the handshake protocol, fragments the data into manageable blocks, protects the records, and transmits the result. The data received is verified, decrypted, reassembled, and then delivered to higher-level clients.
To configure SD-WAN TLS decryption, you create TLS decryption policies and profiles. Decryption enforces security policies on encrypted traffic to help prevent malicious content from entering the network and to protect sensitive data disguised as encrypted traffic from leaving the network. You can configure a decryption profile with SSL inspection and policy enforcement information. This article describes how to configure the decryption policies and profiles.
Create a TLS Decryption Policy
You can create a TLS decryption policy as part of a main template, or you can create it separately and then associate it with a main template. For more information on main templates, see Configure Main Templates.
- To create a TLS decryption policy for an existing main template:
- In Tenant view, select Configure > SD-WAN > Main Templates.
- Select the main template for which you want to configure the policy.
- Select step 7, Security, and then select the TLS Decryption tab.

- Click Add New TLS Decryption Policy.
- Continue to Configure TLS Decryption Rules, below.
- To create a TLS decryption policy separately from a main template:
- In Tenant view, select Configure > Secure SD-WAN > Security > Policies.

- On the Policies screen, select the TLS Decryption tab.
- If you have not yet configured a TLS decryption policy, click Add TLS Decryption Policy.
- If you have configured one or more TLS decryption policies, the following screen displays. Click the + icon.

- Continue to Configure TLS Decryption Rules, below.
Configure TLS Decryption Rules
- On the Add TLS Decryption Policy screen, click Add TLS Decryption Rule.

The screen displays the workflow to create a rule, beginning with step 1, Decryption Enforcement.

- To configure a policy rule to decrypt traffic and inspect the server certificate, enter information for the following fields.
- Decrypt traffic and inspect the server certificate (Group of Fields)
Select to decrypt and inspect all traffic. Decryption enforces security policies on encrypted traffic to help prevent malicious content from entering the network and to protect sensitive data disguised as encrypted traffic from leaving the network.
- Use the following decryption profile
Select an existing TLS decryption profile to use in the rule, or click + Create New to create a new profile.
For information on creating a TLS decryption profile, see Configure SD-WAN TLS Decryption Profiles, below.
- Bypass decryption for the following URL filtering profile (optional)
Select an existing URL filtering profile to use in the rule, or click + Create New to create a new profile.
For information on creating a URL Filtering profile, see Configure SD-WAN URL-Filtering Policies.
- Bypass Certificate-Pinned Traffic
Click the toggle to enable dynamic bypass of TLS decryption for certificate-pinned applications for logged-in users.
- To configure a policy that does not decrypt and enforce security policy rules on traffic, enter information for the following fields.
- Do Not Decrypt (Group of Fields)
Select to bypass decryption of the traffic. Select this option if you do not want to decrypt the traffic and enforce security rules on it; the traffic remains encrypted. Use this option for sites, applications, or services that your organization requires.
- Do not decrypt but do inspect the traffic
Do not decrypt the traffic, but inspect it to identify and classify it and to check it for threats.
- Use the following decryption profile
If you chose to inspect the traffic, select an existing TLS decryption profile to use in the rule, or click + Create New to create a new profile.
For information on creating a TLS decryption profile, see Configure SD-WAN TLS Decryption Profiles, below.
- Do not decrypt and do not inspect the traffic
Click to allow traffic from certain trusted sites to pass without being inspected.
- Click Next to go to step 2, Applications and URLs. By default, all applications, URLs, and reputations are included in the match criteria. You can include or exclude specific applications, application groups, application categories, URL categories and URL reputations.
To specify traffic for application groups, specific applications, application categories, and URL categories and reputations for the rule:
- Select the Applications > Application Groups tab.

- To select specific application groups to include or exclude in the rule, click User Defined Application Groups, Predefined Application Groups, or both. Then select the application groups for the rule to match. You can use the Search bar to find specific application groups.
- To create an Application Group object, click + Add Application Group.
- Select the Applications > Applications tab.

- To select specific applications, click User Defined Applications, Predefined Applications, or both. Then select the applications for the rule to match. You can use the Search bar to find specific applications.
- To create an Application object, click + Add Application.
- Select the Applications > Application Categories tab.

- Select one or more user-defined and predefined application categories for the rule to match. You can use the Search bar to find specific application categories.
- To create an Application Category object, click + Add Application Category.
- Select the URLs and Reputations tab.

- In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
- To create a URL category, select + Add URL Category.
- In the Reputations field, click the down arrow, and then select one or more reputations to include in the rule:
- High risk
- Low risk
- Moderate risk
- Suspicious
- Trustworthy
- Undefined
- Click Next or select step 3, Users and User Groups.
- By default, all users and user groups are included in the match criteria. To customize which traffic to include or exclude from users and user groups:
- Click to select the user type for which you want to apply the rule:
- All Users—Apply rule for all matched users. This is the default.
- Selected Users—Apply rule for selected users.
- Known Users—Apply rule for all known (authenticated) users.
- Unknown Users—Apply rule only for users that are not authenticated.

- If you select the Selected Users option, the following screen displays.

- Click the User and Device Authentication field to select a user authentication profile for the matched users and groups.
- To create a new profile, select + Create New.
- On the User Groups tab, click the checkbox for each user group to include. You can search for specific user groups, or click Select All to include all user groups.
- Click the Users tab, and then click the checkbox for each user to include. You can search for specific users, or click Select All to include all users.
- Click Next or select step 4, Source & Destination Traffic.
- By default, traffic from all source and destination addresses and zones, and all sites, is included in the match criteria. You can include or exclude specific source and destination traffic to match the rule.
To match traffic from specific source and destination addresses, zones, and sites:
- Select the Source Addresses tab.

- Select a source address group or address object for the rule to match, or use the search box to find a source address group or object. To exclude the source address or addresses, click Negate Source Address.
- To create an Address Group object, click the + icon. For more information, see Add Address Group.
- To create an Address Object, click the + icon. For more information, see Add Address Object.
- To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields.
- Select the Destination Addresses tab.

- Select a destination address group or object for the rule to match, or use the search box to find a destination address group or object. To exclude the destination address or addresses, click Negate Destination Address.
- To create an Address Group object, click the + icon. For more information, see Add Address Group.
- To create an Address Object, click the + icon. For more information, see Add Address Object.
- To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields.
- Click the Enable Match Anycast Address toggle to match on an anycast IP address, which is a shared default gateway IP address.
- Select the Source Zones & Sites tab to specify source zones to include in the match criteria. Select one or more source zones or source sites from the lists. You can also select an ingress routing instance.

- Select the Destination Zones & Sites tab to specify destination zones to include in the match criteria. Select one or more destination zones or destination sites from the lists. You can also select an egress routing instance.

- Click Next to go to step 5, Source and Destination Geolocation.
- Geolocation uses IP addresses to identify the location of connected devices. By default, source and destination traffic from all locations are included in the match criteria. You can specify the source and destination traffic to include or exclude in the match criteria based on geographic location.
To specify the geographic locations to include or exclude:
- On the Source Geo Location tab, click the Country drop-down list to select a geographic category to search.
- In the next field, type the name of the country, state, or city. When a match is found, it is added to the Selected list.
- To remove a country from the list, click the X next to the country name. To remove all selections, click Clear All.
- To exclude the selected geographic locations from the match criteria, click Negate Selection.
- Click the Destination Geo Location tab, and repeat the preceding four steps for the destination location.

- Click Next to go to step 6, Services & DSCP. By default, all services, service groups, and DSCP values are included in the match criteria.
- To specify the services, service groups, and DSCP to include:
- Select the Services tab.

- Select the services to include in the match criteria. To filter the list, click All Types, and select Predefined or User Defined. You can also search by service name.
- To create a services object, click the + icon. For more information, see Add a Service Object.
- Select the Service Groups tab.

- Select the service groups to include in the match criteria. You can search by service group name.
- To create a service group object, click the + icon. For more information, see Add a Service Group.
- Select the DSCP tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.

- Select one or more DSCP decimal values. The value range is 0 to 63. You can use the search bar to locate values.
- Click Next to go to step 7, Review and Submit.
- In the General section, enter information for the following fields.

- Name
Enter a name for the rule.
- Description
(Optional) Enter a description for the rule.
- Tags
(Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. The tags are used for searching the objects.
- Schedule
Select a schedule to set the time and frequency at which the rule is in effect.
- Rule Enabled
Click to disable the rule once it is saved. By default, the rule is enabled.
- For all other sections, review the information. If you need to make changes, click Edit.
- Click Save TLS Decryption Rule. The Add TLS Decryption Policy screen displays the saved rule.

- To add another rule, click + Add in the horizontal menu. You can also select an existing rule and perform the following operations:
- Clone—Creates a copy of the rule. You can change the default name of the cloned rule, if desired. The cloned rule then appears in the list of TLS decryption rules.
- Reorder—Reorder the selected policy rule.
- Delete—Delete the selected policy rule.
- Continue to Configure Permissions, Review, and Submit the TLS Decryption Policy, below.
Configure Permissions, Review, and Submit the TLS Decryption Policy
- On the Add TLS Decryption Policy screen, select workflow step 2, Permissions.
The permission for each role is selected by default, and you can update it.

- To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role, or you can click Next to go to step 3, Review & Submit.
- In the General section, enter information for the following fields.
- Name
Enter a name for the policy.
- Description
(Optional) Enter a description for the policy.
- Tags
(Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. The tags are used for searching the objects.
- Reuse Options (For policies added through the Main Templates workflow)
Click Reusable on Other Templates to make the policy usable in other main templates. Otherwise, click Not Reusable. If you mark the policy as reusable, the policy is listed in the Access Control Policies table at Configure > SD-WAN > Security > Access Control.
- Review the remaining sections. Click the Edit icon in any section to make changes, as needed.
- Click Submit. The Security Profiles screen displays the saved profile in the TLS Decryption Profiles list.
Configure SD-WAN TLS Decryption Profiles
- Select Configure > Secure SD-WAN > Security > Profiles.

- Select the TLS Decryption tab.
- If you have not yet configured a TLS decryption profile, click Add TLS Decryption Profile.
- If you have configured one or more TLS decryption profiles, click + Add.
- The screen displays the workflow to create a profile, beginning with step 1, Profile Type.

- In workflow step 1, Profile type, select the type of profile you want to configure:
- Decryption Profile—Applies both decryption and inspection protocols that you can associate with your decryption rules.
- Inspection Profile—Applies only inspection protocols that you can associate with your decryption rules.

- Click Next.
- If you selected Decryption Profile, the Certificate Setup screen displays. Continue to Step 6.
- If you selected Inspection Profile, the Inspection Options screen displays. Skip to Step 8.
- On the Certificate Setup screen, click Previously Uploaded Certificates.
- To use a previously uploaded certificate, select the certificate from the drop-down list. The certificate information displays. Click the Download icon to download and inspect the certificate.
- To create a new certificate, select + Create New from the drop-down list. For more information, see the Add a Certificate section in Configure Reusable Objects.
- Click Next.
- On the Inspection Options screen, enter information for the following fields.

- Transport Layer Security (TLS) Version Support
Click the slider to select the minimum and maximum TLS version that is supported. If you select a version that is not TLS 1.3, select one or both key exchange algorithms for the SSL connection.
- Certificate Validation (Group of Fields)
Configure how to determine whether certificates are valid.
- Verify with OCSP
Select to use the Online Certificate Status Protocol (OCSP) to verify a server certificate.
- Block Unknown Certificates
Select to block SSL sessions whose certificate status is unknown.
- Response timeout (seconds) for an OCSP request
Enter how long, in seconds, before an OCSP request times out.
Default: 5 seconds
Range: 1 to 255 seconds
- Verify
Select a device or devices to verify the certificate:
- Client
- Server
- Server and Client
- Server Certificate Actions (Group of Fields)
Check whether certificates have been revoked.
- When the certificate expires, do the following:
Select a security action to take when the certificate expires.
You can select a predefined or a user-defined security action. To configure a user-defined security action, select + Create New. For more information, see Add Security Actions.
Predefined actions:
- Alert
- Allow
- Ask
- Block
- Drop Packet
- Drop Session
- Justify
- Reject
- When the certificate is received from an untrusted issuer, do the following
Select a security action to take when a certificate is received from an untrusted issuer. You can select a predefined or a user-defined security action. To configure a user-defined security action, select + Create New. For more information, see Add Security Actions.
For predefined actions, see the field description above.
- Restrict Certificate Extension
Click to choose whether to restrict the certificate key usage extensions to either digital signature or key encipherment.
- SSL or TLS Protocol Checks (Group of Fields)
- When the negotiated SSL or TLS protocol between the client and server uses an unsupported key length, do the following:
Select a security action to take when SSL or TLS between the client and server uses an unsupported key length.
You can select a predefined or a user-defined security action. To configure a user-defined security action, select + Create New. For more information, see Add Security Actions.
For predefined actions, see the field description for Server Certificate Actions, above.
- Minimum Supported RSA Key Length
Enter the minimum supported RSA key length, in bits.
Default: 1024 bit
Range: 512 bits or longer
- When the negotiated SSL or TLS protocol between the client and server uses an unsupported cipher, do the following:
Select a security action to take when SSL or TLS between the client and server uses an unsupported cipher.
You can select a predefined or a user-defined security action. To configure a user-defined security action, select + Create New. For more information, see Add Security Actions.
For predefined actions, see the field description for Server Certificate Actions, above.
- When the negotiated SSL or TLS protocol between the client and server uses an unsupported protocol version, do the following:
Select a security action to take when SSL or TLS between the client and server uses an unsupported protocol version.
You can select a predefined or a user-defined security action. To configure a user-defined security action, select + Create New. For more information, see Add Security Actions.
For predefined actions, see the field description for Server Certificate Actions, above.
- Click Next.
- If you selected Decryption Profile as the profile type, workflow step 4, Decryption Options displays. Enter information for the following fields.
- If you selected Inspection Profile as the profile type, skip to Step 11.

- Transport Layer Security (TLS) Version Support (Group of Fields)
- Minimum and maximum version of TLS that is supported
Use the slider to select the minimum and maximum TLS version that is supported. If you select a version that is not TLS 1.3, select one or both key exchange algorithms for the SSL connection.
- Key Exchange Algorithms
If you selected a version that is not TLS 1.3, select one or both key exchange algorithms:
- ECDHE—Elliptic-Curve Diffie-Hellman Key Exchange
- RSA—Rivest-Shamir-Adleman algorithm
- Advanced Settings (Group of Fields)
Click to configure algorithms and TLS cipher suites.
- Encryption Algorithms
Select which encryption algorithms to use. The encryption algorithms that you choose determine which authentication algorithms are available.
- Authentication Algorithms
Select which authentication algorithms to use.
- TLS Cipher Suites
Displays the TLS cipher suites selected depending on the algorithms.
- Click Next. The workflow step for Permissions displays.
- The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.

- Click Next. The workflow step for Review and Submit displays.
- In the General section, enter a name for the TLS decryption profile. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

- To enable logging, click the Logging Disabled toggle, and then select a logging profile that indicates where to forward the logs.
- Use Default—Click to use the default logging profile.
- Custom—Click to use a custom logging profile, and then select a profile in the drop-down list. To create a custom profile, select + Create New.

- For all other sections, review the information. If you need to make changes, click the Edit icon.
- Click Submit to create the TLS decryption profile.
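As an added illustration (not part of this documentation or of the product's own code), the following Python models how the Inspection Options of a profile combine when a session is checked: each check maps to its configured security action, and the session verdict is the most restrictive action that any check triggered. The profile field names, the session attributes, the ordering of the predefined actions and the treatment of a revoked OCSP status are assumptions made for this example; only the 1024-bit RSA default comes from the profile description above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Predefined security actions from the profile, ranked here from least to
# most restrictive. This ranking is an assumption for the example; the
# profile lists the actions but does not rank them.
ACTION_SEVERITY = ["Allow", "Alert", "Justify", "Ask", "Block",
                   "Reject", "Drop Packet", "Drop Session"]

# Versions in the order the version slider presents them (assumed labels).
TLS_VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


@dataclass
class InspectionProfile:
    """Subset of the Inspection Options fields. Defaults are assumptions,
    except min_rsa_bits, whose documented default is 1024."""
    min_tls: str = "TLS1.2"
    max_tls: str = "TLS1.3"
    min_rsa_bits: int = 1024
    verify_ocsp: bool = True
    block_unknown_certs: bool = True
    allowed_ciphers: frozenset = frozenset({
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"})
    on_expired: str = "Block"
    on_untrusted_issuer: str = "Block"
    on_bad_key_length: str = "Drop Session"
    on_bad_cipher: str = "Reject"
    on_bad_version: str = "Reject"


@dataclass
class ObservedSession:
    """Constructed attributes of one negotiated session (sample input)."""
    tls_version: str
    cipher: str
    rsa_bits: Optional[int]      # None when the server key is not RSA
    cert_expired: bool
    issuer_trusted: bool
    ocsp_status: str             # "good", "revoked" or "unknown"


def evaluate(profile: InspectionProfile,
             sess: ObservedSession) -> Tuple[List[Tuple[str, str]], str]:
    """Return (findings, verdict): findings are (check, action) pairs for
    every triggered check; verdict is the most restrictive action, or
    "Allow" when no check triggered."""
    findings = []
    lo, hi = TLS_VERSIONS.index(profile.min_tls), TLS_VERSIONS.index(profile.max_tls)
    if not lo <= TLS_VERSIONS.index(sess.tls_version) <= hi:
        findings.append(("unsupported protocol version", profile.on_bad_version))
    if sess.cipher not in profile.allowed_ciphers:
        findings.append(("unsupported cipher", profile.on_bad_cipher))
    if sess.rsa_bits is not None and sess.rsa_bits < profile.min_rsa_bits:
        findings.append(("unsupported key length", profile.on_bad_key_length))
    if sess.cert_expired:
        findings.append(("certificate expired", profile.on_expired))
    if not sess.issuer_trusted:
        findings.append(("untrusted issuer", profile.on_untrusted_issuer))
    if profile.verify_ocsp:
        # Revoked certificates are blocked outright (assumed); an unknown
        # status is blocked only when Block Unknown Certificates is selected.
        if sess.ocsp_status == "revoked":
            findings.append(("certificate revoked", "Block"))
        elif sess.ocsp_status == "unknown" and profile.block_unknown_certs:
            findings.append(("certificate status unknown", "Block"))
    if not findings:
        return findings, "Allow"
    verdict = max((action for _, action in findings), key=ACTION_SEVERITY.index)
    return findings, verdict
```

A legacy server that negotiates TLS 1.0 with a 512-bit RSA key and an expired certificate from an untrusted issuer triggers every check at once, and the verdict is the most restrictive of the configured actions rather than the first one hit.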
Attach TLS Decryption Policies to a Main Template
To attach TLS decryption policies to an existing main template:
- Go to Configure > SD-WAN > Main Templates.
The screen displays the configured main templates.
- Select the main template to which you want to attach the TLS decryption policy.
- Scroll down to the Security section, and then click the Edit icon. The screen displays workflow step 7, Security.
- Click the TLS Decryption tab, and then click Add Existing TLS Decryption Policy.

- Select one or more policies to add to this main template. You can view or remove the selected policies in the right panel.

- Click Submit.
- Click Skip to review or select step 13, Review & Submit.
- Review the information. If you need to make changes, click the Edit icon.
- Click Submit.
Manage SD-WAN TLS Decryption Policies
You can perform the following actions on SD-WAN TLS Decryption policies:
- Edit
- Clone
- Delete
- View references
- Propagate
- Compare versions
- View the audit log
- Enable and disable auto delete
For information about these actions, see Manage SD-WAN Policies and Profiles.
Supported Software Information
Releases 13.1.1 and later support all content described in this article.
Additional Information
Configure Reusable Objects
Manage SD-WAN Policies and Profiles
