Configure SD-WAN TLS Decryption in Concerto
For supported software information, see Supported Software Information at the end of this article.
Transport Layer Security (TLS) is a widely-adopted security protocol that provides privacy and data security for communications over the internet. A primary use case for TLS is encrypting the communications between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications, such as email, messaging, and voice over IP (VoIP).
TLS uses two mechanisms to secure traffic:
- Handshake protocol—Authenticates the client and server devices at both ends of a secure communications channel, negotiates cryptographic modes and parameters, and establishes the shared keying material that protects the connection. The handshake protocol then passes the negotiated parameters to the TLS record protocol.
- Record protocol—Takes transmitted messages from the handshake protocol, fragments the data into manageable blocks, protects the records, and transmits the result. The data received is verified, decrypted, reassembled, and then delivered to higher-level clients.
To configure SD-WAN TLS decryption, you create TLS decryption policies and profiles. Decryption enforces security policies on encrypted traffic to help prevent malicious content from entering the network and to protect sensitive data disguised as encrypted traffic from leaving the network. You can configure a decryption profile with SSL inspection and policy enforcement information. The following sections describe the procedures to configure the decryption policies and profiles.
Configure SD-WAN TLS Decryption Policies
To configure SD-WAN TLS decryption policies:
- Go to Configure > Profile Elements > Policies > Security > TLS Decryption > TLS Decryption Policy.
The following screen displays.
- Click + Add. The Add Decryption Policy screen displays.
- In Step 1, Decryption Rules, click the Add icon. The Add TLS Decryption Policy Rule screen displays. In Step 1, Decryption Enforcement, select the type of policy to create by entering information for the following fields.
Field: Description
- Decrypt and Inspect the Traffic (group of fields): Select to decrypt and inspect all traffic. Decryption enforces security policies on encrypted traffic to help prevent malicious content from entering the network and to protect sensitive data disguised as encrypted traffic from leaving the network.
  - Use the following decryption profile: Select a TLS decryption profile to use in the rule. To create a TLS decryption profile, see Configure SD-WAN TLS Decryption Profiles.
  - URL Filtering Action Override: Select a URL-filtering profile to bypass the decryption action configured in that URL-filtering profile.
- Do Not Decrypt (group of fields): Select to bypass decryption of the traffic. Because the traffic remains encrypted, no security rules are enforced on it. Use this option only for sites, applications, or services that your organization requires.
  - Do not decrypt but do inspect the traffic: Do not decrypt the traffic, but still inspect it to identify and classify it and to check it for threats. Select a profile from the drop-down list.
  - Do not decrypt and do not inspect the traffic: Select to allow traffic from certain trusted sites to pass without being inspected.
- Click Next to go to Step 2, URL Categories and Reputations. By default, all URL categories and reputations are included in the match criteria. To specify the URL categories and reputations to which the rule applies, enter the following information.
- Select one or more URL categories in the URL Categories field to specify the URL categories to which the rule applies.
- Select one or more reputations in the Reputations field to specify the reputations to which the rule applies.
- Click Next to go to Step 3, Users & Groups. The User Groups tab displays a list of existing user groups, if any. By default, all users and groups are included. You can specify the specific users or groups to be included.
- On the User Groups tab, select one or more existing user groups, or click + Add New User Group to add a new user group.
- If you click + Add New User Group, the following popup window displays.
- Enter a user group name and a distinguished name (DN).
- Click Add.
- Select the Users tab.
- Select one or more existing users, or click + Add New User to add a new user.
- If you click + Add New User, the following popup window displays.
- Enter a user name and a work email address.
- Click Add.
- Click Next to go to Step 4, Source & Destination Traffic. The following screen displays. By default, all source and destination traffic is included. You can specify which source and destination traffic to include.
- To customize the source traffic, on the Source Address tab, use one of the following methods:
- To specify source addresses to include in the match criteria, continue with Step 11.
- To specify source addresses to exclude from the match criteria, select Negate Source Address to match all source addresses except the source addresses that you specify, and then continue with Step 11.
- On the Source Address tab, to specify a source address to include or exclude in the match criteria, select a source address from the list or use the search box to find one. To create a variable for the source address, click + Add Variable, enter a name for the variable, click the Plus icon, and then click Add. You can add multiple variables before clicking Add.
You can also enter values for the IP Address or IP Range, IP Subnet, and IP Wildcard fields as part of the match criteria. To create variables for these values, click + Add Variable next to the field; you can add multiple variables for each field.
- To add a variable for the IP address or IP range, select IPv4 Address, IPv4 Range, or IPv6 Address from the drop-down list, click the Plus icon, and then click Add.
- To add a variable for the IP subnet, select IP Subnet or IPv6 Subnet from the drop-down list, click the Plus icon, and then click Add.
- To add a variable for the IP wildcard, enter a name for the variable, click the Plus icon, and then click Add.
- Click the Destination Address tab.
- To customize the destination traffic, use one of the following methods:
- To specify destination addresses to include in the match criteria, continue to Step 14 to select addresses.
- To specify destination addresses to exclude from the match criteria, select Negate Destination Address to match all destination addresses except the addresses that you specify, and then continue to Step 14 to select addresses.
- To specify a destination address to include or exclude in the match criteria, select a destination address from the list or use the search box to find one. To create a variable for the destination address, click + Add Variable to the right of the destination address list. You can also enter values for the IP Address or IP Range, IP Subnet, and IP Wildcard fields as part of the match criteria. To create variables for these values, click + Add Variable for that field. For more information on adding variables, see Step 11.
- Select the Source Zone and Sites tab, and then enter information for the following fields.
Field: Description
- Source Zones: Click the down arrow, and then select one or more zones. To create a variable for the source zone, click Add Variable.
- Source Sites: Click the down arrow, and then select one or more sites. To create a variable for the source site, click Add Variable.
- Select the Destination Zone and Sites tab, and then enter the information for the destination zone and destination site. The fields are the same as for the Source Zone and Sites shown above.
- Click Next to go to Step 5, Service & Differentiated Services Code Point (DSCP). By default, all services, service groups, and DSCP values are included in the match criteria.
- To specify the services to include, do one or both of the following:
- In the search box under Services, enter the service name.
- Click All Services and one of the following categories to filter using the drop-down list:
- Predefined
- User Defined
- Select the Service Groups tab, then select the user-defined or predefined service groups to which to apply security access control rules. Click the Toggle Row Expand icon next to the service group name to view the details for each service group.
- Select one or more service groups to add to the rule. The service groups are added to the Services list.
- Select the DSCP tab. All DSCP decimal values are included by default. You can specify which DSCP decimal values to include. The range is from 0 through 63.
- Click Next to go to Step 6, Permissions. To revise the permissions for a role, select Edit, Hide, or Read in the Permissions column.
- Click Next to go to Step 7, Review & Submit, and enter information for the following fields.
Field: Description
- General (group of fields):
  - Name: Enter a name for the rule.
  - Description: (Optional) Enter a description for the rule.
  - Tags: (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags for the same object. The tags are used for searching the objects.
  - Schedule: Select a schedule to set the time and frequency at which the rule is in effect.
  - Rule Enabled: Click to disable the rule once it is saved. By default, the rule is enabled.
  - Logging Disabled: Click the slider bar to enable logging for the rule. By default, logging is disabled.
- Review the selected settings. Click the Edit icon to change a setting, if needed.
- Click Save to save the rule. The Add TLS Decryption Policy screen displays with the new rule listed.
- Click Next to go to Step 2, Permissions.
- To revise the permissions for a role, select Edit, Hide, or Read in the Permissions column.
- Click Next to go to Step 3, Review & Submit, then enter the following information.
Field: Description
- General (group of fields):
  - Name: Enter a name for the policy.
  - Description: (Optional) Enter a description for the policy.
  - Tags: (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags for the same object. The tags are used for searching the objects.
- Review the selected settings. Click the Edit icon to change a setting, as needed.
- Click Save to save the new TLS policy.
Configure SD-WAN TLS Decryption Profiles
You can configure two types of SD-WAN TLS decryption profiles:
- Decryption Profile—Applies both decryption and inspection protocols that you can associate with decryption rules.
- Inspection Profile—Applies only inspection protocols that you can associate with decryption rules.
To configure SD-WAN TLS decryption profiles:
- Go to Configure > Profile Elements > Policies > Security > TLS Decryption > TLS Decryption Profile.
The following screen displays with Decryption Profile selected by default.
- Select the type of decryption profile to configure. The options are:
- Decryption Profile
- Inspection Profile
Note: If you select Inspection Profile, go to Step 7 below. The workflow steps for an inspection profile do not include the Certificate Setup or Decryption Options steps.
- Click Next to go to Step 2, Certificate Setup (for a decryption profile only).
- Select a previously uploaded certificate from the drop-down list. The certificate information displays. Click the Download icon to download the certificate.
- Click + Add New to upload a new CA certificate. In the Add CA Certificate popup window, enter information for the following fields.
Note: The file to be uploaded must be in .zip format. The .zip file must consist of two files: a key file and a certificate file. The key file must have a .key extension. There is no restriction on the extension of the certificate file.
Field: Description
- Certificate Name (Required): Enter a name for the certificate.
- CA-Chain Name (Required): Select a CA chain.
- Pass-Phrase: Enter a pass phrase of 1 through 15 characters.
- Upload File: Click to upload the .zip file.
- Click Add to add the CA certificate.
- Click Next to go to Step 3, Inspection Options, then enter information for the following fields. Note that if you are configuring an Inspection Profile, this step is Step 2, Inspection Options.
TLS inspection is the process of intercepting and reviewing SSL or TLS encrypted internet communication between the client and the server. The inspection of SSL or TLS encrypted traffic has become critically important because the vast majority of internet traffic is SSL or TLS encrypted, including malicious traffic.
Field: Description
- Transport Layer Security (TLS) Version Support: Use the slider to select the minimum and maximum TLS versions that are supported. If you select a version that is not TLS 1.3, select one or both key exchange algorithms for the SSL connection.
- Certificate Validation (group of fields):
  - Verify with OCSP: Select to use the Online Certificate Status Protocol (OCSP) to verify a server certificate.
  - Block Unknown Certificates: Select to block SSL sessions whose certificate status is unknown.
  - Response timeout (seconds) for an OCSP request: Enter how long, in seconds, to wait before an OCSP request times out.
    Default: 5 seconds
    Range: 1 to 255 seconds
- Server Certificate Actions (group of fields):
  - When the certificate expires, do the following: Select a predefined or user-defined (if any) action to take when the certificate expires. The predefined actions are:
    - Alert
    - Allow
    - Drop Packet
    - Drop Session
    - Reject
  - When the certificate is received from an untrusted issuer, do the following: Select an action to take when a certificate is received from an untrusted issuer. The predefined actions are:
    - Alert
    - Allow
    - Drop Packet
    - Drop Session
    - Reject
  - Restrict Certificate Extension: Click to choose whether to restrict the certificate key usage extensions to either digital signature or key encipherment.
- SSL or TLS Protocol Checks (group of fields):
  - When the negotiated SSL or TLS protocol between the client and server uses an unsupported key length, do the following: Select a predefined or user-defined action to take when SSL or TLS between the client and server uses an unsupported key length. The predefined actions are:
    - Alert
    - Allow
    - Drop Packet
    - Drop Session
    - Reject
  - Minimum Supported RSA Key Length: Enter the minimum supported RSA key length, in bits.
    Default: 1024 bits
    Range: 512 bits or longer
  - When the negotiated SSL or TLS protocol between the client and server uses an unsupported cipher, do the following: Select a predefined or user-defined action to take when SSL or TLS between the client and server uses an unsupported cipher. The predefined actions are:
    - Alert
    - Allow
    - Drop Packet
    - Drop Session
    - Reject
  - When the negotiated SSL or TLS protocol between the client and server uses an unsupported protocol version, do the following: Select a predefined or user-defined action to take when SSL or TLS between the client and server uses an unsupported protocol version. The predefined actions are:
    - Alert
    - Allow
    - Drop Packet
    - Drop Session
    - Reject
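Added example (not Versa or Concerto code): a small Python model of how the inspection checks above combine into a single verdict, using the page's predefined actions. The attribute names, the severity ordering of the actions, the assumed block action for OCSP failures, and the sample handshakes are assumptions of this example.

```python
from dataclasses import dataclass, field

# Predefined profile actions ordered from least to most severe. The ordering is
# an assumption of this example; user-defined actions are ranked like Alert.
SEVERITY = {"Allow": 0, "Alert": 1, "Drop Packet": 2, "Drop Session": 3, "Reject": 4}
TLS_ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

@dataclass
class InspectionProfile:
    """Mirrors the Inspection Options fields described above (attribute names assumed)."""
    min_tls: str = "TLS1.2"
    max_tls: str = "TLS1.3"
    min_rsa_bits: int = 1024                  # page default for the RSA key length
    allowed_ciphers: set = field(default_factory=set)   # empty set: no cipher check
    block_unknown_cert: bool = True           # "Block Unknown Certificates"
    on_expired: str = "Drop Session"
    on_untrusted_issuer: str = "Drop Session"
    on_key_length: str = "Reject"
    on_cipher: str = "Reject"
    on_version: str = "Reject"

@dataclass
class Handshake:
    """Summary of one observed server handshake (constructed for this example)."""
    version: str
    cipher: str
    rsa_bits: int
    not_after: str          # certificate expiry as an ISO date, e.g. "2025-01-01"
    issuer_trusted: bool
    ocsp_status: str        # "good", "revoked" or "unknown"

def evaluate(p, h, today):
    """Return (verdict, triggered): the most severe action and each check that fired."""
    triggered = {}
    if h.not_after <= today:                       # ISO dates compare lexically
        triggered["certificate expired"] = p.on_expired
    if not h.issuer_trusted:
        triggered["untrusted issuer"] = p.on_untrusted_issuer
    # OCSP: revoked is always blocked; unknown is blocked only when the profile
    # sets Block Unknown Certificates (the block action itself is assumed here).
    if h.ocsp_status == "revoked" or (h.ocsp_status == "unknown" and p.block_unknown_cert):
        triggered["OCSP status " + h.ocsp_status] = "Drop Session"
    if h.rsa_bits < p.min_rsa_bits:
        triggered["unsupported key length"] = p.on_key_length
    if p.allowed_ciphers and h.cipher not in p.allowed_ciphers:
        triggered["unsupported cipher"] = p.on_cipher
    lo, hi = TLS_ORDER.index(p.min_tls), TLS_ORDER.index(p.max_tls)
    if h.version not in TLS_ORDER or not lo <= TLS_ORDER.index(h.version) <= hi:
        triggered["unsupported protocol version"] = p.on_version
    verdict = max(triggered.values(), key=lambda a: SEVERITY.get(a, 1), default="Allow")
    return verdict, triggered

# Constructed samples: a compliant session and one that trips every check.
PROFILE = InspectionProfile(allowed_ciphers={"TLS_AES_128_GCM_SHA256"})
GOOD = Handshake("TLS1.3", "TLS_AES_128_GCM_SHA256", 2048, "2025-01-01", True, "good")
WEAK = Handshake("TLS1.0", "RC4-SHA", 512, "2023-01-01", False, "unknown")
```

Running evaluate(PROFILE, WEAK, "2024-06-01") returns a Reject verdict with all six checks listed, which is the kind of per-check breakdown worth logging when a profile drops a session.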
- Click Next. If you selected Decryption Profile as the profile type, the Step 4, Decryption Options screen displays. Enter information for the following fields.
If you selected Inspection Profile as the profile type, the Decryption Options screen is not visible. Continue to Step 9.
Field: Description
- Transport Layer Security (TLS) Version Support (group of fields):
  - Minimum and maximum version of TLS that is supported: Use the slider to select the minimum and maximum TLS versions that are supported. If you select a version that is not TLS 1.3, select one or both key exchange algorithms for the SSL connection.
  - Key Exchange Algorithms: If you selected a version that is not TLS 1.3, select one or both key exchange algorithms:
    - ECDHE—Elliptic-Curve Diffie-Hellman Key Exchange
    - RSA—Rivest-Shamir-Adleman algorithm
- Advanced: Click to configure algorithms and TLS cipher suites.
- Algorithms: Select which encryption and authentication algorithms to use. The encryption algorithms that you choose determine which authentication algorithms are available.
- TLS Cipher Suites: Displays the TLS cipher suites selected based on the chosen algorithms.
- Click Next to go to the Permissions screen.
- You can change the permissions for the roles listed, or you can click Next to go to the Review & Submit screen.
- To change any of the information, click the Edit icon in the section and then make the required changes.
- Click Save to save the new TLS decryption profile.
After you create a TLS decryption profile, you can attach it to a TLS policy rule. See Step 3 in Configure SD-WAN TLS Decryption Policies.
Attach TLS Decryption Profiles and Policies to a Basic Master Profile
To attach TLS decryption profiles and policies to a basic master profile:
- Go to Profiles > Master Profiles > Basic.
The screen displays the configured basic master profiles.
- Click the master profile to which you will add the TLS decryption policy or rule. The Edit Master Profile screen displays.
- Click Profile > Security in the menu bar. The following screen displays.
- To attach a TLS decryption policy to the basic master profile, select the Policies tab and then click +Policy. The following pop-up window displays.
- Click the down arrow and select TLS Decryption Policy, then click Choose Existing. The Choose Policies screen displays.
- Select a TLS decryption policy from the list (aqw.v1 in the example above), then click Add.
- To attach a TLS decryption profile to the basic master profile, select the Profile tab in the Edit Master Profile > Profiles > Security screen.
- Click +Policy. The following pop-up window displays.
- Click the down arrow and select TLS Decryption Profile, then click Choose Existing. The Choose Policies screen displays.
- Select the new TLS decryption profile from the list (ins.v1 in the example above), then click Add.
Attach TLS Decryption Profiles and Policies to a Standard Master Profile
To attach TLS decryption profiles and policies to a standard master profile:
- Go to Profiles > Master Profiles > Standard.
The screen displays the configured standard master profiles. Note that you can have only one instance of each profile type for each standard master profile. If a standard master profile already has a security profile attached to it, you cannot add another security profile. You can, however, create a new standard master profile and attach a TLS decryption profile to it.
- Click the standard master profile to which you will add the security TLS decryption policy or rule. The Edit Master Profile screen displays.
- Click Sub Profiles in the menu bar. The following screen displays.
- Click +Profile. The following pop-up window displays.
- Click the down arrow and select Security, then click Choose Existing. The Choose SubProfiles screen displays.
- Select the new TLS decryption profile under Security (TLSProf.v1 in the example above), then click Add.
Supported Software Information
Releases 12.1.1 and later support all content described in this article.