Skip to main content
Versa Networks

Configure Security

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

This article describes how you can configure firewall policies, secure traffic flow based on URL, set antivirus strength, tune the intrusion prevention system (IPS), and TLS decryption from the Security tab. You can customize security settings before or after you activate the device. TLS decryption is supported only when you enable advanced security settings. That is, you must enable firewall, security profile, antivirus, and intrusion prevention system to configure TLS decryption.

Configure Security Settings

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.

    security-home.png
     
  5. Click Security Policy to open the Security settings screen.

    security-policy-file-filter1.png

You customize the following settings on the Configure > Security screen:

  • Firewall Policies—Set firewall rules
  • Security Profile Definition—Categorize URLs, configure reputation, antivirus, and intrusion prevention

Manage Firewall Policies

The Titan portal is preconfigured with default firewall rules. You cannot modify the default rules, but you can add new rules. When you create a rule for port-forwarding and IPsec route-based profiles, by default, Titan Portal creates a security rule that allows NAT and IPsec traffic, and the rule is displayed in the security rule list. For port forwarding, the security rule has a name in the format port_forwarding_rule_name_frd, and for an IPsec profile, the rule name is the same as the IPsec route-based profile name. You cannot edit or delete a system-generated default rule for port forwarding or for an IPsec profile. However, you can disable or reorder a default rule to change its priority.

To configure firewall settings:

  1. In the Firewall Policies section, click Firewall Rules to open the Configuration > Security > Firewall Rules screen.

    security-policy-firewall-rules.png

    Each rule displays a numbered circle indicating its position in the rule set. The circle color indicates whether a rule denies (red) or allows (green) traffic, or whether it applies one of the profiles listed in the Security Profile Definition section (purple). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  2. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
  3. If needed, click + Rule to add a firewall rule.

    security-policy-firewall-rules-add.png
     
  4. Enter information for the following fields.
     
    Field Description
    Rule Name Enter a name for the rule, and then slide the toggle to enable the rule.
    Description Enter a text description for the rule. It can be a maximum of 63 characters.
    Match Criteria

    Select the Protocol, Address, Hostname, Application, URL, DSCP, or User and Group tab to add information about that criteria type. For more information, see Apply Match Criteria for Firewall Rules, below.
    Scope (Group of Fields)  
    • Source Zone

    Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels. Choose a source zone, and then click Continue. To create a tunnel, see Configure IPsec VPN Settings.

    security-policy-firewall-rules-source-zone.png
    • Arrow

    Choose the type of connection:

    • Portal_one_way_arrow.png One-way
    • Portal_two_way_arrow.png Two-way
    • Destination Zone

    Click the down arrow in the Please Select field. A popup window displays the configured interfaces and tunnels. Choose a destination zone, and then click Continue. To create a tunnel, see Configure IPsec VPN Settings.

    security-policy-firewall-rules-destination-zone.png
    Action

    Choose the Deny, Allow, or Apply Security Profile action. When you click Apply Security Profile, a popup window displays.

    firewall-rules-action-secuirty-profile.png

    Choose a level of security for each of the following:

    • URLs
    • Antivirus
    • IPS
    • IP Filter
    • File Filter

    The security level can be Low, Standard, or Advanced. For IP filter and file filter, IP filter and file filter profiles.
    Logging

    Configure log settings:

    • None—Click to perform no logging.
    • Default—Click to use default logging.
    • Custom—Click to configure logging to a customer log server. Based on the rule match, the device may sent a large number of log messages.
       

      security-policy-firewall-rules-logging-custom.png

      • Please Select—If you select Custom, click the down arrow to select a log profile.

      • Event—Select an option to log the data.

        • Start—Log data at the start of each session.

        • End—Log data at the end of each session.

        • Both—Log data at the start and end of each session.

        • Never—Never log data.

    To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  5. Click Add to save the changes. The new rule appears on the Firewall Rules screen.
  6. Click Publish to save all firewall policies.

Click X in the icon to remove a rule, then click Publish.

Click the following on the Security > Firewall Rules: New Rules screen to view default firewall rules:

  • Allow_From_SDWAN
  • Allow_To_SDWAN
  • Default_Security_Rule
  • Default_security_wifi (if the device supports WiFi)

Note that you cannot edit a default rule.

security-policy-firewall-rules-default-rule.png

The following video describes how to manage next-generation firewall policies.

Create a Firewall Rule for SASE Gateway

To create a firewall rule for Secure Access Service Edge (SASE) gateway:

  1. In the Firewall Policies section, click Firewall Rules to open the Configuration > Security > Firewall Rules screen.

    security-policy-firewall-rules.png

    Each rule displays a numbered circle indicating its position in the rule set. The color of the circle indicates whether a rule denies traffic (red), allows traffic (green), or whether a rule applies one of the profiles listed in the Security Profile Definition section (purple). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  2. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
  3. Click +Rule to add a new firewall rule, and then enter information for the following fields.

    security-policy-firewall-rules-sase-add.png
     
    Field Description
    Rule Name Enter a name for the rule, and then slide the toggle to enable the rule.
    Description Enter a text description for the rule. It can be a maximum of 63 characters.
    Match Criteria Click Protocol, Address, Hostname, Application, URL, DSCP, or User and Group to add details for that criteria type. For more information, see Apply Match Criteria for Firewall Rules, below.
     

    Click the down arrow in the Please Select list to select the protocol.

     

    security-policy-firewall-rules-add-protocol.png
    Scope (Group of Fields)  
    • Source Zone

    Click the down arrow in the Please Select list. A popup window displays the zones that classify the traffic flows coming to the gateway from various sources.

    Select a source zone, and then click Continue.

    security-policy-firewall-rules-source-zone-sase.png

    • Host—Click to match the traffic that originates from device itself (that is, non-transient traffic).
    • Remote Client—Click to use as the ingress zone for the traffic coming from VSA clients.
    • SD-WAN—Click for traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Trust (LAN)—Click to use LAN interfaces that are controlled by enterprises.
    • Untrust (Internet)—Click to use for internet-facing WAN interfaces.
    • Arrow

    Choose a Portal_one_way_arrow.png one-way or Portal_two_way_arrow.png two-way connection.
    • Destination Zone

    Click the down arrow in the Please Select list. A popup window displays the zones that classify the traffic flows coming to the gateway from various sources.

    Select a destination zone, and then click Continue.
     

    security-policy-firewall-rules-destination-zone-sase.png

    • Host—Click to match the traffic that originates from device itself (that is, non-transient traffic).
    • Remote Client—Click to use as the egress zone for the traffic coming from VSA clients.
    • SD-WAN—Click for traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Trust (LAN)—Click to use LAN interfaces that are controlled by enterprises.
    • Untrust (Internet)—Click to use for internet-facing WAN interfaces.
    Action

    Choose Deny, Allow, or Apply Security Profile.

    When you click Apply Security Profile, a popup window displays.

    firewall-rules-action-secuirty-profile.png

    Choose a level of security for each of the following:

    • URLs
    • Antivirus
    • IPS
    • IP Filter
    • File Filter

    The security level can be Low, Standard, or Advanced. For IP filter and file filter, IP filter and file filter profiles.
    Logging

    Click to configure logging:

    • None—Click to perform no logging.
    • Default—Click to use default logging.
    • Custom—Click to configure logging to a customer log server. Based on the rule match, the device may sent a large number of log messages.

      security-policy-firewall-rules-logging-custom.png
      • Please Select—If you select Custom, click the down arrow to select a log profile.
      • Event—Select an option to log the data.

        • Start—Log data at the start of each session.

        • End—Log data at the end of each session.

        • Both—Log data at the start and end of each session.

        • Never—Never log data.

    To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  4. Click Add to save the changes. The new rule appears in the Firewall Rules screen.
  5. Click Publish to save all firewall policies.

Click X in the icon to remove a rule, and then click Publish.

Default Firewall Rules for SASE Gateways

Titan Portal is preconfigured with default firewall rules for SASE gateways. You cannot edit or delete a system-generated default rule. However, you can disable a default rule and reorder a default rule to change its priority. You can also add a new rule.

When you upgrade a SASE gateway license, new default rules are not created, and the default rules present in the previous version are not deleted.

If you use Easy Quick Picks with the SASE gateway default security rule, the default security rules are lost.

The following are system-generated default firewall rule for SASE gateway, which you view by clicking Security > Security Policy > Firewall Rules:

  • Allow From Hostbound On LAN
  • Allow From SD-WAN
  • Allow To SD-WAN
  • Allow VSA Authentication
  • Default Security Rule
  • Default Security WiFi (for devices that support WiFi)
  • Deny Remote Users To SD-WAN
  • Remote User To Internet Block
  • SWG (secure web gateway) Rule
  • VSA (Versa secure access) Rule
  • VSA SWG Rule

For provider organizations, Titan Portal creates the default firewall rule Allow VSA Authentication to allow captive portal traffic.

security-policy-firewall-rules-sase-default-rules.png

For a tenant user, the following default firewall rules are provided depending on the license type:

License Type Default Rule Name Description

SWG Essential

 Deny Remote Users To SD-WAN Block remote client from accessing an SD-WAN.
SWG Rule

Allow remote client and SD-WAN to access untrusted internet sites.
SWG Professional Deny Remote Users To SD-WAN

Block remote client from accessing SD-WAN traffic.
SWG Rule Allow remote client and SD-WAN to access untrusted internet sites.
VSA Essential Allow From Hostbound On LAN Allow LDAP traffic to access an SD-WAN. This rule is created if you purchase VSA with Active Directory as the authentication method.
Remote User To Internet Block

Block remote client from accessing the internet.
VSA Rule

Allow remote client to access SD-WAN traffic.
VSA Professional Allow From Hostbound On LAN Allow LDAP traffic to an SD-WAN. This rule is created if you purchase VSA with Active Directory as the authentication method.
VSA Rule

Allow remote client to access an SD-WAN and untrusted traffic.
SWG and VSA Essential Allow From Hostbound On LAN

Allow LDAP traffic to access an SD-WAN. This rule is created if you purchase VSA with Active Directory as the authentication method.
VSA SWG Rule Allow remote client and SD-WAN traffic to access an SD-WAN and untrusted traffic.
SWG and VSA Professional

Allow From Hostbound On LAN

 

Allow LDAP traffic to access an SD-WAN. This rule is created if you purchase VSA with Active Directory as the authentication method.
VSA SWG Rule Allow remote client and SD-WAN traffic to access SD-WAN and untrusted traffic.

Apply Match Criteria for Firewall Rules

You can apply the following match criteria types in a security rule:

  • Address
  • Application
  • DSCP
  • Hostname
  • Protocol
  • URL
  • User and Group

security-policy-firewall-rules-match-criteria.png

To specify the match criteria for a security rule:

  1. To specify protocol criteria for a security rule:
    1. Select the Protocol tab to display the protocol window.

      security-policy-firewall-rules-match-criteria-protocol.png
    2. In the Please Select field, select a protocol. Titan Portal automatically populates the next field with common port numbers.
    3. If needed, click the port number field and edit the port number range.
  2. To specify address criteria for a security rule:
    1. Select the Address tab to display the address window.

      security-policy-firewall-rules-match-criteria-address.png
    2. Click the toggle switch to enter the source or destination IP address. Then click Source.

      security-policy-firewall-rules-match-criteria-address1.png
    3. Enter a source IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_source.png
    4. Click Continue
    5. Enter a destination IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_destination.png
    6. Click Continue
  3. To specify hostname criteria for a security rule:
    1. Select the Hostname tab to display the Hostname window.

      security-policy-firewall-rules-match-criteria-hostname.png
    2. Click the toggle switch to enter the source or destination hostname. Then click Source.

      security-policy-firewall-rules-match-criteria-hostname1.png
    3. Enter a source hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_source.png
    4. Click Continue
    5. Enter a destination hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_destination.png
    6. Click Continue.
  4. To specify application and application groups criteria for a security rule:
    1. Select the Application tab, and then click Click Here To Add or Modify Applications.

      security-policy-firewall-rules-match-criteria-application.png
    2. The Firewall Rules > Add Application popup window displays. Select the Applications tab, then select the application to include in the match list, or type the name of the application in the search box and then select it from the search results. Then, click Add.

      match-criteria-add-application-tab.png
      • Click + Custom Applications to create a new custom application object. For more information, see Add Custom Applications.
    3. Select the Application Groups tab, and then select predefined application groups to include in the match list, or type the name of the application group in the search box and then select it from the search results. Then, click Add.

      match-criteria-add-application-group-tab.png
  5. To specify URL criteria for a security rule:
    1. Select the URL tab to display the URL window.

      security-policy-firewall-rules-match-criteria-url.png
    2. In the URL Category section, click Click Here To Add or Modify URLs to select URL categories.

      authentication-rule-add-match-criteria-url1.png
      • To add a new custom URL category object, click the custom-url-category-icon.png icon. For more information, see Add Custom URL Categories.
      • Click the lookup-url-icon.png icon to enter a URL and to look up the mappings to predefined and custom URL reputations and categories. For more information, see Configure Look Up URL Settings.
    3. Click Add.
    4. In the URL Reputation section, click Click Here To Add or Modify to select URL reputations.

      portal_security_add_firewall_rules_match_criteria_url_reputation.png
    5. Click Continue. In the Customize option, modify the URL reputation.
  6. To specify DSCP criteria for a security rule, select the DSCP tab and then enter a DSCP value. DSCP allows you to classify and manage network traffic and to provide quality of service (QoS) in Layer 3 networks. It uses the 6-bit differentiated services code point (DSCP) field in the IP header to classify packets.

    security-policy-firewall-rules-match-criteria-dscp.png
     
  7. By default, security enforcement is applied to all users and user groups. To change these settings, select the User and Group tab and do the following:

    security-policy-firewall-rules-match-criteria-user-group.png
    1. Select a user to bind with the security policy:
      • Any
      • Known
      • Selected
      • Unknown
    2. To select specific user and group, click Selected and do the following:
      1. Select an LDAP user group profile in the Select LDAP list.
      2. Use the search box to search for the user and group, or click the checkbox next to the user and group name.

        select-user-group-profile.png
    3. Click Add.

To edit or delete a rule:

  1. In the Security > Rules tab, click a rule name to edit a rule.
  2. In the Security > Rules tab, click the X to delete a rule.
  3. Click Save to save the changes to the Titan cloud.

Configure Look Up URL Settings

  1. In the Configuration > Security Policy > Firewall Rules > Add Rules screen, select the URL tab in the Match Criteria section.
  2. In the URL Category section, click Click Here To Add or Modify URLs to select URL categories, and then click Look Up URL.

    lookup-url.png
  3. In the Look Up URL search bar, enter a URL to look up the mappings to predefined or custom URL reputation and category. For example, enter www.google.com. The Look Up URL Result section displays information about the URL, including its category and reputation.

    lookup-url1.png
  4. Click Clear to clear the look up URL result.
  5. Click Back to return to the Add Rules screen.

Manage Security Profile Definitions

Security profile definitions contain three components:

  • Antivirus settings
  • Intrusion Prevention System (IPS) settings
  • URL settings, including a deny URL and allow URL

You can manage individual components from the Security screen. You can enable or disable all components with one click from the Inventory menu. See Manage Device License Inventory.

To manage the security profile components:

  1. From the Configuration > Security tab, click the Security Policy to open the Security settings screen.

    security-policy-file-filter1.png
     
  2. Slide the toggle to turn individual security components on or off.

Configure a URL Deny List

Add websites to be blocked on the network so that users cannot access the sites. Add multiple websites by separating them with a comma.

To add URLs to a deny list:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. In the Security Profile Definition section, click Deny URLs to open the Configuration > Security > Deny URLs screen.

    portal_security_config_security_blacklist.png
     
  6. Enter a single URL or enter multiple URLs separated by a comma.
  7. Click + Add URL to add URLs to the Deny URL list.
  8. Click Publish to save the settings.

To delete URLs from the list, click the X next to the URL.

Configure a URL Accept List

Add websites allowed on the network, even if blocked by other settings. Add multiple websites by separating them with a comma.

To add URLs to the accept list:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
    1. In the Security Profile Definition section, click Allow URLs to open the Configuration > Security > Allow URLs screen.

      portal_security_config_security_whitelist.png
       
  5. Enter a single URL or enter multiple URLs separated by a comma.
  6. Click + Add URL to add URLs to the Allow URLs list.
  7. Click Publish to save the settings.

To delete URLs from the list, click the X next to the URL.

Configure URL Categories

To set a category filter for types of URLs to allow or block:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click a Category level to open the configuration screen for that level:
    • Low
    • Standard
    • Advanced

      portal_security_config_security_category-low.png
      • To add a new custom URL category object, click the custom-url-category-icon.png icon. For more information, see Add Custom URL Categories.
      • Click the lookup-url-icon.png icon to enter a URL and to look up the mappings to predefined and custom URL reputations and categories. For more information, see Configure Look Up URL Settings.
  6. Click to select the categories to Block or Alert & Confirm.
  7. Click Publish to save the settings.

Configure IP Reputation Filtering

To set a reputation filter for types of URLs to allow or block:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click a Reputation level to open the configuration screen for that level:
    • Low
    • Standard
    • Advanced

      Portal_Security_10_URLfiltering_Reputation.png
      • Click the lookup-url-icon.png icon to enter a URL and to look up the mappings to predefined and custom URL reputations and categories. For more information, see Configure Look Up URL Settings.
  6. Click to select the reputation level.
     
    Field Description

    Red

    		 Blocked
    Amber Ask
    Blue Allowed
    High-Risk IP Addresses

    IP addresses with a higher than average predictive risk for delivering attacks to infrastructure or endpoints.

    Range: 1 through 20

    Suspicious IP Addresses

    		 IP addresses with a higher than average predictive risk for delivering attacks to infrastructure or endpoints.
    Range: 21 through 40
    Moderate Risk Generally benign IP addresses that have exhibited some potential risk characteristics. There is some predictive risk that these IP addresses may deliver attacks to infrastructure or endpoints.
    Range: 41 through 60
    Low Risk Benign IP addresses that rarely exhibit some characteristics that may expose infrastructure and endpoints to security risks. There is a low predictive risk of attack.
    Range: 61 through 80
    Trustworthy Clean IP addresses that have not been tied to a security risk. There is a low predictive risk that infrastructure and endpoints may be exposed to attack.
    Range: 81 through 100
  7. Click Publish to save the settings.

Configure Antivirus Protection

To choose where to apply antivirus protection:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click an Antivirus level to complete the configuration:
    • Low—Web Traffic
    • Standard—Email Attachment
    • Advanced—Web and Email Attachment
  6. Click Publish to save the settings.

Configure Intrusion Prevention System

To configure IPS:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab.
  5. Click to choose an Intrusion Detection Protection level to open the configuration screen for that level:
    • Low
    • Standard
    • Advanced

      Portal_Security_11_Intrusionprevention_config.png
       
  6. Enter information for the following fields.
     
    Field Description
    Choose Intrusion Detection Prevention Level

    Click the toggle to set attack detection level. The following values are the default settings for the selected Intrusion Detection Protection level:

    • Low—Client Protection. Loads all client-side attack detection.
    • Standard—Standard Recommended Profile. Recommended profile for adequate security and performance.
    • Advanced—All attack rules. Loads all attack signatures.
    All Anomaly Rules Load all the anomaly signatures.
    All Attack Rules Load all attack signatures. This is the default protection in the Advanced setting.
    Client Protection This profile loads all client-side attack detection.
    Database Profile Load the Oracle database server vulnerability signatures.
    ICS Profile Load the Industrial Control System (ICS) vulnerability signatures.
    Linux OS Profile Detect all attacks related to Linux OS.
    MAC OS Profile Detect all attacks related to MAC OS.
    Malware Profile Detect all antivirus attacks.
    Server Protection Detect server-side attacks.
    Standard Recommended Profile This profile is the one recommended by Versa for adequate security and performance.
    Windows OS Profile Detect attacks specific to Windows OS.
  7. Click Publish to save the settings.

Configure Geolocation IP Filtering

​Traffic passing through the network may have IP addresses that are associated with a bad reputation and that may cause security risk to your network. To block IP addresses based on IP address reputation and IP address metadata such as geolocation, you can configure IP address–filtering profiles and then associate them with security rules under apply security profile. Versa Networks provides a list of predefined regions that you can use to create IP-filtering profiles based on geolocation.

After a user creates geolocation IP-filtering profiles, you can associate the profile with any security firewall rule.

You can match the IP address based on the following match criteria:

  • Destination IP address
  • Source IP address
  • Source and destination IP address
  • Source or destination IP address

When a session's IP address matches the conditions in an IP-filtering profile, you can enforce the following actions:

  • Allow
  • Alert
  • Drop packet
  • Drop session
  • Reject

To configure a geolocation IP filter:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab and then click Security Policy.
  5. In the Security Profile Definition section, click Geo IP Filter to open the Configuration > Security > Security Policy > Geo IP Filter screen.

    geo-ip-filter.png

    To display the action color code, click the geo-ip-color-code-icon.png action color code icon.

    geo-ip-filter-action-colour.png
     
  6. Click +Profiles to add a new geolocation IP filter profile, and then enter information for the following fields.

    geo-ip-filter-add-profile.png
     
    Field Description
    Profile Name (Required) Enter a name for the geolocation IP-filtering profile.
    Profile Action

    Select an action for geolocation reputation-based IP filtering.

    • Alert —Allow the IP address, and generate an entry in the IP-filtering log.
    • Allow —Allow the IP address, and do not generate an entry in the IP-filtering log.
    • Drop packet —The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session —The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject —Send an ICMP unreachable message back to the client and resets the connection to the server.
    Prioritize URL Reputation Click to prioritize the URL reputation over the IP reputation. When you select this option, instead of blocking the traffic in IP filtering based on reputation, traffic is further evaluated with URL filtering. The URL reputation correlates with an actual website. When you configure an IP-filtering profile that blocks traffic based on IP reputation, some legitimate websites may be blocked. When the URL reputation meets the threshold you select in the Allow URL Reputation field, prioritizing the URL reputation overrides the IP Reputation Action.
    • Allow URL Reputation (Required)

    When you use Prioritize URL Reputation, select the priority to assign to the URL reputation when traffic is evaluated:

    • High risk (Priority 4)
    • Moderate risk (Priority 3)
    • Low risk (Priority 2)
    • Suspicious (Priority 1)
    • Trustworthy (Priority 0)—Ignore a website that is labeled as one with a bad reputation, or ignore an HTTP/SSL URL reputation check that indicates a bad IP reputation.
    Geo IP Based Action (Group of Fields)  
    • Geo IP Based Action Rule

    Click the add-icon.png icon to add actions for geographical reputation-based IP filtering. You can add multiple action rules.

     

    geo-ip-filter-add-profile-file-action-rule.png
    • Name (Required)
    		 Enter a name for the geo IP-based action rule.
    • Regions (Required)

    Select the Geo IP-filtering region and then click Continue.

     

    geo-ip-filter-add-profile-file-action-rule-region.png
    • Match Type

    Select the match criteria for the IP address:

    • Match only source IP address
    • Match only destination IP address
    • Match source and destination IP address
    • Match source or destination IP address
    • Action

    Select an action for file-based action rule and click Add.

    • Alert —Allow the IP address, and generate an entry in the IP-filtering log.
    • Allow —Allow the IP address, and do not generate an entry in the IP-filtering log.
    • Drop packet —The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session —The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject —Send an ICMP unreachable message back to the client and resets the connection to the server.
  7. Click Add.

Configure File Filtering

You can use file filtering to reduce the risk of attacks from virus and vulnerabilities that are associated with various types of files, thus decreasing an attacker's ability to attack your organization by sending unwanted or malicious files. File filtering is performed based on the file type and the hash of the file.

You can configure file filtering to block the transfer of potentially dangerous files and types of files (that is, files associated with specific applications), files of specific sizes, files associated with specific protocols, and files being sent in a particular direction. You can configure file filtering to perform reputation-based file hash lookups on a cloud server.

The file-filtering process is performed in the following sequence:

  1. Scan the early bytes of an incoming file, and identify the file type.
  2. Search the configured rules to check whether the file type, file size, protocol, and direction match one of the rules.
    1. If a match occurs, take the appropriate rule action.
    2. If no match occurs, perform a cloud lookup.
  3. Perform a cloud lookup, sending the hash of the file, to check the file's reputation.
  4. If the hash of the file is found, take the configure action. A hash can indicate that the file is clean, malicious, or suspicious.
  5. If the file matches none of these, take the default action defined in the file-filtering profile.

To configure file filtering:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb, and then click Configure to open the site information window.
  3. Click Next to open the Configuration > Network screen.
  4. Click the Security tab and then click Security Policy.
  5. In the Security Profile Definition section, click File Filters to open the Configuration > Security > Security Policy > File Filter ;screen.

    security-policy-file-filter.png
    To display the action color code, click the geo-ip-color-code-icon.png action color code icon.

    security-policy-file-filter-color-code.png
  6. Click +Profiles to add a new file-filtering profile, and then enter information for the following fields.

    security-policy-file-filter-add.png
     
    Field Description
    Profile Name (Required) Enter a name for the file-filtering profile.
    Description Enter a text description for the file-filtering profile.
    Protocol (Required)

    Select one or more protocols to filter the files:

    • FTP
    • HTTP
    • IMAP
    • MAPI
    • POP3
    • SMTP
    Default Action

    Select the default action to take on a file that enters the network. The default action is taken when a file matches no entries in a deny list, an allow list, or a cloud lookup.

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass and log the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    Logging

    Click to configure logging:

    • None—Click to perform no logging.
    • Default—Click to use the default logging.
    • Custom—Click to configure logging to a customer log server. Based on the rule match, the device sends many log messages.

      security-policy-file-filter-logging.png
    • Please Select—If you select Custom, click the down arrow to select a log profile. To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  7. Select the File-Based Action tab to configure file-filtering rules for file properties, such as file type, file size, protocol, and direction.

    security-policy-file-filter-file-based-action-tab.png
  8. Click the add-icon.png Add icon. In the Add File-Based Actions popup window, and then enter information for the following fields.

    security-policy-file-filter-file-based-action-add.png
     
    Field Description
    Name (Required) Enter a name for the file action.
    Description Enter a text description for the file action.
    File Size

    Enter a file size, in bytes. The file filter is applied to any file larger than this size.

    Range: 0 through 4294967295 bytes

    Default: None
    File Type (Required)

    Click the Selected link to add the file type for which to apply the file filter. In the Selected File Type popup window, select the file types, and then click Continue. You can select multiple file types.
     

    security-policy-file-filter-file-based-action-file-type.png
    Protocol (Required)

    Click the Selected link to add the protocols to associate with the file transfer. In the Selected Protocol popup window, select the protocol, and then click Continue. You can select multiple protocols.
     

    security-policy-file-filter-file-based-action-protocol.png
    Direction (Required)

    Select the direction in which to apply the file filter:

    • Download
    • Upload
    • Both
    Action

    Select the default action to take on a file:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
  9. Select the Reputation-Based Action tab to configure file-filtering rules for cloud-based hash lookups, and enter information for the following fields.

    security-policy-file-filter-reputation-based-action-tab.png
     
    Field Description
    Cloud Lookup Click to enable cloud lookup of a file for its reputation and select a file filter cloud profile. To add a new file filter cloud profile, see step 9a.
    Enable Logging Click to store logs.
    Action

    Select the default action to take on a file:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    1. To add a new file filter cloud profile, click + File Filter Cloud Profile and enter information for the following fields.

      file-filter-cloud-profile1.png
       
      Field Description
      Name (Required) Enter a name for the cloud profile.
      Description Enter a text description for the cloud profile.
      Source NAT List (Required)

      Select the SNAT pool to configure cloud lookup for file filtering. The SNAT pool is linked to a routing instance that connects to the cloud server.

      To create an SNAT pool profile, click snat-pool-icon.png and enter information for the following fields.
       

      create-snat-pool.png

      • Name (Required)—Enter a name for the SNAT pool.
      • Egress Network (Required)—Select an egress network to associate with the SNAT pool.

       

      Click Add, and then click Continue.
      Connection Pool (Required)

      Enter the number of simultaneous connections to the SSL cloud server.

      Range: 1 to 100000

      Default: None
      Timeout

      Enter the maximum timeout period to wait for a response from the SSL cloud server, in seconds.

      Range: 1 through 4294967295 seconds

      Default: 120 seconds
      Activation Click the toggle to activate the cloud lookup profile.
    2. Click Add. The cloud profile displays in the list.
  10. Click Add.

The following video describes how to manage security profile definitions.

Configure TLS Decryption

Transport Layer Security (TLS) decryption enforces security policies on encrypted traffic to prevent malicious content from entering the network and to protect sensitive data disguised as encrypted traffic from leaving the network. TLS decryption is supported only when you enable advanced firewall security settings and the professional license type. That is, you must enable a firewall, security profile, antivirus, and IPS to configure TLS decryption. This feature is available only when the device is activated and running.

The following table describes information about TLS certificate management.

Certificate Management MSP Provider Organization MSP Tenant Organization Branch or Hub Notes
System-generated TLS decryption certificate TLS decryption profile configured with default certificate. The certificate name and provider organization name are the same. TLS decryption profile configured with default certificate. The certificate name and tenant organization name are the same. TLS decryption profile configured with default certificate. The certificate name and tenant organization name are the same. System generates TLS decryption certificate with the organization name using Versa root certificate.
User-generated TLS decryption certificate User can upload their own certificate. User cannot upload their own certificate. User can upload their own certificate. Only device owner can upload their own certificate.

Prerequisites for TLS Decryption

Before you create a TLS decryption rule:

  • Create a profile for decryption. To decrypt the TLS traffic to inspect for malware, you upload the certificate and its associated private key. By default, Titan provides a unique Versa-generated certificate and associated private key for every organization that you can download and install on the customer's end devices to connect to gateways. Alternately, you can use your own private key and certificate. To upload or download a certificate, see Upload a Certificate.
  • For tenant organizations, you need to create a TLS decryption profile and rule. However, for provider organizations, default security rules are created and applied. You need to enable decryption and configure the URL category.
  • Create a firewall rule without source and destination zones. The default destination port must be 44991 and 8080. If you have configured any other ports as part of captive portal, then you have to configure those ports as the destination ports for TLS decryption.

Configure TLS Decryption Profile

To decrypt or inspect traffic properties, you create an SSL decryption profile and associate it with a decryption policy rule. The decryption profile is applied to traffic that matches the decryption rule.

You can use two types of SSL proxies with a TLS decryption profile:

  • SSL forward proxy—This is a transparent proxy that can decrypt and encrypt the SSL/TLS traffic between the client and the server. With a transparent proxy, neither the client nor the server knows about the proxy’s presence. Rather, the proxy acts as server towards the client and as a client towards the server.
    Whether to decrypt can be controlled through the decryption policy. When the client initiates an SSL/TLS handshake towards the server, the proxy applies the decryption policy to determine whether the traffic needs to be decrypted. If the policy action is to decrypt, the proxy uses the matching SSL profile to initiate the SSL handshake towards the server, and the policy inspects the server certificate and other SSL attributes from the SSL handshake stream. If the inspection is successful, the proxy completes the SSL handshake with server and generates a server certificate signed with the public key specified in the SSL proxy profile, and it resumes the SSL handshake towards the client. After the SSL handshake between the client and the proxy completes, the proxy is able to decrypt application traffic sent by the client, Once decrypted, the traffic can be examined by the other services in the firewall service chain before before it is encrypted and sent to the server.
  • SSL full proxy—This proxy works in two modes, explicit and transparent:
    • Explicit—Processes SSL/TLS traffic destined to a specific IP address and a specific port. On the client, you configure the proxy IP address and the port. The explicit SSL full proxy works as follows:
      • The client connects to the configured proxy IP address and port and sends an HTTP Connect request.
      • The SSL full proxy parses the HTTP Connect request and extracts the domain that the client wants to connect to. The proxy uses the domain and other Layer 3 and Layer 4 parameters to locate a decryption policy. If the proxy finds a decryption policy, it decrypts or bypasses the SSL connection based on the action in the policy. If there is no policy, decryption is bypassed.
      • The SSL full proxy responds with a 200 OK message. When the proxy receives a client Hello message, if the policy decision was to decrypt, the SSL proxy responds with server Hello message and the remainder of the handshake message between the client and the proxy is exchanged.
      • After the handshake completes, the client does a GET or a POST on the connection.
      • The proxy parses the HTTP request and extracts the domain name and port from the URL. The proxy then performs a DNS resolution of that domain and opens a connection towards the resolved IP address using the source IP address and port from the configured SNAT pool referenced in the HTTP proxy profile.
      • After the connection is successful, the proxy initiates the SSL handshake with the server and then forwards the HTTP request to the server.
      • All the other services in the service chain, such as PS/IDS and antivirus, examine the decrypted stream to look for any threats, and they may drop the packet based on the outcome of their examination.
    • Transparent—Processes SSL/TLS traffic destined to any IP address but to a specific port. The transparent process works the same was as the explicit process, except for the DNS resolution process. Because the destination IP address is the actual address of the server, the proxy skips DNS resolution, and DNS resolution is done on the client, and the client opens the connection to the server IP address. The proxy uses the SNAT pool configured in the HTTPS proxy profile to performs source NATing.

To configure TLS decryption profile:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Decryption.

    security-decryption.png
     
  4. Click the profile-icon.png icon in the Profiles section to create a profile for decryption.

    security-decryption-profile.png
     
  5. In the Decryption Add window, enter information for the following fields.

    security-decryption-profile-add.png
     
    Field Description
    Profile Name (Required)

    Enter a name for the decryption profile.
    SSL Type

    Select the decryption type to use with the profile:

    • SSL Forward Proxy
    • SSL Full Proxy—This proxy works in one of two modes, explicit or transparent.

      security-decryption-profile-add-ssl-full-proxy.png
      • Explicit—Click to process SSL/TLS traffic destined to a specific IP address and a specific port.
      • Transparent—Click to process SSL/TLS traffic destined to any IP address but to a specific port.
      • Match Rules—Displays the names of the configured match rules. To add a rule, click the add-rule-icon.png Add Rule icon to enter the following information in the Match Rule window.

        security-decryption-profile-add-ssl-full-proxy-match-rule.png
        • Rule Name (Required)—Enter a unique name for the rule.
        • Routing Instance—Click the Routing Instance link. In the Routing Instance popup window, select a routing instance to associate with the match rule.

          security-decryption-profile-add-ssl-full-proxy-match-rule-routing-instance.png
           
        • Destination Ports (Required)—Click the Ports link. In the Destination Ports popup window, enter the port number to explicitly or transparently decrypt traffic originating from that port.

          security-decryption-profile-add-ssl-full-proxy-match-rule-dest-port.png
           
        • Destination IP Prefix—For transparent decryption, click the Prefix link. In the Destination IP Prefix popup window, enter destination IP address prefix to match for connections.

          security-decryption-profile-add-ssl-full-proxy-match-rule-dest-prefix.png
        • Destination IP Address—For explicit decryption, click the Address link. In the Destination IP Address popup window, enter destination IP address to match for connections.
    Start TLS

    For SSL forward proxy decryption, select how to start the TLS connection:

    • IMAP
    • POP3
    • SMTP
    • User Extended Master Secret
    		 Click to use the TLS extended master secret extension, This option helps to prevent man-in-the-middle attacks.
    CA Certificate

    Click to upload a certificate and its associated private key. In the Certificate List popup window, select the certificate and then click Continue.
     

    configure-tls-decryption-add-profile-certificate.png

    If you need to upload your own certificate, you can add the key and then add the certificate for the provider organization. You cannot upload your own certificate for tenant organizations.
    TLS Inspection  
    • Restrict Certificate Extension
    		 Click to restrict certificate extensions.
    Certificate Checks (Group of Fields)  
    • Expired Certificate

    Select the action to take when the server certificate expires:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject session—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Untrusted Issuer

    Select the action to imply when the certificate is from an untrusted issuer:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject session—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    Mode Checks (Group of Fields)  
    • Unsupported Cipher

    Select the action to take when the decryption encounters an unsupported cipher:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Unsupported Key Length

    Select the action to take when the decryption encounters an unsupported key length:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Unsupported Version

    Select the action to take when the decryption encounters an unsupported CA version:

    • Alert—Allow the decrypt session and generate an entry in the SSL log.
    • Allow—Allow the decrypt session without generating an entry in the SSL log.
    • Drop packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Drop session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    • Reject—The browser displays an alert and resets the connection to the server. It is not possible to determine whether this occurred because of a delayed response from the server or because a firewall blocked access to the website.
    • Minimum Supported Key Length

    Enter the minimum RSA key length, in bits.

    Range: 512 through 65535

    Default: 512
    TLS Protocol

    Select the TLS protocol:

    • Minimum Version—Select the minimum version of TLS protocol that is supported. The minimum version must be the same as or earlier than the maximum version.
      • TLS 1.1
      • TLS 1.2
      • TLS 1.3
    • Maximum Version—Select the maximum version of TLS protocol that is supported. The maximum version must be the same as or later than the minimum version. The options displayed depend on the version you select in the Minimum Version field. For example, if the minimum version is TLS 1.1, the options TLS 1.1, TLS 1.2, and TLS 1.3 are displayed. If the minimum version is TLS 1.2, the options TLS 1.2 and TLS 1.3 are displayed.
    Key Exchange Algorithms

    When you select minimum and maximum TLS versions and the version is not TLS 1.3, select one or more key exchange algorithms for the SSL connection:

    • ECDHE—Elliptic-curve Diffie–Hellman Key Exchange
    • RSA—Rivest–Shamir–Adleman algorithm
    Encryption Algorithms

    Select an encryption algorithm to use:

    • AES-128-CBC—AES CBC encryption algorithm with 128-bit key
    • AES-128-GCM—AES GCM encryption algorithm with 128-bit key
    • AES-256-CBC—AES CBC encryption algorithm with 256-bit key
    • AES-256-GCM—AES GCM encryption algorithm with 256-bit key
    • Camellia-256-CBC—Camellia encryption algorithm with 256-bit key
    • Chacha20-Poly1305—ChaCha stream cipher and Poly1305 authenticator
    • Seed CBC—TLS RSA with seed CBC
    Authentication Algorithms

    Click to have the selected LEF profile be the default LEF profile:

    • SHA—Secure Hash Algorithm
    • SHA-256—Secure Hash Algorithm 2 with 256-bit digest
    • SHA-384—Secure Hash Algorithm 2 with 384-bit digest
    Cipher Suites

    Select a TLS cipher suite. If you select a cipher suite, it must be consistent with the selected key exchange, encryption, and authentication algorithms. If you do not configure cipher suites, all cipher suites matching the selected the key exchange, encryption, and authentication algorithms are selected by default.

    • TLS-AES-128-GCM-SHA256
    • TLS-AES-256-GCM-SHA384
    • TLS-CHACHA20-POLY1305-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
    • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
    • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
    • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
    • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
    • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
    • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
    • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
    • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    • TLS-RSA-WITH-AES-128-CBC-SHA
    • TLS-RSA-WITH-AES-128-CBC-SHA256
    • TLS-RSA-WITH-AES-128-GCM-SHA256
    • TLS-RSA-WITH-AES-256-CBC-SHA
    • TLS-RSA-WITH-AES-256-CBC-SHA256
    • TLS-RSA-WITH-AES-256-GCM-SHA384
    • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
    • TLS-RSA-WITH-SEED-CBC-SHA
    Logging (Group of Fields)  
    • None
    		 Click to perform no logging.
    • Default
    		 Click to use default logging.
    • Custom

    Click to configure logging to a customer log server. Based on the rule match, the device may send many log messages.

     

    portal_security_logging.png
    • Please Select
    		 If you select Custom, click the down arrow to select a log profile. To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  6. Click Add.

Configure TLS Decryption Rule

In a TLS ecryption rule, you define the traffic of interest, and for matching traffic you define whether to decrypt the traffic, inspect the traffic, or both decrypt and inspect it. Create a TLS decryption rule without source and destination zones, or only configure the destination zone.

To configure TLS decryption rule:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Decryption.

    security-decryption.png
     
  4. Click the rule-icon.png icon in the TLS Decryption section to create a rule for decryption.

    security-decryption-rule.png


    Each rule displays a numbered circle indicating its position in the rule set. Circle color indicates whether a rule decrypt (red) or decrypt bypass (green) traffic. By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  5. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
  6. In the Decryption Add window, enter information for the following fields.

    security-decryption-rule-add.png
     
    Field Description
    Rule Name (Required)

    Enter a name for the decryption rule. Slide the toggle to enable or disable rules.
    Description Enter a text description for the rule. It can be a maximum of 63 characters.
    Match Criteria

    Click Protocol, Address, Hostname, URL, or User and Group to add details for that criteria type. For more information, see Apply Match Criteria for TLS Decryption Rules, below.
    Scope (Group of Fields) Select the traffic source and destination.
    • Source

    Click the down arrow in the Please Select list. Select the source network security zone to which to apply the decryption policy rule to traffic coming from any interface in the zone, and then click Continue.
     

    security-policy-firewall-rules-source-zone.png

    • SD-WAN—Select for the traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Untrust (Internet)—Select for internet-facing WAN interfaces.
    • Wired LAN—Select for LAN interfaces that are controlled by enterprises.
    • Wireless LAN—Select for LAN interfaces that are on wireless networks.
    Arrow Choose a Portal_one_way_arrow.png one-way or Portal_two_way_arrow.png two-way connection.
    • Destination

    Click the down arrow in the Please Select list. Select the destination network security zone to which to apply the decryption policy rule to traffic coming from any interface into the zone, and then click Continue.
     

    security-policy-firewall-rules-destination-zone.png

    • SD-WAN—Select for the traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Untrust (Internet)—Select for internet facing WAN interfaces.
    • Wired LAN—Select for LAN interfaces that are controlled by enterprises.
    • Wireless LAN—Select for LAN interfaces that are on wireless networks.
    Action

    Select the action to take on the traffic:

    • Decrypt—Click to enable decryption.
    • Decrypt Bypass—Click to bypass the decryption of SSL traffic that matches the predefined actions.
    Select Profile If the action selected is decrypt, select the decryption profile.
  7. Click Add.

Apply Match Criteria for TLS Decryption Rules

You can use the following match criteria types in a TLS decryption rule:

  • Protocol
  • Address
  • Hostname
  • URL
  • User and Group

security-decryption-rule-add-match-criteria.png

To specify match criteria for a TLS decryption rule:

  1. To specify protocol criteria for a TLS decryption rule:
    1. Select the Protocol tab to display the protocol window.

      security-decryption-rule-add-match-criteria-protocol.png
       
    2. In the Please Select field, select a protocol. Titan Portal automatically populates the next field with common port numbers.
    3. If needed, click the port number field and edit the port number range.
       
  2. To specify address criteria for a TLS decryption rule:
    1. Select the Address tab to display the address window.

      security-decryption-rule-add-match-criteria-address.png
    2. Click the toggle switch to enter the source or destination IP address. Then click Source.

      security-decryption-rule-add-match-criteria-address1.png
       
    3. Enter a source IP address in CIDR format, and then click the icon. To remove an IP address from the list, click the icon.

      portal_security_add_firewall_rules_match_criteria_address_source.png
    4. Click Continue
    5. Enter a destination IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_destination.png
    6. Click Continue
       
  3. To specify hostname criteria for a TLS decryption rule:
    1. Select the Hostname tab to display the Hostname window.

      security-decryption-rule-add-match-criteria-hostname.png
    2. Click the toggle switch to enter the source or destination hostname. Then click Source.

      security-decryption-rule-add-match-criteria-hostname1.png
       
    3. Enter a source hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_source.png
       
    4. Click Continue
    5. Enter a destination hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_destination.png
    6. Click Continue.
  4. To specify URL criteria for a TLS decryption rule:
    1. Select the URL tab to display the URL window.

      security-decryption-rule-add-match-criteria-url.png
    2. Enter the URL pattern, for example, https://google.*. You can save the URL patterns in .txt file format and add multiple .txt files separated by a comma. Click Browse File to add te file.
    3. In the URL Category section, select the URL categories to decrypt. Titan devices support a wide range of predefined URL categories that you can apply in different types of security policies. You can look up URL categories in the database of predefined URL database to determine the URL category. The predefined URL database is updated daily or in real time as part of security package (SPack) updates.

      configure-tls-decryption-add-rule-match-criteria-url-category.png
    4. Click Add.
    5. In the URL Reputation section, select the URL reputation to decrypt and click Continue.

      portal_security_add_firewall_rules_match_criteria_url_reputation.png

      Use the Customize option to modify the URL reputation.
  5. By default, security enforcement is applied to all users and user groups. To change these settings, select the User and Group tab and do the following.

    security-decryption-rule-add-match-criteria-user-group.png
    1. Select a user to bind with the security policy: Any, Known, Unknown, or Selected.
    2. To select specific user and group, click Selected and then do the following:
      1. Select an LDAP user group profile from the Select LDAP list.
      2. Use the search box to search for the user and group, or click the check box next to the user and group name.

        select-user-group-profile.png
    3. Click Add.

Configure Authentication Rules

On Titan Portal, you can configure authentication rules to authenticate end users, including using a Lightweight Directory Access Protocol (LDAP) server, Kerberos, and Security Assertion Markup Language (SAML). This section describes how to configure authentication rules and associate LDAP, Kerberos, and SAML authentication profiles to use for end user authentication. To do this, you create an authentication rule in which you select the authenticator profile you created for the enforcement action.

If you create an authentication rule without creating an LDAP, Kerberos, or SAML authenticator profile, you must define an authenticator profile to use in the authentication rule.

If you use Kerberos authentication and you need access to users and user groups, you must add an LDAP authentication profile from the Org Settings menu on Titan Portal before you add a Kerberos authentication profile. To configure an authentication rule for a Kerberos profile authenticator, it is recommended that you have an LDAP authentication profile for the system to fetch users and user groups. When you create an authentication rule with a Kerberos profile, the system also pushes an LDAP profile to the CPE. If an LDAP profile does not exist, the system prompts you to create one when you select a Kerberos profile authenticator.

To configure an authentication rule:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Authentication.

    authentication-home.png
     
  4. Click the rule-icon.png icon in the Authentication section to create a rule for authentication.

    authentication-rule.png

    Each rule displays a numbered circle indicating its position in the rule set. Circle color indicates whether a rule do not authenticate (red) or authenticate using a profile (green). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  5. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
  6. In the Authentication Add window, enter information for the following fields.

    authentication-rule-add.png
     
    Field Description
    Rule Name (Required)

    Enter a name for the decryption rule. Slide the toggle to enable or disable rules.
    Description Enter a description for the rule. The maximum characters allowed is 63.
    Match Criteria

    Click Protocol, Address, Hostname, Application, or URL to add details for that criteria type. For more information, see Apply Match Criteria for Authentication Rules, below.
    Scope (Group of Fields) Select the traffic source and destination.
    • Source

    Click the down arrow in the Please Select list. Select the source network security zone to which to apply the decryption policy rule to traffic coming from any interface in the zone, and then click Continue.
     

    security-policy-firewall-rules-source-zone.png

    • SD-WAN—Select for the traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Untrust (Internet)—Select for internet-facing WAN interfaces.
    • Wired LAN—Select for LAN interfaces that are controlled by enterprises.
    • Wireless LAN—Select for LAN interfaces on wireless networks.
    Arrow Choose a Portal_one_way_arrow.png one-way or Portal_two_way_arrow.png two-way connection.
    • Destination

    Click the down arrow in the Please Select list. Select the destination network security zone to which to apply the decryption policy rule to traffic coming from any interface into the zone, and then click Continue.
     

    security-policy-firewall-rules-destination-zone.png

    • SD-WAN—Select for the traffic coming to the gateway over overlay tunnels from remote SD-WAN branches.
    • Untrust (Internet)—Select for internet facing WAN interfaces.
    • Wired LAN—Select for LAN interfaces that are controlled by enterprises.
    • Wireless LAN—Select for LAN interfaces on wireless networks.
    Action

    Select the action to take on the profile:

    • Do Not Authenticate—Click to not authenticate the profile.
    • Authenticate Using Profile—Click to authenticate using an authentication profile. Enter information for the following fields.

      authentication-rule-add-auth-using-profile.png
      • Cache Expiration—Enter the time, in minutes, after which cache for the authentication profile expires.
        Default: 10 minutes
      • Concurrent Login—Enter the number of concurrent logins a user can perform from different devices.
      • Expiration Mode—Select the mode to use to end a session:
        • Fixed Interval—Use the time specified in the cache expiration as the time interval to end a session.
        • Inactivity—Use the time specified in the cache expiration as the interval of inactivity after which to end a session.
      • Authenticator
        • Kerberos Profile—If you select Kerberos authentication, in the Select Authentication Profile list, select a Kerberos profile to associate with the authentication profile. Click + Authenticator Profile to add a new Kerberos profile. For more information, see Configure Kerberos Profiles.
        • LDAP Profile—If you select LDAP authentication, in the Select Authentication Profile list, select an LDAP profile to associate with this authentication profile. Click + Authenticator Profile to add a new LDAP profile. For more information, see Configure LDAP Profiles.
        • SAML Profile—If you select SAML authentication, in the Select Authentication Profile list, select a SAML profile to associate with this authentication profile. Click + Authenticator Profile to add a new SAML profile. For more information, see Configure SAML Profiles.
    Logging

    Configure log settings:

    • None—Click to perform no logging.
    • Default—Click to use default logging.
    • Custom—Click to configure logging to a customer log server. Based on the rule match, the device may sent a large number of log messages.

      logging.png
      • Please Select—If you select Custom, click the down arrow to select a log profile.

    To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  7. Click Add.

Apply Match Criteria for Authentication Rules

You can use the following match criteria types in an authentication rule:

  • Address
  • Application
  • Hostname
  • Protocol
  • URL

authentication-rule-add-match-criteria.png

To specify match criteria for an authentication rule:

  1. To specify protocol criteria for an authentication rule:
    1. Select the Protocol tab to display the protocol window.

      authentication-rule-add-match-criteria-protocol.png
    2. In the Please Select field, select a protocol. Titan Portal automatically populates the next field with common port numbers.
    3. If needed, click the port number field and edit the port number range.
  2. To specify address criteria for an authentication rule:
    1. Select the Address tab to display the address window.

      authentication-rule-add-match-criteria-address.png
    2. Click the toggle switch to enter the source or destination IP address. Then click Source.

      authentication-rule-add-match-criteria-address1.png
    3. Enter a source IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_source.png
    4. Click Continue
    5. Enter a destination IP address in CIDR format, and then click the icon-plus.png icon. To remove an IP address from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_address_destination.png
    6. Click Continue
  3. To specify hostname criteria for an authentication rule:
    1. Select the Hostname tab to display the Hostname window.

      authentication-rule-add-match-criteria-hostname.png
    2. Click the toggle switch to enter the source or destination hostname. Then click Source.

      authentication-rule-add-match-criteria-hostname1.png
    3. Enter a source hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_source.png
    4. Click Continue
    5. Enter a destination hostname, and then click the icon-plus.png icon. To remove a hostname from the list, click the icon-minus.png icon.

      portal_security_add_firewall_rules_match_criteria_hostname_destination.png
    6. Click Continue.
  4. To specify application and application groups criteria for an authentication rule:
    1. Select the Application tab, and then click Click Here To Add or Modify Applications.

      authentication-rule-add-match-criteria-application.png
    2. The Authentication > Rules > Add Application popup window displays. Select the Applications tab is selected by default. Then, select the application to include in the match list, or type the name of the application in the search box and then select it from the search results, and then click Add.

      match-criteria-authentication-add-application-tab.png
      • Click + Custom Applications to create a new custom application object. For more information, see Add Custom Applications.
    3. Select the Application Groups tab. Then select predefined application groups to include in the match list, or type the name of the application group in the search box and then select it from the search results, and then click Add.

      match-criteria-authentication-add-application-group-tab.png
  5. To specify URL criteria for an authentication rule:
    1. Select the URL tab to display the URL window.

      authentication-rule-add-match-criteria-url.png
    2. Enter the URL pattern, for example, https://google.*. You can save the URL patterns in .txt file format and add multiple .txt files separated by a comma. Click Browse File to add te file.
    3. In the URL Category section, select the URL categories to decrypt. Titan devices support a wide range of predefined URL categories that you can apply in different types of security policies. You can look up URL categories in the database of predefined URL database to determine the URL category. The predefined URL database is updated daily or in real time as part of security package (SPack) updates.

      authentication-rule-add-match-criteria-url1.png
    4. Click Add.
    5. In the URL Reputation section, select the URL reputation to decrypt and click Continue.

      portal_security_add_firewall_rules_match_criteria_url_reputation.png
      Use the Customize option to modify the URL reputation.
  6. Click Add.

Example: Configure a SAML Authentication Rule

Before you create a SAML authentication rule, you must configure a SAML profile, which contains information about the third-party SAML IdPs and other protocol information. Then, you associate the SAML profile with the SAML authentication rule.

To create a SAML authentication rule, you perform the following tasks:

  1. Create three authentication rules in the following order:
    1. Create an authentication rule to allow DNS packets.
    2. Create an authentication rule to allow IdP packets.
    3. Create a SAML authentication rule.
  2. Create a firewall rule without source and destination zones and destination port must be 44991 and 8080.
  3. Create a TLS decryption rule without source and destination zones.

To create a SAML authentication rule:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb and click Configure to open the site information window.
  3. Click the Security tab, and then click Authentication.

    authentication-home.png
     
  4. Click the rule-icon.png icon in the Authentication section to create a rule for authentication.

    authentication-rule.png

    Each rule displays a numbered circle indicating its position in the rule set. Circle color indicates whether a rule do not authenticate (red) or authenticate using a profile (green). By default, the rules are displayed in grid view. To change the view to list, click the list view icon. To pin the view to grid or list for the login session, use the pin icon.
  5. If needed, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the colored circle and drag the rule to a different spot in the rule set. The rule numbers are updated automatically.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
  6. In the Authentication Add window, create an authentication rule to allow DNS packets by entering the following information.

    saml-authentication-rule-add.png
     
    1. Enter a firewall rule name.
    2. Enter the description for the rule.
    3. In the Protocol tab, select UDP, and enter 53 as the port number.
    4. In the Action section, click Do Not Authenticate.
  7. Click Add.
  8. Click the rule-icon.png icon in the Authentication section to create a rule for authentication.
  9. In the Authentication Add window, create an authentication rule to allow IdP packets by entering the following information.

    saml-authentication-rule-add-idp.png
    1. Enter an OKTA IdP rule name.
    2. Enter the description for the rule.
    3. Click URL tab, enter a URL pattern, an then click the add-icon.png Add icon.
    4. In the Action section, click Do Not Authenticate.
  10. Click Add. The OKTA IdP rule is added to the rules list.
  11. Click the rule-icon.png icon in the Authentication section to create a rule for SAML authentication.
  12. In the Authentication Add window, create a SAML rule by entering the following information.

    saml-authentication-rule-saml.png
     
    1. Enter a SAML authentication rule name.
    2. Enter a rule description.
    3. Select source and destination zones.
    4. In the Actions section, click Authenticate Using Profile to authenticate using an authentication profile. Enter information for the following fields.
      • Cache Expiration—Enter the time, in minutes, after which cache for the authentication profile expires.
        Default: 10 minutes
      • Concurrent Login—Enter the number of concurrent logins a user can perform from different devices.
      • Expiration Mode—Select the mode to use to end a session:
        • Fixed Interval—Use the time specified in the cache expiration as the time interval to end a session.
        • Inactivity—Use the time specified in the cache expiration as the interval of inactivity after which to end a session.
      • In the Authenticator section, click SAML Profile, and in the Select Authentication Profile list, select a SAML profile to associate with this authentication profile. Click + Authenticator Profile to add a new SAML profile. For more information, see Configure SAML Profiles.
  13. Click Add.

    authentication-rules-added.png
     
  14. In the Security tab, click Security Policy.
  15. In the Firewall Policies section, click Firewall Rules and then click +Rule to create a firewall rule. Enter the following information.

    saml-authentication-firewall-rule-add.png
    1. Enter a firewall rule name.
    2. Enter a rule description.
    3. In the Protocol tab, select TCP, and enter 44991 and 8080 as the port numbers.
  16. Click Add.
  17. In the Security tab, click Decryption.
  18. In the TLS Decryption section, click +Rule to create a decryption rule. Enter the following information.

    saml-authentication-tls-rule-add.png
     
    1. Enter a decryption rule name.
    2. Enter a rule description.
    3. In the Protocol tab, select TCP, and enter 443 as the port number.
    4. Select a decryption profile.
  19. Click Add.

Supported Software Information

Releases 10.3.4 and later support all content described in this article.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
    Product
    Titan
  2. Tags
    This page has no tags.