USG FLEX H Series User’s Guide
319
CHAPTER 22
SSL Inspection
22.1 Overview
Secure Socket Layer (SSL) traffic, such as https://www.google.com/HTTPS, FTPs, POP3s, SMTPs, etc. is
encrypted, and cannot be inspected using Security Service profiles such as App Patrol, Web Filtering,
Intrusion Prevention System (IPS), or Anti-Malware. The Zyxel Device uses SSL Inspection to decrypt SSL
traffic, sends it to the Security Service engines for inspection, then encrypts traffic that passes inspection
and forwards it to the destination server, such as Google.
An example process is shown in the following figure. User U sends a HTTPS request (SSL) to destination
server D, via the Zyxel Device, Z. The traffic matches an SSL Inspection profile in a security policy, so the
Zyxel Device decrypts the traffic using SSL Inspection. The decrypted traffic is then inspected by the
Security Service profiles in the same security profile that matched the SSL Inspection profile. If all is OK,
then the Zyxel Device re-encrypts the traffic using SSL Inspection and forwards it to the destination server
D. SSL traffic could be in the opposite direction for other examples.
Figure 198 SSL Inspection Overview
22.1.1 What You Can Do in this Chapter
• Use the Security Service > SSL Inspection > Profile screen (Section 22.2 on page 320) to view SSL
Inspection profiles. Click the Add or Edit icon in this screen to configure the CA certificate, action and
log in an SSL Inspection profile.
• Use the Security Service > SSL Inspection > Exclude List screens (Section 22.3 on page 325) to create a
whitelist of destination servers to which traffic is passed through uninspected.
• Use the Security Service > SSL Inspection > Certificate Update screens (Section 22.4 on page 327) to
update the latest certificates of servers using SSL connections to the Zyxel Device network
To Next Page
Loading...
