Chapter 46 SSL Inspection
ZyWALL Series CLI Reference Guide
424
46.2.4 SSL Inspection Profile Settings
This table lists the SSL Inspection profile setting commands.
Table 232 SSL Inspection Profile Commands

COMMAND / DESCRIPTION

ssl-inspection profile ssi_profile_name
  Creates an SSL Inspection profile, and then enters the SSL Inspection profile sub-command mode.
  The profile name may consist of 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

bind-ipv4-addr ipv4
  Request a certificate using the specified IPv4 source address. This command is for debugging purposes.

bind-ipv6-addr ipv6
  Request a certificate using the specified IPv6 source address. This command is for debugging purposes.

[no] certificate cert_name
  Enter the default certificate or one already created for this profile. The no command removes the certificate from this profile.

[no] description description
  Enter additional information about this SSL Inspection entry. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_"). The no command removes the description.

exit
  Exit sub-command mode.

follow-real-client-routing {yes | no}
  When an SSL session is detected by SSL inspection, the Zyxel Device creates another independent session in order to get information such as the certificate chain. However, because traffic for this new session is sent from the Zyxel Device, it may not match the same routing policy as the original SSL session and may not reach the destination server.
  Enable this command to allow the session sent from the Zyxel Device to follow the routing policy of the original session. The no command does not allow the session sent from the Zyxel Device to follow the routing policy of the original session.

sslv2 action {pass | block} {no log | log [alert]}
  SSL Inspection supports SSLv3 and TLS1.0. This command sets the action and log event for when the Zyxel Device encounters SSLv2 traffic.
  • pass: SSLv2 traffic is allowed to pass through the Zyxel Device uninspected.
  • block: SSLv2 traffic is blocked.
  You can also set the logging events.
  • no log: Do not log SSLv2 traffic events.
  • log: Create a log message when SSLv2 traffic is passed through or blocked.
  • log alert: Create a log message and issue an alert email when SSLv2 traffic is passed through or blocked.

support-version-max {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
  The Zyxel Device only inspects SSL traffic if the SSL version is equal to this value or lower.

support-version-min {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
  The Zyxel Device only inspects SSL traffic if the SSL version is equal to this value or higher.

unsupported-suite action {pass | block} {no log | log [alert]}
  Select to pass or block unsupported traffic, such as traffic using unsupported cipher suites, compression, or client authentication.
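The following session is an added illustration of how the commands in Table 232 combine into a profile; it is not taken from the guide. It contrasts a permissive profile with a hardened one so the effect of each setting is visible side by side. The profile names, the certificate name inspect-ca (assumed to have been created beforehand, since certificate accepts only the default or an existing certificate) and the descriptions are constructed values; lines beginning with # are reader annotations, not CLI input. Note that support-version-min and support-version-max bound which versions are inspected, so sessions outside the range are simply not inspected rather than blocked, whereas sslv2 and unsupported-suite carry their own pass/block action.

```text
# Permissive profile (not recommended): inspects every version down to SSLv3,
# lets SSLv2 and unsupported suites through silently, and ignores the
# client's routing policy for the certificate-fetch session.
ssl-inspection profile weak_inspection
certificate inspect-ca
description Inspects_everything_but_logs_nothing
support-version-min ssl3
support-version-max tls1_3
sslv2 action pass no log
unsupported-suite action pass no log
follow-real-client-routing no
exit

# Hardened profile: only TLS 1.2 and 1.3 are inspected, SSLv2 and traffic
# using unsupported cipher suites, compression or client authentication are
# blocked with a log entry and an alert e-mail, and the Zyxel Device's own
# certificate-chain lookup follows the original session's routing policy.
ssl-inspection profile hardened_inspection
certificate inspect-ca
description TLS12_and_13_only_block_and_alert_on_legacy
support-version-min tls1_2
support-version-max tls1_3
sslv2 action block log alert
unsupported-suite action block log alert
follow-real-client-routing yes
exit
```

The description values use only the characters the command permits ("0-9", "a-z", "A-Z", "-" and "_"), which is why they contain underscores instead of spaces. bind-ipv4-addr and bind-ipv6-addr are deliberately left out: the guide describes them as debugging aids, so they do not belong in a production profile.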