Monday, January 28, 2019

R80.20 - Enable - Mirror and Decrypt SSL Traffic on Gateway

Your Security Gateway or Cluster clones all HTTPS traffic that passes through it, decrypts it, and sends it in clear-text out of the designated physical interface.

Note - If you wish to decrypt the HTTPS traffic, you must enable and configure the HTTPS Inspection on your Security Gateway, or Cluster.

These are the Mirror and Decrypt requirements:

    Item 1 - Designated network interface for Mirror and Decrypt:
    1. Select a designated physical interface on your Security Gateway, or on each cluster member.
      Important:
      • On cluster members, you must select an interface with the same name (for example, eth3 on each cluster member).
      • Select an interface with the largest available throughput (for example, 10G or 40G), because this interface passes the combined traffic from all other interfaces.
    2. Assign a dummy IP address to the designated interface.
      Important - This IP address must not collide with other IP addresses used in your environment, and must not belong to any subnet used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped.
    3. On cluster members, you must configure this designated physical interface in the $FWDIR/conf/discntd.if file.
      Note - This prevents the interfaces that are not used from sending Cluster Control Protocol (CCP) packets that can overwhelm the Mirror and Decrypt recorders.

    Item 2 - Maximum Transmission Unit (MTU) on the Mirror and Decrypt designated physical interface:
    • The MTU value has to be 1500 (the default), or at least the maximum MTU value of the other interfaces on the Security Gateway.

    Item 3 - HTTPS Inspection for decrypting the HTTPS traffic:
    • You must enable HTTPS Inspection in SmartConsole in the object of the Security Gateway, Cluster, or Virtual System.
    • You must configure the HTTPS Inspection Rule Base.

    Item 4 - Access Rules for the traffic you wish to Mirror and Decrypt:
    • You must create special rules in the Access Control Policy for the traffic you wish to mirror and decrypt.
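
As an added example (not Check Point's code and not part of the original post), the following Python pre-check takes an inventory of the gateway's interfaces, the chosen designated interface and its dummy address, and the subnets already in use, and reports which of the requirements in items 1 and 2 are not met. The interface inventory, the in-use subnets and the discntd.if content are constructed sample data; the one-name-per-line format assumed for $FWDIR/conf/discntd.if is an assumption, not something the page states; and the MTU check applies the stricter reading of item 2 (the designated interface's MTU must be at least 1500 and at least the largest MTU of the other interfaces).

```python
import ipaddress

# Constructed sample inventory; the interface names, MTUs and addresses are
# invented for this example and do not come from a real Security Gateway.
SAMPLE_INTERFACES = {
    "eth0": {"mtu": 1500, "addresses": ["192.0.2.1/24"]},
    "eth1": {"mtu": 9000, "addresses": ["198.51.100.1/24"]},
    "eth3": {"mtu": 9000, "addresses": ["10.255.255.1/24"]},  # designated M&D interface
}
# Other subnets in use in the environment (constructed).
SAMPLE_IN_USE_SUBNETS = ["192.0.2.0/24", "198.51.100.0/24", "10.0.0.0/16"]
# Assumed content of $FWDIR/conf/discntd.if on a cluster member: one interface
# name per line (the file format is an assumption, not taken from the page).
SAMPLE_DISCNTD_IF = "eth3\n"


def check_md_interface(designated, interfaces, dummy_ip_cidr, in_use_subnets,
                       cluster=False, discntd_if_text=""):
    """Return a list of findings; an empty list means every requirement checked here is met."""
    findings = []
    if designated not in interfaces:
        return ["%s: interface not found on the gateway" % designated]

    # Item 2: the designated interface carries frames copied from every other
    # interface, so this check applies the stricter reading of the requirement:
    # its MTU must be at least 1500 and at least the largest MTU of the others.
    md_mtu = interfaces[designated]["mtu"]
    other_mtus = [data["mtu"] for name, data in interfaces.items() if name != designated]
    required_mtu = max([1500] + other_mtus)
    if md_mtu < required_mtu:
        findings.append("%s: MTU %d is below the required %d" % (designated, md_mtu, required_mtu))

    # Item 1, step 2: the dummy IP must not collide with any address in use and
    # must not belong to (or overlap) any subnet in use.
    dummy = ipaddress.ip_interface(dummy_ip_cidr)
    for name, data in interfaces.items():
        if name == designated:
            continue
        for addr in data["addresses"]:
            other = ipaddress.ip_interface(addr)
            if other.ip == dummy.ip:
                findings.append("dummy IP %s collides with %s on %s" % (dummy.ip, other.ip, name))
            elif dummy.network.overlaps(other.network):
                findings.append("dummy subnet %s overlaps %s on %s"
                                % (dummy.network, other.network, name))
    for subnet in in_use_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if dummy.network.overlaps(net):
            findings.append("dummy subnet %s overlaps in-use subnet %s" % (dummy.network, net))

    # Item 1, step 3 (cluster members only): the interface must be listed in
    # $FWDIR/conf/discntd.if so that it does not send CCP packets to the recorder.
    if cluster:
        listed = {line.strip() for line in discntd_if_text.splitlines() if line.strip()}
        if designated not in listed:
            findings.append("%s: not listed in $FWDIR/conf/discntd.if" % designated)
    return findings


if __name__ == "__main__":
    result = check_md_interface("eth3", SAMPLE_INTERFACES, "10.255.255.1/24",
                                SAMPLE_IN_USE_SUBNETS, cluster=True,
                                discntd_if_text=SAMPLE_DISCNTD_IF)
    print("OK" if not result else "\n".join(result))
```

To use it against a real gateway, replace the sample dictionaries with the MTUs and addresses read from the interface configuration and the subnets from your IP plan, and run it with cluster=True on each cluster member, since the interface name and the discntd.if entry must be present on every member.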

    Configuring Mirror and Decrypt in SmartConsole

    Workflow for Security Gateway, or Cluster in Gateway mode:
    1. Enable the HTTPS Inspection in the object of your Security Gateway, or Cluster (for decrypting the HTTPS traffic).
    2. Configure the HTTPS Inspection Rule Base (for decrypting the HTTPS traffic).
    3. Activate the Mirror and Decrypt in the object of your Security Gateway, or Cluster.
    4. Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror and decrypt.
    To enable HTTPS Inspection:
    Step 1 - In SmartConsole, from the left Navigation Panel, click Gateways & Servers.
    Step 2 - Open the object of the Security Gateway, or Cluster.
    Step 3 - From the navigation tree, click HTTPS Inspection.
    Step 4 - View and export the certificate.
    Step 5 - Check Enable HTTPS Inspection.
    Step 6 - Click OK.
    To configure the HTTPS Inspection Rule Base:
    Step 1 - In SmartConsole, from the left Navigation Panel, click Security Policies.
    Step 2 - In the Shared Policies section, click HTTPS Inspection.
    Step 3 - In the middle of the page, click Open HTTPS Inspection Policy in SmartDashboard. The Legacy SmartDashboard opens.
    Step 4 - Configure the HTTPS Inspection Rule Base. For details, see Configuring HTTPS Inspection.
    Step 5 - From the top toolbar, click Update (or press Ctrl+S) to save the changes in the database.
    Step 6 - Close the SmartDashboard.
    To activate Mirror and Decrypt:
    Step 1 - In SmartConsole, open the object of the Security Gateway, or Cluster.
    Step 2 - Configure the topology settings of the designated Mirror and Decrypt interface:
      2A - From the navigation tree of the gateway object, click Network Management.
      2B - From the top toolbar, click Get Interfaces Without Topology.
      2C - Make sure the interface designated for Mirror and Decrypt is listed with the dummy IP address.
      2D - Select the interface designated for Mirror and Decrypt and click Edit.
      2E - From the navigation tree, click General.
      2F - In the General section, in the Network Type field, select Private.
           Note - This field shows only in Cluster objects.
      2G - In the Topology section, click Modify. The Topology Settings window opens.
      2H - In the Leads To section:
           1. Select Override.
           2. Select This Network (Internal).
           3. Select Network defined by the interface IP and Net Mask.
      2I - In the Security Zone section:
           1. Select User defined.
           2. Do not check Specify Security Zone.
      2J - In the Anti-Spoofing section, make sure to clear Perform Anti-Spoofing based on interface topology.
      2K - Click OK to save the changes and close the Topology Settings window.
    Step 3 - Enable Mirror and Decrypt:
      3A - From the navigation tree of the Security Gateway, or Cluster object, click the [+] near Other and click Mirror and Decrypt.
      3B - Check Mirror gateway traffic to interface. The Mirror and Decrypt - User Disclaimer window opens:
           1. Read the text carefully.
           2. Check I agree to the terms and conditions.
           3. Click OK to accept and close the disclaimer.
      3C - In the Mirror gateway traffic to interface field, select the designated physical interface.
      3D - Click OK to save the changes and close the Security Gateway, or Cluster properties window.
    To configure the Mirror and Decrypt rules:
    Best Practice:
    We recommend that you configure a new, separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.
    Important:
    When you configure the Mirror and Decrypt rules, these limitations apply:
    • In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
    • Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
    • You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules.
      The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
    The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer:
    Step 1 - In SmartConsole, from the left Navigation Panel, click Security Policies.
    Step 2 - Create a new Access Control Layer in the Access Control Policy:
      2B - In the SmartConsole top left corner, click Menu > Manage policies and layers.
      2C - Select the existing policy and click Edit (the pencil icon). Alternatively, create a new policy.
      2D - From the navigation tree of the Policy window, click General.
      2E - In the Policy Types section, make sure you select only Access Control.
      2F - In the Access Control section, click the + (plus) icon. A pop-up window opens.
      2G - In the top right corner of this pop-up window, click New Layer. The Layer Editor window opens.
      2H - From the navigation tree of the Layer Editor window, click General.
      2I - In the Blades section, make sure you select only Firewall.
      2J - On the other pages of the Layer Editor window, configure additional applicable settings and click OK.
      2K - In the Access Control section, you see the Network Layer and the new Access Control Layer.
      2L - Click OK to save the changes and close the Policy window.
    Step 3 - In SmartConsole, at the top, click the tab of the applicable policy.
    Step 4 - In the Access Control section, click the new Access Control Layer.
      In the default rule, you must change the Action column from Drop to Accept so that the new layer does not affect the policy enforcement:
      • Name - Cleanup rule
        You can change the default name to any text except these strings: <M&D>, <M&d>, <m&D>, or <m&d>
      • Source - *Any
      • Destination - *Any
      • VPN - *Any
      • Services & Applications - *Any
      • Action - Must contain Accept
      • Track - None
      • Install On - *Policy Targets
    Step 5 - Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
      You must configure the Mirror and Decrypt rules as follows:
      • Name - Must contain one of these strings (the angle brackets <> are mandatory): <M&D>, <M&d>, <m&D>, or <m&d>
      • Source - Select the applicable objects
      • Destination - Select the applicable objects
      • VPN - Must leave the default *Any
      • Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
      • Action - Must contain Accept
      • Track - Select the applicable option (None, Log, or Alert)
      • Install On - Must contain one of these objects:
        • *Policy Targets (this is the default)
        • The Security Gateway, or Cluster object, whose version is R80.20
      Important:
      • In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
      • Above the Mirror and Decrypt rules in this Ordered Layer, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
      • You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules.
        The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
    Step 6 - Publish the session and install the Access Control Policy.
    Step 7 - If in a Mirror and Decrypt rule you set the Track to Log, you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>.
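
The naming, ordering and cell requirements of step 5 (and the limitations listed under Important), together with the log filter of step 7, are the kind of thing a practitioner wants to check before installing policy. The following Python validator is an added example, not Check Point's code and not part of the original post: it walks an Access Control Layer from top to bottom, represented as a list of plain dictionaries, and reports every violation it can see. The two sample layers, the log records and the gateway object name "gw-r8020" are constructed for this example; fields a rule dictionary omits are treated as the defaults the procedure describes (*Any VPN, *Policy Targets, no Content criteria).

```python
import re

# The tag the procedure requires in the Name column of a Mirror and Decrypt rule:
# one of <M&D>, <M&d>, <m&D> or <m&d>; the angle brackets are mandatory.
MD_TAG = re.compile(r"<[Mm]&[Dd]>")
VALID_TRACK = {"None", "Log", "Alert"}

# Constructed sample layers in top-to-bottom order; the last rule is the Cleanup
# rule. "gw-r8020" below is a hypothetical gateway object name.
GOOD_LAYER = [
    {"name": "Exclude HR subnet from mirroring", "action": "Accept", "negate_source": True},
    {"name": "<M&D> Mirror web traffic", "action": "Accept", "vpn": "Any",
     "services": ["http", "https"], "install_on": "Policy Targets", "track": "Log"},
    {"name": "Cleanup rule", "action": "Accept", "track": "None"},
]
BAD_LAYER = [
    {"name": "Block social media", "action": "Drop", "content_criteria": ["Application"]},
    {"name": "<m&d> Mirror but drop", "action": "Drop", "track": "Log"},
    {"name": "<M&D> Mirror with URL Filtering", "action": "Accept", "vpn": "RemoteAccess",
     "content_criteria": ["URL Filtering"]},
    {"name": "Exclude finance (placed too low)", "action": "Accept", "negate_destination": True},
    {"name": "Cleanup rule", "action": "Drop"},
]
# Constructed log records, reduced to the fields this example uses.
SAMPLE_LOGS = [
    {"time": "2019-01-28T10:00:01", "rule_name": "<M&D> Mirror web traffic", "dst": "203.0.113.10"},
    {"time": "2019-01-28T10:00:02", "rule_name": "Cleanup rule", "dst": "203.0.113.11"},
    {"time": "2019-01-28T10:00:03", "rule_name": "<m&d> Mirror web traffic", "dst": "203.0.113.12"},
]


def validate_md_layer(rules, gateway_object):
    """Check an ordered Access Control Layer against the Mirror and Decrypt rule
    requirements. Returns a list of findings; an empty list means no violation."""
    findings = []
    md_seen = False  # True once the first Mirror and Decrypt rule has been passed
    last = len(rules)
    for pos, rule in enumerate(rules, start=1):
        name = rule["name"]
        tagged = MD_TAG.search(name) is not None
        excluded = rule.get("negate_source", False) or rule.get("negate_destination", False)
        content = rule.get("content_criteria", [])
        where = "rule %d '%s'" % (pos, name)
        if tagged:
            md_seen = True
            if rule.get("action") != "Accept":
                findings.append(where + ": Action must be Accept")
            if rule.get("vpn", "Any") != "Any":
                findings.append(where + ": VPN must stay *Any")
            if rule.get("install_on", "Policy Targets") not in ("Policy Targets", gateway_object):
                findings.append(where + ": Install On must be *Policy Targets or " + gateway_object)
            if rule.get("track", "None") not in VALID_TRACK:
                findings.append(where + ": Track must be None, Log or Alert")
            if content:
                findings.append(where + ": Content criteria not allowed (%s)" % ", ".join(content))
            if excluded:
                findings.append(where + ": a rule with an excluded source/destination must not carry the M&D tag")
            if pos == last:
                findings.append(where + ": the Cleanup rule must not carry the M&D tag")
            continue
        # Untagged rules: content criteria may not sit above the M&D rules, and
        # exclusion rules must sit above them; the Cleanup rule must be Accept.
        if content and not md_seen:
            findings.append(where + ": Content criteria (%s) above the Mirror and Decrypt rules" % ", ".join(content))
        if excluded and md_seen:
            findings.append(where + ": excluded source/destination rules must be placed above the Mirror and Decrypt rules")
        if pos == last and rule.get("action") != "Accept":
            findings.append(where + ": the Cleanup rule of this layer must be Accept")
    if not md_seen:
        findings.append("layer contains no Mirror and Decrypt rule")
    return findings


def filter_md_logs(records):
    """Step 7: keep only the log records whose Access Rule Name carries an M&D tag."""
    return [r for r in records if MD_TAG.search(r.get("rule_name", ""))]


if __name__ == "__main__":
    for label, layer in (("good", GOOD_LAYER), ("bad", BAD_LAYER)):
        print(label, validate_md_layer(layer, "gw-r8020") or "OK")
    print([r["dst"] for r in filter_md_logs(SAMPLE_LOGS)])
```

The rule dictionaries are a deliberately minimal stand-in for whatever form your rule base export takes; the checks themselves only depend on the rule order, the Name, Action, VPN, Track and Install On cells, whether a source or destination is negated, and whether any Content criteria are set.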