Friday, January 25, 2019

R80.20 SSL Mirror and Decrypt

When you configure the Mirror and Decrypt rules, these limitations apply:
  • In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  • Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  • You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules.
    The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer:
1. In SmartConsole, from the left Navigation Panel, click Security Policies.
2. Create a new Access Control Layer in the Access Control Policy:
   2B. In the top left corner of SmartConsole, click Menu > Manage policies and layers.
   2C. Select the existing policy and click Edit (the pencil icon). Alternatively, create a new policy.
   2D. From the navigation tree of the Policy window, click General.
   2E. In the Policy Types section, make sure that only Access Control is selected.
   2F. In the Access Control section, click the + (plus) icon. A pop-up window opens.
   2G. In the top right corner of this pop-up window, click New Layer. The Layer Editor window opens.
   2H. From the navigation tree of the Layer Editor window, click General.
   2I. In the Blades section, make sure that only Firewall is selected.
   2J. On the other pages of the Layer Editor window, configure additional applicable settings and click OK.
   2K. In the Access Control section, you now see the Network Layer and the new Access Control Layer.
   2L. Click OK to save the changes and close the Policy window.
3. In SmartConsole, at the top, click the tab of the applicable policy.
4. In the Access Control section, click the new Access Control Layer.
   In the default rule, you must change the Action column from Drop to Accept, so that this layer does not affect policy enforcement:
     • Name - Cleanup rule
       You can change the default name to any text except these strings:
       <M&D>, <M&d>, <m&D>, or <m&d>
     • Source - *Any
     • Destination - *Any
     • VPN - *Any
     • Services & Applications - *Any
     • Action - Must contain Accept
     • Track - None
     • Install On - *Policy Targets
5. Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
   You must configure the Mirror and Decrypt rules as follows:
     • Name - Must contain one of these strings (the angle brackets <> are mandatory):
       <M&D>, <M&d>, <m&D>, or <m&d>
     • Source - Select the applicable objects
     • Destination - Select the applicable objects
     • VPN - Must leave the default *Any
     • Services & Applications - Select the applicable services (to decrypt HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
     • Action - Must contain Accept
     • Track - Select the applicable option (None, Log, or Alert)
     • Install On - Must contain one of these objects:
       • *Policy Targets (this is the default)
       • The Security Gateway or Cluster object whose version is R80.20
   Important:
     • In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
     • Above the Mirror and Decrypt rules in this Ordered Layer, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
     • You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules.
       The Name column of these rules cannot contain these strings:
       <M&D>, <M&d>, <m&D>, or <m&d>.
6. Publish the session and install the Access Control Policy.
7. If in a Mirror and Decrypt rule you set Track to Log, you can filter the logs for this rule by the Access Rule Name, which contains the configured string:
   <M&D>, <M&d>, <m&D>, or <m&d>.
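The ordering and column constraints above (no Content criteria in or above the Mirror and Decrypt rules, exclusion rules placed above them and untagged, Accept in the Cleanup rule, VPN left at Any, a valid Install On target) are easy to violate in a large rule base. The following Python script is an added example, not Check Point code and not the Management API's object format: it checks an ordered layer, expressed as simplified dicts of a made-up schema, against those constraints, and applies the step 7 filter to constructed log entries. The field names, the `gateways` version mapping, and all sample rules and log lines are assumptions constructed for this example.

```python
# Added example: checks a Mirror and Decrypt layer against the page's constraints.
# The rule/log dict schema below is a simplified, constructed format, not the
# Check Point Management API's object format.

MD_TAGS = ("<M&D>", "<M&d>", "<m&D>", "<m&d>")  # the four allowed spellings

# Content criteria the page forbids in M&D rules and in rules above them
CONTENT_CRITERIA = frozenset({
    "Application", "URL Filtering", "Service matched by IP Protocol", "Content Awareness",
})
ALLOWED_TRACK = frozenset({"None", "Log", "Alert"})


def has_md_tag(name):
    """True if the rule name carries one of the mandatory M&D strings."""
    return any(tag in name for tag in MD_TAGS)


def content_criteria_in(rule):
    """Content-type match columns used by a rule (empty set if none)."""
    return set(rule.get("criteria", ())) & CONTENT_CRITERIA


def validate_md_layer(rules, gateways=None):
    """Check an ordered layer (top to bottom; the last rule is the Cleanup rule).

    gateways: assumed mapping of gateway/cluster object name -> version string,
    used for the Install On check. Returns a list of (rule name, problem) tuples;
    an empty list means the layer satisfies the constraints modelled here.
    """
    gateways = gateways or {}
    problems = []
    md_positions = {i for i, r in enumerate(rules) if has_md_tag(r["name"])}
    first_md = min(md_positions) if md_positions else None

    for i, rule in enumerate(rules):
        name, crit = rule["name"], content_criteria_in(rule)
        excludes = rule.get("excluded_source") or rule.get("excluded_destination")
        if i in md_positions:
            # Step 5: constraints on the M&D rule itself
            if rule.get("action") != "Accept":
                problems.append((name, "Action must be Accept"))
            if rule.get("vpn", "Any") != "Any":
                problems.append((name, "VPN must stay Any"))
            if rule.get("track") not in ALLOWED_TRACK:
                problems.append((name, "Track must be None, Log or Alert"))
            if crit:
                problems.append((name, f"content criteria not allowed: {sorted(crit)}"))
            targets = rule.get("install_on", ["Policy Targets"])
            if "Policy Targets" not in targets and not any(
                gateways.get(t) == "R80.20" for t in targets
            ):
                problems.append((name, "Install On must be Policy Targets or an R80.20 gateway/cluster"))
            if excludes:
                problems.append((name, "exclusion rules must not carry an M&D string"))
        else:
            # Limitations: no content criteria above M&D rules, exclusions only above them
            if first_md is not None and i < first_md and crit:
                problems.append((name, f"rule above M&D rules uses content criteria: {sorted(crit)}"))
            if excludes and first_md is not None and i > first_md:
                problems.append((name, "excluded source/destination rule must be above the M&D rules"))

    # Step 4: the Cleanup rule must Accept so the layer does not affect enforcement
    cleanup = rules[-1]
    if cleanup.get("action") != "Accept":
        problems.append((cleanup["name"], "Cleanup rule Action must be Accept, not Drop"))
    if has_md_tag(cleanup["name"]):
        problems.append((cleanup["name"], "Cleanup rule name must not contain an M&D string"))
    return problems


def md_rule_logs(log_entries):
    """Step 7: keep log entries whose Access Rule Name contains an M&D string."""
    return [e for e in log_entries if has_md_tag(e.get("rule_name", ""))]


# Constructed sample layers and log entries (not real policy or log data)
GOOD_LAYER = [
    {"name": "Skip finance servers", "source": "Any", "destination": "Finance_Srv",
     "excluded_destination": True, "action": "Accept", "track": "None", "vpn": "Any"},
    {"name": "<M&D> Decrypt web for IDS", "source": "Internal_Net", "destination": "Any",
     "vpn": "Any", "services": ["http", "https"], "action": "Accept", "track": "Log",
     "install_on": ["Policy Targets"]},
    {"name": "Cleanup rule", "action": "Accept", "track": "None", "vpn": "Any"},
]
BAD_LAYER = [
    {"name": "Block social", "criteria": ["Application"], "action": "Drop", "track": "Log", "vpn": "Any"},
    {"name": "<m&d> mirror", "action": "Accept", "track": "Log", "vpn": "Any", "install_on": ["gw-old"]},
    {"name": "Cleanup rule", "action": "Drop", "track": "None", "vpn": "Any"},
]
SAMPLE_LOGS = [
    {"rule_name": "<M&D> Decrypt web for IDS", "src": "10.0.1.5", "dst": "203.0.113.10", "service": "https"},
    {"rule_name": "Cleanup rule", "src": "10.0.1.7", "dst": "198.51.100.4", "service": "dns"},
]

if __name__ == "__main__":
    for label, layer, gws in (("good", GOOD_LAYER, None), ("bad", BAD_LAYER, {"gw-old": "R80.10"})):
        print(label, validate_md_layer(layer, gws) or "compliant")
    print(md_rule_logs(SAMPLE_LOGS))
```

Run against `BAD_LAYER` the script reports three findings: the Application-based rule sitting above the M&D rule, the M&D rule installed only on a gateway that is not R80.20, and the Cleanup rule still set to Drop; `GOOD_LAYER` passes. The tag match is deliberately a plain substring test on the four exact spellings, because the page makes the angle brackets mandatory and lists no other case variants.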