Breaking SSL encryption is intended to be difficult; if it weren't, nobody would trust the security of the web. NGFW can decrypt SSL-encrypted packets to meet legal requirements and/or provide more certainty in filtering traffic, but we cannot guarantee it will be 100% effective. Every day there are more cases of new technologies that prevent traffic from being decrypted or alert you that decryption may have been performed.
You must install the included root certificate in every browser in use on the network for SSL Inspector to work. The steps below guide you through the process from start to finish and point out obstacles you may encounter along the way.
1. If applicable, make sure you're in the correct Policy Manager policy in the top left-hand corner of the Apps page.
2. Click Install Apps at the top left-hand corner.
3. Next, click on SSL Inspector to install it.
4. Click on the SSL Inspector icon to open its settings & Status pane. If the Server Certificate Verification pane shows any 'missing' information, follow this article to fix that first. If it shows 'No problems detected', move on to step 5.
5. On the Configuration tab, you can download the Root Certificate Authority, which must be installed on any devices that will be subject to SSL inspection. If those devices are Windows computers, you can use the 'installer' option; if they run any other operating system, use the 'download root certificate' option instead.
   For guidance on installing the certificate on non-Windows devices, please review our Deploying/Installing Root Certificates article.
6. HTTPS Traffic Processing is enabled by default in Configuration.
7. Under the Rules tab, there are a few default rules that you can use to inspect traffic or use as templates for your own rules. Check "Inspect all traffic" to process all other HTTPS sites, but be warned that SSL inspection can be highly resource-intensive and enabling this option can cause significant performance issues. It's better to create specific rules for the traffic that you know you need to inspect.
8. Click the power button under the Status tab to turn on SSL Inspector.
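Once SSL Inspector is on, a client behind the NGFW can confirm whether a given site is actually being inspected by checking that the certificate it receives verifies against the downloaded root certificate. The script below is an added example, not part of the vendor's documentation; it assumes OpenSSL 1.1.0 or later and that re-issued server certificates are signed directly by the downloaded root, and its function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes OpenSSL 1.1.0+ and that the NGFW signs
# re-issued server certificates directly with the downloaded root certificate.

# fetch_leaf HOST [PORT]: print, as PEM, the server certificate this client is shown.
fetch_leaf() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# classify_leaf ROOT_PEM LEAF_PEM: "inspected" if the leaf verifies against the
# given root (-no-CApath keeps the system trust directory out), else "not-inspected".
classify_leaf() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo inspected
    else
        echo not-inspected
    fi
}

# check_host ROOT_PEM HOST: live check, run from a client behind the NGFW.
check_host() {
    leaf=$(mktemp) || return 2
    fetch_leaf "$2" >"$leaf"
    classify_leaf "$1" "$leaf"
    rm -f "$leaf"
}

# make_constructed_certs DIR: offline sample data. Writes root.crt (constructed
# stand-in for the NGFW root), resigned.crt (leaf signed by it) and other.crt
# (unrelated self-signed certificate for the same name).
make_constructed_certs() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed NGFW Root" \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -out resigned.crt 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=site.example" \
        -keyout other.key -out other.crt 2>/dev/null
)

# Usage: sh check-inspection.sh root.crt www.example.com
if [ "$#" -eq 2 ]; then check_host "$1" "$2"; fi
```

A "not-inspected" result for a site you expected to be covered usually means no rule on the Rules tab matched it, or the connection could not be fetched at all.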