We understand that while this is often a 'necessary evil', we also want to ensure that our users are able to provide the protection they require without any hardship that may be unwarranted.
When speaking about filtering HTTPS traffic, it is critical to point out that this is difficult to do regardless of the method used. HTTPS is secured traffic so, inherently, it should be difficult to filter. With that said, there are many use cases that require it such as schools for CIPA compliance or businesses with the need to curtail the usage of non-productive applications and services.
NOTE: If you've already determined that you need to utilize SSL Inspector to filter your traffic, click here for the instructions for doing so.
Identifying Your Use Case
The NGFW provides a method to fully decrypt SSL/HTTPS traffic for filtering, however the configuration and deployment is not easy compared to our other applications. Before we get into the how, we should first discuss the why:
Why do you want to inspect HTTPS traffic?
- Are you looking to be able to better filter browser-based traffic as well as other applications?
- Do you have compliance standards or other regulations that require the filtering of all web-based traffic?
- Do you need to enforce 'safe search' options in search engines?
- Do you need to be able to control bandwidth usage on your network?
- Do you want better visibility into your users' activity online?
If you answered 'yes' to any of the above questions, read on.
Exploring Filtering Methods
Depending on the use case, there are two ways to filter HTTPS traffic in NGFW:
SNI information via Web Filter
In Web Filter there are three nested options under the Advanced tab for SNI information processing. These settings allow Web Filter to leverage information contained in the packet headers of a web request so it can determine some basic information about the site.
This requires no additional configuration of the user's browser, but it is very restricted in capability. Web Filter can see hostname (base URL) and nothing more using this method. This means you can filter youtube.com, but not youtube.com/channel/*.
This option will allow you to filter access to web sites and provide additional data insights in your reports, but it only applies to traffic originating in a web browser (more specifically, ports 80 and 443). If your needs require more than this level of function & detail, then you need SSL Inspector.
Full Decryption via SSL Inspector
Breaking SSL encryption is intended to be difficult; if it weren't, nobody would trust the security of the web. NGFW can decrypt SSL-encrypted packets to meet legal requirements and/or provide more certainty in filtering traffic, but we can not guarantee it will be 100% effective. There are more and more cases every day of new technologies that prevent decrypting traffic or alert you that decryption may have been performed.
You must install the included root certificate in every browser in use on the network for SSL inspector to work.
Step by step instructions for setting up SSL Inspector can be found here.