Creating an SSL rule

To create an SSL rule:

1. In the application web interface, select the Settings → Built-in proxy server → SSL Rules section.
2. Click Add rule.

   The Add rule window opens.

3. In the Action drop-down list, select the action that the application will take on the SSL connection:
   • Tunnel.

     The application will not intercept CONNECT requests that satisfy the defined conditions. These requests will not be taken into account in the statistics on processed traffic in the Dashboard section.

     It may also fail to apply protection rules and the following filtering criteria in access rules: MIME type of HTTP message, MIME type of HTTP message part, File size, HTTP Method.

   • Tunnel with SNI check.

     The application will not intercept CONNECT requests that meet the defined conditions and for which an SNI check was performed. These requests will not be taken into account in the statistics on processed traffic in the Dashboard section.

     Extension of the TLS protocol that transmits the name of the website with which a connection needs to be established. SNI is necessary in cases when multiple services operating over the HTTPS protocol are hosted by the same physical server and use the same IP address but each service has its own security certificate.

     It may also fail to apply protection rules and the following filtering criteria in access rules: MIME type of HTTP message, MIME type of HTTP message part, File size, HTTP Method.

   • Bump.

     The application will intercept CONNECT requests that satisfy the defined conditions, and analyze the contents of encrypted connections.

   • Terminate.

     The application will block CONNECT requests that satisfy the defined conditions.

   For services that do not support intercepts of CONNECT requests, it is recommended to select the Tunnel action. When the Bump and Tunnel with SNI check actions are applied, an SSL connection may be blocked due to an intercept error.

   The Tunnel action is defined by default.

4. In the Source settings group, click Add.
5. In the drop-down list that appears, select the filtering criterion for the connection source:
   • IP address.

     If you selected IP address as the filtering criterion:

     1. In the field on the right of the drop-down list, click the entry area.

        The IP addresses window opens.

     2. Enter one or multiple IP addresses.

        You can specify IP addresses in one of the following formats:

        • IPv4 address (for example, 172.16.5.6).
        • IPv4 subnet with a mask in CIDR notation (for example, 192.168.1.0/24).
        • IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
        • IPv6 subnet with a mask in CIDR notation (for example, fc00::/7).

        When specifying multiple IP addresses, separate them with a semicolon or with a new line.

     3. Click Add.

        The added IP addresses are displayed in the table under the entry field. If the entered value has an invalid format, the icon will appear on its left side. You can modify this address by using the button in the right part of the line.

     4. Click Save.
   • User agent.

     If you selected User agent as the filtering criterion, enter its name in the field on the right of the drop-down list.

     When specifying multiple values, separate them with a semicolon.

6. In the Destination settings group, click Add.
7. In the drop-down list that appears, select the filtering criterion for the connection destination:
   • IP address.

     If you selected IP address as the filtering criterion:

     1. In the field on the right of the drop-down list, click the entry area.

        The IP addresses window opens.

     2. Enter one or multiple IP addresses.

        You can specify IP addresses in one of the following formats:

        • IPv4 address (for example, 172.16.5.6).
        • IPv4 subnet with a mask in CIDR notation (for example, 192.168.1.0/24).
        • IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
        • IPv6 subnet with a mask in CIDR notation (for example, fc00::/7).

        When specifying multiple IP addresses, separate them with a semicolon or with a new line.

     3. Click Add.

        The added IP addresses are displayed in the table under the entry field. If the entered value has an invalid format, the icon will appear on its left side. You can modify this address by using the button in the right part of the line.

     4. Click Save.
   • Hostname.

     If you selected Hostname as the filtering criterion:

     1. In the field on the right of the drop-down list, click the entry area.

        The Hostnames window opens.

     2. Enter one or multiple host names.

        When specifying multiple names, separate them with a semicolon or with a new line.

        To enable subdomains, use a dot at the start of the value. In this case, you cannot specify subdomains as individual records because these records could lead to proxy server errors. For example, if you indicated .example.org, you should not add the record abc.example.org.

     3. Click Add.

        The added host names are displayed in the table under the entry field.

     4. If you want the filter to include all subdomains of the specified name, select the Include subdomains check box.

        If you entered a host name with a dot at the start of the value, the Include subdomains check box will be selected automatically.

     5. Click Save.
8. In the Ports field, enter one or multiple destination ports.

   The rule will be applied only to connections that use the defined ports.

9. In the Name box, type the name of the rule.
10. If necessary, provide any additional information about the rule in the Comment field.
11. Enable or disable use of the rule by using the Status toggle switch.
12. Click Add.

The SSL rule will be created and displayed in the table on the SSL Rules tab.

Page top