tls – a family of commands for managing the TLS/SSL encryption protocols

tls general minimum-version (SSL3_0|TLS1_0|TLS1_1|TLS1_2|TLS1_3)

Set the minimum TLS/SSL version accepted. Possible version values: SSL3_0, TLS1_0, TLS1_1, TLS1_2, TLS1_3.

[no] tls general certificate-validation

Enable (or disable, if no) SSL exclusions by KL category.

[no] tls general log-on-certificate-error

Enable (or disable, if no) logging of server certificate verification errors.

tls general action-on-certificate-error (allow|block)

Set the action taken when server certificate verification fails: allow or block.

tls general verification-timeout <number>

Set the timeout (in milliseconds) for the certificate chain verification procedure. The default is 2000.

show tls general verification-timeout

Show the configured certificate chain verification timeout (in milliseconds).

Example output:

{
  "ngfw-tls-cert:tls": {
    "general": {
      "verification-timeout": 2000
    }
  }
}

tls exclusions categories-ssl-exceptions (enabled|disabled)

Enable or disable SSL exclusions.

tls exclusions categories-ssl-exceptions-log (enabled|disabled)

Enable or disable logging of occurrences of exclusions by category.

tls exclusions uncategorized-ssl-exceptions (decrypt|no-decrypt)

Allow or prohibit SSL exclusions for uncategorized sessions (decrypt or no-decrypt).

tls exclusions predefined-category <name>

Select a predefined category from the list by name (spaces are not allowed) and enter its configuration menu.

tls exclusions predefined-category=['name']> action (decrypt|no-decrypt)

Allow or prohibit the SSL exclusion for this category (decrypt or no-decrypt).

Example:

ngfw> tls exclusions predefined-category banks
ngfw> tls exclusions predefined-category=['banks']> action decrypt
ngfw> tls exclusions predefined-category=['banks']> exit

show tls exclusions predefined-categories

Show information about SSL exclusions for all categories.

Example output:

ngfw> show tls exclusions predefined-categories
{
  "ngfw-tls:tls": {
    "predefined-ssl-category": [
      {
        "category": "adult",
        "action": "decrypt"
      },
      {
        "category": "pornography-erotic",
        "action": "decrypt"
      },

tls exclusions trusted-domains-enabled (enabled|disabled)

Enable or disable trusted domain names.

tls exclusions trusted-domains-log (enabled|disabled)

Enable or disable logging of occurrences of trusted domains.

[no] tls trusted trusted-certificates <name>

Delete a trusted CA certificate or enter the menu for adding a trusted CA certificate that is used to verify the trust of server certificates in SSL. A CA certificate is identified by a unique <name>.

tls trusted trusted-certificates=['name']> load <path>

Load the body of the trusted CA certificate from the file at the full <path>. The certificate must be stored in PEM format. Once the file has been loaded successfully, the user may delete it.

Example:

ngfw> tls trusted trusted-certificates ca
ngfw> tls trusted trusted-certificates=['ca']> load /tmp/certificate.crt
ngfw> tls trusted trusted-certificates=['ca']> exit

show tls trusted trusted-certificates

Show information about all loaded trusted certificates.

Example output:

ngfw> show tls trusted trusted-certificates
{
  "ngfw-tls:tls": {
    "trusted-certificates": [
      {
        "id": "c9b6ace2-2d3a-4efd-acd8-5666d3b36878",
        "name": "ca",
        "certificate-body": "-----BEGIN CERTIFICATE-----\u000AMIIDfzCCAmegAwIBAgIJQQAAAAFlu2Y3MA0GCSqGSIb3DQEBCwUAMFQxGTAXBgNV\u000ABAoMEEFPIEthc3BlcnNreSBMYWIxNzA1BgNVBAMMLkthc3BlcnNreSBBbnRpLVZp\u000AcnVzIFBlcnNvbmFsIFJvb3QgQ2VydGlmaWNhdGUwHhcNMTQwMjAzMDkzNjU1WhcN\u000AMzQwMTI5MDkzNjU1WjBUMRkwFwYDVQQKDBBBTyBLYXNwZXJza3kgTGFiMTcwNQYD\u000AVQQDDC5LYXNwZXJza3kgQW50aS1WaXJ1cyBQZXJzb25hbCBSb290IENlcnRpZmlj\u000AYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA12GklrKSC+v7o/ep\u000At8VfPO3ZpKwdpcK1RRubl5Q3lWIMxnewdFNhhW5jWFAtufXgR/WhoYwB+s1UeJKg\u000AaBO/9Yls8dvLd4ddeclQNbQkhwMh69vxF3GlxN6Suny8aLBvxaBVi+3iHvTlHQY9\u000AALuN/Sm7ZJf6WyyMhqMqXBoM+tHehrMoHd70bwgtDw38l7svI6vzRjApFCtcfc/L\u000Ad/yDFDfMszi6mgEA4uuTlE3n0zGNg5QGf+0gttz85Vk2tmuIv1dKg0Z/o1OqsBPf\u000AAoLiO5AuM/dh0I73bTi4M3s7SfNiEEXGI6+Heq11r8MA0SpLQACU4R/vVftFUl91\u000AFcPsfQIDAQABo1QwUjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRxvTT8ZOhS\u000AwLf9PJz768tnlAmIFjALBgNVHQ8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\u000ADQYJKoZIhvcNAQELBQADggEBAL5FIIa69NN3EQNUjYFsYr7TtdjzzuYSpRayengj\u000A63VFynPIfzcXVRqG0lUwhaXv7VahofZxoaFdmI4naDPZ19W1KQmVksYM01nveoFP\u000Akt/wcZlmx+0iObOfVdxk8PPQWcHkmkvD13ngdI14bbnjgoUqHMSLrSEkRIWzIOE3\u000AENDEsfvfxzbrNAuQftEYowUsQ60D1FPY8W2N0Hz4mMN/1hM5JkrVZMhBGvF1hJHW\u000AdOhG1hff3E1rJdc7RtwniRHeLOA44JJCTHRy83Ii5MFqcGJvWGb3VHj9ylfQuF2N\u000AFRYSnFE73oYMJVPulRrsN6RjpZJonAFeVoDe+Kw79791dQA=\u000A-----END CERTIFICATE-----\u000A\u000A"
      }
    ]
  }
}

[no] tls trusted trusted-domains <mask>

Add (or remove, if no) a domain mask to (from) the list of domains excluded from scanning.

Example:

tls trusted trusted-domains kaspersky.ru
tls trusted trusted-domains sberbank.ru

show tls trusted trusted-domains

Show information about all domain masks excluded from scanning.

Example output:

ngfw> show tls trusted trusted-domains
{
  "ngfw-tls:tls": {
    "trusted-domains": [
      "kaspersky.ru",
      "sberbank.ru"
    ]
  }
}

tls trusted trusted-root <path>

Upload a trusted root CA certificate (and its private key, for SSL/TLS MITM) to be used to verify the trust of the server certificate in SSL MITM. A CommonName (CN) must be specified in the certificate.

Example:

tls trusted trusted-root /tmp/cert.pem

no tls trusted trusted-root

Delete all uploaded root certificates.

tls trusted untrusted-root <path>

Upload an untrusted root CA certificate (and its private key, for SSL/TLS MITM) to be used when a verification error occurs while certificate verification is enabled and the allow action is selected. A CommonName (CN) and an OrganizationName (O) must be specified in the certificate.

Example:

tls trusted untrusted-root /tmp/cert.pem
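The trusted-root and untrusted-root commands above reject a PEM file whose certificate lacks a CN (and, for untrusted-root, an O), and both expect the private key alongside the certificate. The following Python script is an added example, not part of the NGFW product or of this reference: before uploading, it walks the certificate's DER subject with the standard library only and reports CN, O and whether a private-key block is present. As constructed sample input it uses the CA certificate shown in the show tls trusted trusted-certificates output above (which carries no private key); OID-to-name mapping and the heuristic private-key check are this example's own.

```python
import base64

# Constructed sample: the page's "show tls trusted trusted-certificates" CA certificate as a PEM file.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDfzCCAmegAwIBAgIJQQAAAAFlu2Y3MA0GCSqGSIb3DQEBCwUAMFQxGTAXBgNVBAoMEEFPIEthc3BlcnNreSBMYWIxNzA1BgNVBAMMLkthc3BlcnNreSBBbnRpLVZp"
    "cnVzIFBlcnNvbmFsIFJvb3QgQ2VydGlmaWNhdGUwHhcNMTQwMjAzMDkzNjU1WhcNMzQwMTI5MDkzNjU1WjBUMRkwFwYDVQQKDBBBTyBLYXNwZXJza3kgTGFiMTcwNQYD"
    "VQQDDC5LYXNwZXJza3kgQW50aS1WaXJ1cyBQZXJzb25hbCBSb290IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA12GklrKSC+v7o/ep"
    "t8VfPO3ZpKwdpcK1RRubl5Q3lWIMxnewdFNhhW5jWFAtufXgR/WhoYwB+s1UeJKgaBO/9Yls8dvLd4ddeclQNbQkhwMh69vxF3GlxN6Suny8aLBvxaBVi+3iHvTlHQY9"
    "ALuN/Sm7ZJf6WyyMhqMqXBoM+tHehrMoHd70bwgtDw38l7svI6vzRjApFCtcfc/Ld/yDFDfMszi6mgEA4uuTlE3n0zGNg5QGf+0gttz85Vk2tmuIv1dKg0Z/o1OqsBPf"
    "AoLiO5AuM/dh0I73bTi4M3s7SfNiEEXGI6+Heq11r8MA0SpLQACU4R/vVftFUl91FcPsfQIDAQABo1QwUjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRxvTT8ZOhS"
    "wLf9PJz768tnlAmIFjALBgNVHQ8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAL5FIIa69NN3EQNUjYFsYr7TtdjzzuYSpRayengj"
    "63VFynPIfzcXVRqG0lUwhaXv7VahofZxoaFdmI4naDPZ19W1KQmVksYM01nveoFPkt/wcZlmx+0iObOfVdxk8PPQWcHkmkvD13ngdI14bbnjgoUqHMSLrSEkRIWzIOE3"
    "ENDEsfvfxzbrNAuQftEYowUsQ60D1FPY8W2N0Hz4mMN/1hM5JkrVZMhBGvF1hJHWdOhG1hff3E1rJdc7RtwniRHeLOA44JJCTHRy83Ii5MFqcGJvWGb3VHj9ylfQuF2N"
    "FRYSnFE73oYMJVPulRrsN6RjpZJonAFeVoDe+Kw79791dQA=\n-----END CERTIFICATE-----\n"
)

def _tlv(buf, pos=0):  # read one DER TLV at pos -> (tag, value, end_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0  # yield the (tag, value) elements of a constructed DER value
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def subject_attributes(der):
    """Map subject attribute OIDs (hex of DER contents) to their string values."""
    fields = list(_children(next(_children(_tlv(der)[1]))[1]))  # tbsCertificate
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    attrs = {}  # fields[4] is the subject Name: SEQUENCE OF SET OF SEQUENCE
    for _, rdn in _children(fields[4][1]):
        for _, atv in _children(rdn):
            oid, val = _children(atv)  # AttributeTypeAndValue
            attrs[oid[1].hex()] = val[1].decode("utf-8", "replace")
    return attrs

def check_pem(pem):
    """Pre-upload check for a trusted-root / untrusted-root PEM file."""
    _, sep, rest = pem.partition("-----BEGIN CERTIFICATE-----")
    if not sep:
        return None
    attrs = subject_attributes(base64.b64decode("".join(rest.split("-----END", 1)[0].split())))
    return {"cn": attrs.get("550403"), "o": attrs.get("55040a"),  # OIDs 2.5.4.3, 2.5.4.10
            "private_key": "PRIVATE KEY-----" in pem}
```

For the sample, check_pem reports both CN and O but no private key, so the file would satisfy the CN/O requirements of either command yet still needs the key before upload.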

clear tls trusted trusted-domains

Delete all domain masks excluded from scanning.

clear tls trusted trusted-certificates

Delete all uploaded trusted certificates.
