SSL inspection

Kaspersky NGFW can scan both unencrypted and encrypted traffic. Unencrypted traffic is scanned using standard traffic rules. Encrypted traffic is not scanned by default. To process encrypted traffic, you need to configure the decryption of TLS/SSL connections. If decryption is not enabled, Web Control, Anti-Virus, and IDPS cannot scan network traffic transmitted over encrypted connections.

Encrypted traffic is scanned using a MITM (man-in-the-middle) mechanism, that is, certificate substitution (spoofing). For this purpose, Kaspersky NGFW uses the uploaded trusted certificate: it validates the server's certificate and decrypts the network traffic so that it can be scanned before it is forwarded to the client. Kaspersky NGFW then re-encrypts the traffic under its own certificate and forwards it to the client. The client must trust the Kaspersky NGFW certificate; to achieve this, the certificate must be added to the trusted certificates on users' computers.

When a TLS connection is established with a client, Kaspersky NGFW issues a new certificate for that connection, signed by either the uploaded trusted certificate or the uploaded untrusted certificate. If the server's certificate is invalid or fails the trust check, you can still allow traffic from that server. To do so, upload an untrusted certificate; it is then used to sign the certificate that is presented to the client.
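To make the trust relationship described above concrete, the following Go program (an added example, not Kaspersky code) creates a self-signed inspection CA, re-issues a server certificate under it the way the NGFW does for each client connection, and checks whether a client accepts that certificate with and without the CA in its trust store. The names example.test, "Public CA" and "NGFW inspection CA" are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn/dns. With parent == nil it is self-signed (a CA root); otherwise it
// is signed by the parent's key, as the NGFW does when it re-issues a server certificate to the client.
func issue(cn string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil, // self-signed certificates act as CA roots in this demo
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// clientTrusts reports whether a client whose trust store holds roots accepts leaf for host.
func clientTrusts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Simulate models the flow on this page: the origin server presents a certificate from a public CA; the NGFW
// re-issues one for the same name under its inspection CA. Returns client acceptance with/without that CA.
func Simulate() (withNGFWCA, withoutNGFWCA bool) {
	publicCA, publicKey := issue("Public CA", nil, nil, nil)
	origin, _ := issue("example.test", []string{"example.test"}, publicCA, publicKey)
	ngfwCA, ngfwKey := issue("NGFW inspection CA", nil, nil, nil)
	reissued, _ := issue(origin.Subject.CommonName, origin.DNSNames, ngfwCA, ngfwKey) // copy name and SANs
	return clientTrusts(reissued, "example.test", publicCA, ngfwCA), clientTrusts(reissued, "example.test", publicCA)
}
```

The first result is true only because the inspection CA sits in the client's trust store; the second shows the certificate error a user sees when that CA has not been deployed.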

Some traffic cannot be decrypted. For certain websites, encrypted connections are not scanned even after trusted certificates have been installed. These are mainly websites dealing with medical or financial information, as well as Kaspersky domains. The list of such websites is provided by Kaspersky.

Decrypting network traffic significantly slows down traffic analysis on Kaspersky NGFW.

Decryption of SSL connections involves the following steps:

  1. Enabling SSL decryption

    Enable the decryption of encrypted connections.

  2. Adding a certificate and private key to intercept SSL connections

    Add the trusted and untrusted certificates.

  3. Adding a trusted or untrusted certificate to be used for encrypting the connection with the client, and the public key for the certificate

  4. Configuring traffic decryption

    Create and configure decryption rules.

  5. Adding the certificate to computers of users

    Add the certificate to users' computers.

In this section

Adding a trusted certificate

Verifying the server certificate and uploading an untrusted certificate

Enabling or disabling SSL connection decryption

Managing decryption rules

Excluding encrypted connections from scanning