Kaspersky NGFW can scan both unencrypted and encrypted traffic. Unencrypted traffic is scanned using standard traffic rules. Encrypted traffic is not scanned by default. To process encrypted traffic, you need to configure the decryption of TLS/SSL connections. If decryption is not enabled, Web Control, Anti-Virus, and IDPS cannot scan network traffic transmitted over encrypted connections.
Encrypted traffic is scanned using the MITM (man-in-the-middle) mechanism, that is, certificate substitution. For this purpose, Kaspersky NGFW uses an uploaded trusted certificate to decrypt and scan network traffic before it is transmitted to the client. The client must trust the Kaspersky NGFW certificate; to achieve this, the certificate must be added to the trusted certificate store on users' computers.
For each new TLS connection, Kaspersky NGFW issues a new certificate for the requested server and signs it with the uploaded trusted certificate. If the server certificate is invalid, you can still allow traffic from that server. To do so, you need to upload an untrusted certificate, which is then used to sign the certificate that is given to the client. Because the client does not trust that signing certificate, validation still fails on the client side, so users see a certificate warning for the invalid server instead of a connection that looks trusted.
You can also enable verification of server certificates and configure the actions to be applied to the session based on the verification results. In this case, you need to add a list of trusted server certificates on the command line using the load command inside the tls trusted trusted-certificates=['<CA certificate name>'] command from the tls family of commands. For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.
A list of trusted server certificates can only be added on the command line.
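The mechanism described above (a new certificate issued per connection, the trusted and untrusted signing certificates, and verification of the origin server certificate against a list of trusted server certificates) can be emulated with openssl. The following script is an added example and not Kaspersky code: the CA names, hostnames and file names are invented, the NGFW's trusted server certificate list is modelled as a single PEM bundle, and the client's trust store is assumed to contain only the uploaded trusted CA.

```shell
#!/bin/sh
# Added example, not Kaspersky code: emulates TLS inspection certificate issuance with openssl.
# Assumptions: CA names, hostnames and file names are invented; the NGFW's trusted
# server certificate list is modelled as one PEM bundle; the client's trust store
# contains only the uploaded trusted CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
export LEAF_HOST=placeholder   # read by the config below; overridden per leaf certificate

# Self-contained OpenSSL config so the example does not depend on a system openssl.cnf.
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::LEAF_HOST}
EOF

# Create a self-signed CA: $1 = file base name, $2 = common name.
make_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 30 -config "$WORK/x509.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate: $1 = file base name, $2 = hostname, $3 = signing CA base name.
issue_leaf() {
  LEAF_HOST="$2" openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -config "$WORK/x509.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  LEAF_HOST="$2" openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 7 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/x509.cnf" -extensions leaf_ext -out "$WORK/$1.crt" 2>/dev/null
}

# Emulates the NGFW for one connection ($1 = hostname, $2 = origin certificate base name,
# $3 = base name for the certificate shown to the client): the origin certificate is
# verified against the trusted server certificate list, then a fresh certificate is
# issued for the client, signed by the trusted CA when verification passes and by the
# untrusted CA when it fails. Prints the name of the signing CA.
inspect() {
  if openssl verify -no-CApath -CAfile "$WORK/ngfw_trusted_servers.pem" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    signer=ngfw_trusted
  else
    signer=ngfw_untrusted
  fi
  issue_leaf "$3" "$1" "$signer"
  echo "$signer"
}

# What a user's browser does: trust only the installed NGFW CA and check the hostname.
# $1 = certificate base name, $2 = hostname. Prints yes or no.
client_accepts() {
  if openssl verify -no-CApath -CAfile "$WORK/ngfw_trusted.crt" -verify_hostname "$2" \
       "$WORK/$1.crt" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Serial number of a certificate, used to show that each connection gets a new one.
serial_of() { openssl x509 -noout -serial -in "$WORK/$1.crt"; }

make_ca ngfw_trusted   "NGFW Inspection CA"   # the uploaded trusted certificate
make_ca ngfw_untrusted "NGFW Untrusted CA"    # the uploaded untrusted certificate
make_ca public_ca      "Public Root CA"       # a CA the NGFW is configured to trust
make_ca rogue_ca       "Unknown Root CA"      # a CA nobody trusts
cp "$WORK/public_ca.crt" "$WORK/ngfw_trusted_servers.pem"   # the trusted server list

issue_leaf origin_good good.example.test public_ca   # valid origin certificate
issue_leaf origin_bad  bad.example.test  rogue_ca    # invalid origin certificate

s1=$(inspect good.example.test origin_good fwd_good_1)
s2=$(inspect good.example.test origin_good fwd_good_2)   # second connection, new certificate
s3=$(inspect bad.example.test  origin_bad  fwd_bad)
echo "good.example.test: signed by $s1, client accepts: $(client_accepts fwd_good_1 good.example.test)"
echo "bad.example.test:  signed by $s3, client accepts: $(client_accepts fwd_bad bad.example.test)"
echo "second connection signed by $s2; serials: $(serial_of fwd_good_1) vs $(serial_of fwd_good_2)"
```

Running the script shows the valid server being re-signed by the trusted CA and accepted by a client that trusts only that CA, the invalid server being re-signed by the untrusted CA and rejected by the same client, and two connections to the same server receiving certificates with different serial numbers.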
Some traffic cannot be decrypted. For some websites, encrypted connections are not scanned even after the trusted certificate has been installed. Such websites mainly include medical and financial websites, as well as Kaspersky domains. The list of such websites is provided by Kaspersky.
Decrypting network traffic significantly increases the load on Kaspersky NGFW and slows down traffic analysis.
Decryption of SSL connections involves the following steps:
Add the certificate to computers of users.