Creating a decryption rule

For the action of a created rule to be applied to traffic, decryption of encrypted connections must be enabled.

You can create up to 1024 decryption rules. When this limit is reached, a warning is displayed.

To create a decryption rule:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the SSL Inspection section, select Decryption rules.
  3. In the upper part of the workspace, click the Create button.

    This opens the decryption rule creation window.

    A unique number (UUID) is automatically assigned to the rule.

  4. Go to the General section and follow these steps:
    1. If you want to apply the rule immediately after adding it, leave the Status toggle switch in the On position. If you do not want to apply the rule, set the toggle switch to Off. By default, the toggle switch is set to On.
    2. In the Name field, enter a name for the new rule.

      The name of the rule must be unique among all rules. The maximum length is 128 characters.

    3. If necessary, in the Description field, enter an arbitrary description of the rule.

      The maximum length is 256 characters.

    4. If you want to change the priority of the created rule, in the Priority field, specify the position of the rule in the table.

      By default, the rule is added to the end of the table, just in front of the default rule.

    5. Select the action to be applied to traffic that matches the criteria of this rule:
      • Decrypt to decrypt traffic transmitted over encrypted protocols.
      • Don't decrypt to not decrypt traffic transmitted over encrypted protocols.

      By default, the Decrypt action is selected for a new rule.

  5. If you want to configure filtering by source qualifier, go to the Source section and follow these steps:
    1. Configure the qualifier by selecting Custom.

      The Any option is selected by default.

    2. Select the tab of the source type that you want to add:
      • Addresses. You can add and, if necessary, modify an existing address, or create a new address:
        • To add an existing address to the rule, set the toggle switch next to the relevant address to On. You can modify an existing address by selecting the check box next to it and clicking the Edit button.
        • To add multiple existing addresses, select the check boxes next to the relevant addresses and click Use in rule.
        • To create a new address, click Create. Select the type of the address (host, address range, subnet, or GeoIP) and enter the IP addresses. Then click Create.

        For details about creating and editing addresses, see the section about address management.

        The address is displayed or updated in the list of addresses on the Addresses tab.

      • Security zones. You can add and, if necessary, modify an existing security zone, or create a new network object:
        • To add the default security zone or an existing security zone to the rule, set the toggle switch next to the relevant security zone to On. You can modify an existing security zone by selecting the check box next to it and clicking the Edit button. For default security zones, you can only edit the description.
        • To add multiple existing security zones, select the check boxes next to the relevant security zones and click Use in rule.
        • To create a new security zone, click Create. Enter a title and a description. Then click Create.

        You can add up to 1000 security zones to a rule.

        For details about creating and editing security zones, see the section about security zone management.

        The security zone is displayed or updated in the table in the Security zones section.

        You can only add security zones of the same type, L2 or L3. If you have added one or more security zones of one type to a rule (in the Source or in the Destination section), the table displays only security zones of the same type (for example, only L2 type zones). Zones of the other type are hidden. You cannot add them to a rule until you remove all security zones of the other type from the rule. This limitation applies only if you selected the Custom option to manage qualifier settings.

        The rule is applied to traffic only if the source interface of the device is added to the zone specified in the rule as the source, and the destination interface is added to the zone specified in the rule as the destination.

    You can add up to 16 records of different types to a rule.

  6. If you want to configure filtering by destination qualifier, go to the Destination section. The address and security zone settings in this section are similar to those in the Source section.

    You can add up to 16 records of different types to a rule.

  7. If you want to configure filtering by service qualifier, go to the Services section and follow these steps:
    1. Configure the qualifier by selecting Custom.

      The Any option is selected by default.

    2. Add an existing service from the list, create a new service, or modify an existing service:
      • To add an existing service to the rule, in the row with the relevant service, enable the toggle switch in the Used in rule column. You can modify an existing service by clicking its name.
      • To add multiple existing services, select the check boxes next to the relevant services and click Use in rule.
      • To create a new service, click Create. Enter a name and a description, add the protocol, configure the required protocol settings, and click Create.

      You can add up to 16 services of different types to a rule.

      For details about creating and modifying services, see the Services section.

      The service is displayed or updated in the list of services on the Services tab.

      If protocols other than TCP have been added to the service, these protocols are ignored for decryption rules.

  8. Save the rule by clicking Create.

    The new rule is added to the list.

  9. Apply the OSMP policy changes by clicking the Commit and push button.

The new decryption rule does not apply to sessions established before this decryption rule was created.
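The following is an added example, not code from Kaspersky or from the product documented here. It models the decryption rule table described above so that the stated constraints can be checked offline (rule count, name and description length, 16 records per qualifier, no mixing of L2 and L3 zones, non-TCP service entries ignored) and so that a practitioner can see which rule a given connection would hit. The field names, the first-match evaluation order, the requirement that both a listed zone and a listed address must match when both are configured, and the default rule's action are assumptions; all addresses, zones and timestamps are constructed sample data.

```python
# Added example (not the product's code): a model of the decryption rule table
# described on this page. Field names, first-match semantics and the default
# rule's action are assumptions; sample data below is constructed.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_RULES, MAX_NAME, MAX_DESCRIPTION, MAX_RECORDS = 1024, 128, 256, 16


@dataclass
class Qualifier:
    """Source/Destination qualifier: Any, or Custom with addresses and zones."""
    any: bool = True
    addresses: List[str] = field(default_factory=list)          # CIDR strings
    zones: List[Tuple[str, str]] = field(default_factory=list)  # (name, "L2"|"L3")


@dataclass
class Rule:
    name: str
    action: str = "Decrypt"                 # "Decrypt" or "Don't decrypt"
    enabled: bool = True                    # the Status toggle
    description: str = ""
    source: Qualifier = field(default_factory=Qualifier)
    destination: Qualifier = field(default_factory=Qualifier)
    services: Optional[List[Tuple[str, int]]] = None  # None = Any; [(proto, port)]
    created_at: datetime = datetime.min


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    src_zone: Tuple[str, str]   # zone of the ingress interface
    dst_zone: Tuple[str, str]   # zone of the egress interface
    protocol: str
    dst_port: int
    established_at: datetime


def validate(table: List[Rule]) -> List[str]:
    """Return a list of violations of the limits stated on this page."""
    problems = []
    if len(table) > MAX_RULES:
        problems.append(f"more than {MAX_RULES} rules")
    names = [r.name for r in table]
    for r in table:
        if names.count(r.name) > 1:
            problems.append(f"{r.name}: name is not unique")
        if len(r.name) > MAX_NAME:
            problems.append(f"{r.name}: name longer than {MAX_NAME} characters")
        if len(r.description) > MAX_DESCRIPTION:
            problems.append(f"{r.name}: description longer than {MAX_DESCRIPTION}")
        layers = set()
        for q in (r.source, r.destination):
            if q.any:
                continue
            if len(q.addresses) + len(q.zones) > MAX_RECORDS:
                problems.append(f"{r.name}: more than {MAX_RECORDS} records in a qualifier")
            layers.update(layer for _, layer in q.zones)
        if len(layers) > 1:   # L2 and L3 zones cannot be mixed within one rule
            problems.append(f"{r.name}: mixes L2 and L3 security zones")
        if r.services is not None and len(r.services) > MAX_RECORDS:
            problems.append(f"{r.name}: more than {MAX_RECORDS} services")
    return problems


def _qualifier_matches(q: Qualifier, ip: str, zone: Tuple[str, str]) -> bool:
    if q.any:
        return True
    if q.zones and zone not in q.zones:          # interface must belong to a listed zone
        return False
    if q.addresses and not any(ip_address(ip) in ip_network(n) for n in q.addresses):
        return False
    return True


def _service_matches(services, conn: Connection) -> bool:
    if services is None:
        return True
    # Protocols other than TCP in a service are ignored for decryption rules.
    tcp_ports = {port for proto, port in services if proto == "TCP"}
    return conn.protocol == "TCP" and conn.dst_port in tcp_ports


def decide(table: List[Rule], conn: Connection, default_action: str = "Don't decrypt"):
    """First enabled matching rule in table order wins (assumed); a rule never
    applies to a session established before the rule was created."""
    for r in table:
        if not r.enabled or conn.established_at < r.created_at:
            continue
        if (_qualifier_matches(r.source, conn.src_ip, conn.src_zone)
                and _qualifier_matches(r.destination, conn.dst_ip, conn.dst_zone)
                and _service_matches(r.services, conn)):
            return r.name, r.action
    return "default", default_action


# Constructed sample table: a "don't decrypt" exception ahead of a broad decrypt rule.
T0 = datetime(2024, 1, 1)
SAMPLE_TABLE = [
    Rule("skip-banking", action="Don't decrypt", created_at=T0,
         destination=Qualifier(any=False, addresses=["203.0.113.0/24"]),
         services=[("TCP", 443)]),
    Rule("decrypt-lan-to-wan", created_at=T0,
         source=Qualifier(any=False, zones=[("lan", "L3")]),
         destination=Qualifier(any=False, zones=[("wan", "L3")]),
         services=[("TCP", 443), ("UDP", 443)]),   # the UDP entry is ignored
]
MIXED_RULE = Rule("mixed", source=Qualifier(any=False, zones=[("lan", "L3")]),
                  destination=Qualifier(any=False, zones=[("dmz", "L2")]))
CONN_BANK = Connection("10.0.0.5", "203.0.113.10", ("lan", "L3"), ("wan", "L3"), "TCP", 443, datetime(2024, 6, 1))
CONN_WEB = Connection("10.0.0.5", "198.51.100.7", ("lan", "L3"), ("wan", "L3"), "TCP", 443, datetime(2024, 6, 1))
CONN_QUIC = Connection("10.0.0.5", "198.51.100.7", ("lan", "L3"), ("wan", "L3"), "UDP", 443, datetime(2024, 6, 1))
CONN_OLD = Connection("10.0.0.5", "198.51.100.7", ("lan", "L3"), ("wan", "L3"), "TCP", 443, datetime(2023, 12, 31))

if __name__ == "__main__":
    print(validate(SAMPLE_TABLE), validate([MIXED_RULE]))
    for c in (CONN_BANK, CONN_WEB, CONN_QUIC, CONN_OLD):
        print(c.dst_ip, c.protocol, c.established_at.date(), "->", decide(SAMPLE_TABLE, c))
```

The two points worth noticing when running it: the UDP 443 entry in the second rule never contributes to a match, so the QUIC-style connection falls through to the default rule, and a session established before the rules' creation time is also left to the default rule even though its addresses and ports match.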
