SSL-DPI Client
Chechler_2
Newbie ✭
I have a TZ570, which interfaces do I need to enable? Just the LAN? Going to implement CFS with our CA root certificate
Category: Mid Range Firewalls
0
Best Answers
-
CORRECT ANSWER
BWC
Cybersecurity Overlord ✭✭✭
@Chechler_2 as mentioned above, Client DPI-SSL should be enabled on the LAN Zone (it's enabled per Zone) and globally in the DPI-SSL settings.
--Michael@BWC
1 -
CORRECT ANSWER
MitatOnge
All-Knowing Sage ✭✭✭✭
Which one do you want to decrypt packets? İf you want to LAN traffic, you should enable on the lan zone client dpi SSL service check box1
Answers
@Chechler_2 I guess we're talking about Client DPI-SSL and this has to be enabled on Policy -> DPI-SSL -> Client SSL and in the Zone you like to have the encrypted traffic inspected, e.g. LAN.
For obvious reasons I would not import the company CA cert, this should be kept away from any device except the CA server. I would go with a Sub CA for DPI-SSL, but you have to distribute this Sub CA to your clients as well, because the Firewall is not able to return the whole certificate chain.
--Michael@BWC
Hi @Chechler_2
you can find out below link about certificate installation details.
@BWC
Thanks again for your quick responses. Certificate statement understood. I still will like to know which interface(s) (WAN, LAN, WIFI, etc) to enable the Deep Packet Inspection.
@MitatOnge
Thanks for the link to the article, very helpful. As I mentioned above, I was wondering which Interface(s) (WAN,LAN,WIFI,etc) need to be enabled for the Deep Packet Inspection.