Decryption needs to be configured if you need FlexVNF to inspect encrypted traffic. Without decryption, FlexVNF cannot perform deep packet inspection on HTTPS traffic.
This document illustrates decryption configuration for both decryption types: “Forward Proxy” and “Full Proxy”.
- Create a key.
- Create an SSL certificate.
- Configure the decryption profile.
Configure the decryption type as SSL Forward Proxy or SSL Full Proxy, as required:
- Configure the Secure Web Proxy. Only applicable to “SSL Full Proxy”:
“SSL Full Proxy” requires configuring a “Secure Web Proxy”. The listen port is 443, since we want to listen for and decrypt/encrypt HTTPS traffic. The routing instance is the source of the HTTPS traffic.
SSL Full Proxy has two modes: Transparent and Explicit. In Explicit mode you must specify the IP address of the LAN interface and the SNAT pool.
- Configure the decryption policy.
- Configure the decryption rule.
- Export/download the certificate, which will later be installed in the browser.
- Copy the SSL certificate to your host machine, change the file extension to .cer, and double-click the file to install it.
- Place the certificate in “Trusted Root Certificate Authorities”.
- Verify your configuration as follows:
- Browse to any HTTPS site, click the key icon beside the URL bar, and click “Certificate (Valid)”. You will see that the SSL certificate is the one we created.
- On the branch CLI, run the following commands and make sure the hit counts increment:
```
show orgs org-services org1-sub security decryption-policies rules decrypt-policy-stats
show orgs org-services org1-sub security profiles decrypt profile-stats decryption-profile1
```
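The certificate-install and browser-check steps above, as a scripted verification (an added example, not Versa's or the FlexVNF product's own code): it converts the exported certificate to PEM if it was downloaded as DER, then connects to a site trusting only the FlexVNF CA, so the handshake verifies only when the forward proxy has re-signed the site certificate. The host name, CA file name and CA common name in the `__main__` block are assumed placeholders.

```python
"""Check that an HTTPS flow is really being decrypted by the FlexVNF SSL
forward proxy: the leaf certificate the client sees must have been issued
by the CA certificate exported from FlexVNF (example code, not Versa's)."""
import base64
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem(cert_bytes: bytes) -> str:
    """Return the exported certificate as PEM. The download may be raw DER
    (what Windows installs as .cer); Python's ssl module needs PEM."""
    text = cert_bytes.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        return text
    body = base64.encodebytes(cert_bytes).decode("ascii")  # wrapped at 76 cols
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


def rdn_to_dict(name) -> dict:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) tuples."""
    return {k: v for rdn in name for k, v in rdn}


def issued_by(peer_cert: dict, ca_common_name: str) -> bool:
    """True if the leaf's issuer CN is the CA created on FlexVNF."""
    return rdn_to_dict(peer_cert["issuer"]).get("commonName") == ca_common_name


def decrypted_by_flexvnf(host: str, ca_pem_path: str, ca_common_name: str,
                         port: int = 443) -> bool:
    """Connect trusting ONLY the exported FlexVNF CA. A verified handshake
    whose issuer is that CA means the proxy re-signed the site certificate
    (decryption active). CERTIFICATE_VERIFY_FAILED means the site's real
    chain reached the client, i.e. this flow bypassed decryption."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return issued_by(tls.getpeercert(), ca_common_name)
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    # Assumed placeholder values: use the CA name chosen when creating the
    # SSL certificate and the PEM file produced by to_pem() from the export.
    print(decrypted_by_flexvnf("example.com", "flexvnf-ca.pem", "FlexVNF-CA"))
```

Run it from a client behind the branch: `True` confirms the flow matches a decryption rule, while `False` for a site that should be decrypted points at the policy or rule configuration.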