
Knowledge Articles & Software


How do I inspect HTTPS traffic? [Fireware XTM v11.4.x]


Question

Many web sites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your XTM device to decrypt the information and then encrypt it with a certificate the user trusts.

By default, the XTM device re-signs the content it has inspected with a self-signed certificate. Users without a copy of this certificate see a certificate warning when they connect to a secure web site with HTTPS. If the remote web site uses a certificate that is expired, or if the certificate is signed by a CA (Certificate Authority) the XTM device does not recognize, the XTM device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate.

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, then you can import a certificate on the XTM device that is signed by your organization. If your organization does not have a PKI, we recommend that you copy the default, self-signed certificate from the XTM device to each client device.

This document includes information about how to export a certificate from the XTM device and import it on a Microsoft Windows or Mac OS X system. To import the certificate on other devices, operating systems, or applications, see the documentation from their manufacturers.

For more information about how to use certificates with Policy Manager, see About Certificates. For more information about how to use certificates with the Fireware XTM Web UI, see About Certificates.

Answer

Before You Begin


We recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network before you enable this feature. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS-proxy with a small number of users to ensure that it operates correctly before you apply the HTTPS-proxy to traffic on a large network.

Configure the HTTPS-proxy


From Policy Manager

1. Select Edit > Add Policy.

The Add Policies dialog box appears.


2. Expand the Proxies category and select HTTPS-proxy. Click Add.

The New Policy Properties dialog box appears, with the Policy tab selected.
3. Adjacent to the Proxy Action drop-down list, click the View/Edit Proxy button.

The HTTPS Proxy Action configuration dialog box appears, with the Content Inspection category selected.
4. On the Content Inspection page, select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select an HTTP-proxy action to use to inspect HTTPS content, or create a new HTTP-proxy action to use for this policy.
6. In the Certificate Validation section, select the options for OCSP certificate validation.
7. In the Bypass List text box, type the IP address of a web site for which you do not want to inspect traffic. Click Add.

The IP address appears in the Bypass List.


8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.


9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close to close the Add Policies dialog box.

From Fireware XTM Web UI

First, edit an HTTPS-proxy action to enable deep content inspection of HTTPS content.

1. Select Firewall > Proxy Actions.

The Proxy Actions page appears.


2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.

The Edit Proxy Action page appears for the proxy action you selected.
3. Expand the Content Inspection section.
4. Select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select the HTTP-proxy action to use to inspect HTTPS content. For example, HTTP-Client.
6. Clear the Use OCSP to confirm the validity of certificates check box.
7. In the Bypass List text box, type the IP address of a web site for which you do not want to inspect traffic. Click Add.
8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
9. Click Save.

If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
10. In the Name text box, type a new name for the proxy action. For example, type HTTPS-Client DCI.
11. Click OK.

The new proxy action appears in the Proxies list.


Next, add an HTTPS-proxy that uses the proxy action you added.

1. Select Firewall > Firewall Policies.

The Firewall Policies page appears.


2. Click the green plus icon.

The Select a Policy Type page appears.


3. Expand the Proxies category and select HTTPS-proxy.
4. Click Add policy.

The Policy Configuration page appears for the HTTPS-proxy.


5. From the Proxy Action drop-down list, select the proxy action you added. For example, select HTTPS-Client DCI.
6. Click Save.

Export the Certificate


This procedure exports a certificate from your XTM device in PEM format. You cannot use Fireware XTM Web UI to export a certificate. You must use Firebox System Manager (FSM).

1. Start Firebox System Manager for your XTM device.
2. Select View > Certificates.
3. Select the HTTPS Proxy Authority CA certificate from the list and click Export.
4. Type a name and select a location to save the certificate locally.
5. Copy the saved certificate to the client machine.

If you have previously imported the certificate on a client, you can export that certificate directly from the operating system or browser certificate store. In most cases, this exports the certificate in the X.509 format. Windows and Mac OS X users can double-click an X.509 format certificate to import it.

Import a PEM Format Certificate with Windows XP


This process allows Internet Explorer, Windows Update, and other programs or services that use the Windows certificate store on Microsoft Windows XP to get access to the certificate.

1. From the Windows Start Menu, select Run. Type mmc and click OK.

A Windows Management Console appears.


2. Select File > Add/Remove Snap-In. Click Add.
3. Select Certificates and click Add.
4. Select Computer account and click Next.
5. Click Finish, Close, and OK to add the certificates module.
6. In the Console Root window, click the plus icon [+] to expand the Certificates tree.
7. Expand the Trusted Root Certification Authorities object.
8. Under the Trusted Root Certification Authorities object, right-click Certificates and select All Tasks > Import.
9. Click Next. Click Browse to find and select the HTTPS Proxy Authority CA certificate you previously exported. Click OK.
10. Click Next, then click Finish to complete the wizard.

Import a PEM Format Certificate with Windows Vista


This process allows Internet Explorer, Windows Update, and other programs or services that use the Windows certificate store on Microsoft Windows Vista to get access to the certificate.

1. On the Windows Start Menu, type certmgr.msc in the Search text box and press Enter.

If you are prompted to authenticate as an administrator, type your password or confirm your access.
2. Select the Trusted Root Certification Authorities object.
3. From the Action menu, select All Tasks > Import.
4. Click Next. Click Browse to find and select the HTTPS Proxy Authority CA certificate you previously exported. Click OK.
5. Click Next, then click Finish to complete the wizard.

Import a PEM Format Certificate with Mozilla Firefox 3.x


Mozilla Firefox uses a private certificate store instead of the operating system's certificate store. If clients on your network use the Firefox browser, you must import the certificate into the Firefox certificate store even if you have already imported the certificate on the host operating system.

When you have more than one XTM device that uses a self-signed certificate for HTTPS content inspection, clients on your network must import a copy of each XTM device certificate. However, the default self-signed XTM device certificates use the same name, and Mozilla Firefox only recognizes the first certificate you import when more than one certificate has the same name. We recommend that you replace the default self-signed certificates with a certificate signed by a different CA, and then distribute those CA certificates to each client.

1. From the Firefox menu bar, select Tools > Options.

The Options window appears.


2. Click Advanced.
3. Select the Encryption tab and click View Certificates.

The Certificate Manager window appears.


4. Select the Authorities tab, then click Import.
5. Browse to and select the certificate file and click Open.
6. On the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box and click OK.
7. Click OK twice to close the Certificate Manager and Options dialog boxes.
8. Restart Mozilla Firefox.

Import a PEM Format Certificate with Mac OS X 10.5


This process allows Safari and other programs or services that use the Mac OS X certificate store to get access to the certificate.

1. Open the Keychain Access application.
2. Select the Certificates category from the list on the left side of the window.
3. Click the plus icon on the lower toolbar, then find and select the certificate.
4. Select the System keychain, then click Open. Or, you can select the System keychain and drag and drop the certificate file into the list.


5. Right-click the certificate and select Get Info.

A certificate information window appears.


6. Expand the Trust category. From the When using this certificate drop-down list, select Always Trust.
7. Close the certificate information window.
8. Type your administrator password to confirm your changes.

For more information about how to use certificates with FSM, see Manage XTM Device Certificates. For more information about how to use certificates with the Web UI, see Manage XTM Device Certificates.
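The Before You Begin section suggests installing the certificate on clients automatically rather than by hand. The following script is an added example, not part of this article or of WatchGuard's tooling: it checks the exported HTTPS Proxy Authority PEM and then performs the Mac OS X System keychain and Firefox imports described above from the command line. It assumes the PEM path as its first argument, an optional Firefox profile directory as the second, an optional NSS nickname as the third, and that security(1) (part of Mac OS X) and the NSS certutil are available.

```shell
#!/bin/sh
# Added example (not WatchGuard tooling): install the exported
# "HTTPS Proxy Authority" PEM into the client trust stores by script.
# Assumed arguments: $1 = PEM file, $2 = Firefox profile directory
# (optional), $3 = NSS nickname (optional). certutil here is the NSS
# tool, not certutil.exe; on Windows the equivalent step would be
# "certutil -addstore Root file.pem" (not shown).

# Refuse anything that is not exactly one PEM certificate block, so a
# private key or a concatenated bundle is never installed as a root CA.
check_pem() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f must hold exactly one certificate (found $begins)" >&2
        return 1
    fi
}

# Mac OS X: CLI form of Keychain Access > System keychain > Get Info >
# Trust > Always Trust. Writing the System keychain needs sudo.
install_macos() {
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Firefox keeps its own NSS store, so the OS import is not enough.
# -t "C,," trusts the CA for SSL servers (the "Trust this CA to identify
# web sites" box). dbm: selects the cert8.db used by Firefox 3.x; use
# sql: for profiles with cert9.db. A nickname per XTM device keeps
# each device's CA entry distinguishable in Certificate Manager.
install_firefox() {
    certutil -A -d "dbm:$2" -n "$3" -t "C,," -i "$1"
}

main() {
    pem="$1"; profile="$2"; nick="${3:-XTM HTTPS Proxy Authority}"
    check_pem "$pem" || exit 1
    if command -v openssl >/dev/null 2>&1; then
        # Show the subject and refuse a certificate that has already expired.
        openssl x509 -in "$pem" -noout -subject -checkend 0 || exit 1
    fi
    install_macos "$pem"
    if [ -n "$profile" ]; then install_firefox "$pem" "$profile" "$nick"; fi
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run it as root-capable user after the Export the Certificate steps; restart Firefox afterwards, as the GUI procedure also requires.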


http://customers.watchguard.com/articles/Article/3209/p?pubstatus=o

9/30/2011
