Knowledge Articles & Software

Page 1 of 4

How do I inspect HTTPS traffic? [Fireware XTM v11.4.x]
Question

Many web sites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your XTM device to decrypt the information and then encrypt it with a certificate the user trusts.

By default, the XTM device re-signs the content it has inspected with a self-signed certificate. Users without a copy of this certificate see a certificate warning when they connect to a secure web site with HTTPS. If the remote web site uses a certificate that is expired, or if the certificate is signed by a CA (Certificate Authority) the XTM device does not recognize, the XTM device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate.

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate on the XTM device that is signed by your organization. If your organization does not have a PKI, we recommend that you copy the default, self-signed certificate from the XTM device to each client device.

This document includes information about how to export a certificate from the XTM device and import it on a Microsoft Windows or Mac OS X system. To import the certificate on other devices, operating systems, or applications, see the documentation from their manufacturers.

For more information about how to use certificates with Policy Manager, see About Certificates. For more information about how to use certificates with the Fireware XTM Web UI, see About Certificates.

Answer

Before You Begin
We recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network before you enable this feature. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS-proxy with a small number of users to ensure that it operates correctly before you apply the HTTPS-proxy to traffic on a large network.

Configure the HTTPS-proxy

From Policy Manager

1. Select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Proxies category and select HTTPS-proxy. Click Add.
The New Policy Properties dialog box appears, with the Policy tab selected.
3. Adjacent to the Proxy Action drop-down list, click the View/Edit Proxy button.
The HTTPS Proxy Action configuration dialog box appears, with the Content Inspection category selected.
4. On the Content Inspection page, select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select an HTTP-proxy action to use to inspect HTTPS content, or create a new HTTP-proxy action to use for this policy.
6. In the Certificate Validation section, select the options for OCSP certificate validation.
7. In the Bypass List text box, type the IP address of a web site for which you do not want to inspect traffic. Click Add.
The IP address appears in the Bypass List.
8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.

http://customers.watchguard.com/articles/Article/3209/p?pubstatus=o

9/30/2011

9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close to close the Add Policies dialog box.

From Fireware XTM Web UI

First, edit an HTTPS-proxy action to enable deep content inspection of HTTPS content.

1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select an HTTPS proxy action: HTTPS-Client or HTTPS-Server. Click Edit.
The Edit Proxy Action page appears for the proxy action you selected.
3. Expand the Content Inspection section.
4. Select the Enable deep inspection of HTTPS content check box.
5. From the Proxy Action drop-down list, select the HTTP-proxy action to use to inspect HTTPS content. For example, HTTP-Client.
6. Clear the Use OCSP to confirm the validity of certificates check box.
7. In the Bypass List text box, type the IP address of a web site for which you do not want to inspect traffic. Click the green plus icon.
8. (Optional) Repeat Step 7 to add more IP addresses to the Bypass List.
9. Click Save.
If you edited a predefined proxy action, you must clone your changes to a new proxy action before you can save them and apply them to a proxy policy. The Clone Proxy Action dialog box appears.
10. In the Name text box, type a new name for the proxy action. For example, type HTTPS-Client DCI.
11. Click Save.
The new proxy action appears in the Proxies list.

Next, add an HTTPS-proxy that uses the proxy action you added.

1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Add policy.
The Select a Policy Type page appears.
3. Expand the Proxies category and select HTTPS-proxy. Click Add.
The Policy Configuration page appears for the HTTPS-proxy.
4. From the Proxy Action drop-down list, select the proxy action you added. For example, select HTTPS-Client DCI.
5. Click Save.

Export the Certificate

This procedure exports a certificate from your XTM device in PEM format. You cannot use Fireware XTM Web UI to export a certificate. You must use Firebox System Manager (FSM). If you have previously imported the certificate on a client, you can export that certificate directly from the operating system or browser certificate store. In most cases, this exports the certificate in the x.509 format. Windows and Mac OS X users can double-click an x.509 format certificate to import it.

1. Start Firebox System Manager for your XTM device.
2. Select View > Certificates.
3. Select the HTTPS Proxy Authority CA certificate from the list and click Export.
4. Type a name and select a location to save the certificate locally.
5. Copy the saved certificate to the client machine.

Import a PEM Format Certificate with Windows XP

This process allows Internet Explorer, Windows Update, and other programs or services that use the Windows certificate store on Microsoft Windows XP to get access to the certificate.

1. From the Windows Start Menu, select Run.
2. Type mmc and click OK.
A Windows Management Console appears.
3. Select File > Add/Remove Snap-In.
4. Click Add.
5. Select Certificates and click Add.
6. Select Computer account and click Next.
7. Click Finish, Close, and OK to add the certificates module.
8. In the Console Root window, click the plus icon [+] to expand the Certificates tree.
9. Expand the Trusted Root Certification Authorities object.
10. Under the Trusted Root Certification Authorities object, right-click Certificates and select All Tasks > Import.
11. Click Next.
12. Click Browse to find and select the HTTPS Proxy Authority CA certificate you previously exported, then click Open.
13. Click Next, then click Finish to complete the wizard.

Import a PEM Format Certificate with Windows Vista

This process allows Internet Explorer, Windows Update, and other programs or services that use the Windows certificate store on Microsoft Windows Vista to get access to the certificate.

1. On the Windows Start Menu, type certmgr.msc in the Search text box and press Enter.
The Certificate Manager window appears.
2. Select the Trusted Root Certification Authorities object.
3. From the Action menu, select All Tasks > Import.
4. Click Next.
5. Click Browse to find and select the HTTPS Proxy Authority CA certificate you previously exported, then click Open.
6. Click Next, then click Finish to complete the wizard.

Import a PEM Format Certificate with Mozilla Firefox 3.x

Mozilla Firefox uses a private certificate store instead of the operating system's certificate store. If clients on your network use the Firefox browser, you must import the certificate into the Firefox certificate store even if you have already imported the certificate on the host operating system.

1. From the Firefox menu bar, select Tools > Options.
The Options window appears.
2. Click Advanced.
3. Select the Encryption tab and click View Certificates.
The Certificate Manager window appears.
4. Select the Authorities tab, then click Import.
5. Browse to and select the certificate file and click Open.
6. On the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box and click OK.
7. Click OK twice to close the Certificate Manager and Options dialog boxes.
8. Restart Mozilla Firefox.

When you have more than one XTM device that uses a self-signed certificate for HTTPS content inspection, clients on your network must import a copy of each XTM device certificate. However, the default self-signed XTM device certificates use the same name, and Mozilla Firefox only recognizes the first certificate you import when more than one certificate has the same name. We recommend that you replace the default self-signed certificates with a certificate signed by a different CA, and then distribute those CA certificates to each client.

Import a PEM Format Certificate with Mac OS X 10.5

This process allows Safari and other programs or services that use the Mac OS X certificate store to get access to the certificate.

1. Open the Keychain Access application.
2. Select the Certificates category from the list on the left side of the window.
3. Select the System keychain.
4. Click the plus icon on the lower toolbar, then find and select the certificate. Click OK. Or, you can select the System keychain and drag and drop the certificate file into the list.
5. If you are prompted to authenticate as an administrator, type your password or confirm your access.
6. Right-click the certificate and select Get Info.
A certificate information window appears.
7. Expand the Trust category.
8. From the When using this certificate drop-down list, select Always Trust.
9. Close the certificate information window. Type your administrator password to confirm your changes.

For more information about how to use certificates with FSM, see Manage XTM Device Certificates. For more information about how to use certificates with the Web UI, see Manage XTM Device Certificates.
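The article recommends testing the HTTPS-proxy with a small number of users before a wide rollout. The script below is an added example, not WatchGuard code and not part of the article: run from a client that has imported the exported CA, it opens a TLS connection to each host and classifies the certificate the client actually sees, so you can confirm that inspected sites are re-signed by the XTM device's CA, that Bypass List sites still present their original certificate, and that a site whose upstream certificate the device could not validate shows up as Unrecognized Certificate. It also prints a SHA-256 fingerprint of the PEM file so users who receive the certificate by email can compare it with the copy on the device. Assumptions: the CA common name (PROXY_CA_CN) is a placeholder to replace with the subject CN shown in FSM under View > Certificates; the host names and certificate dicts are constructed, and the Unrecognized Certificate string is assumed to appear in the subject or issuer CN. The classifier works on the dict that Python's ssl.SSLSocket.getpeercert() returns, so it runs offline on the constructed samples when no arguments are given.

```python
"""Added example: verify, from a client, which certificate each HTTPS site
presents once deep inspection of HTTPS content is enabled on the XTM device.

Usage (live):   python check_inspection.py exported_ca.pem host1 host2 ...
Usage (offline): python check_inspection.py   (classifies constructed samples)
"""
import hashlib
import socket
import ssl
import sys

# Assumption/placeholder: the subject CN of the HTTPS Proxy Authority CA
# certificate you exported from FSM. Replace with your device's value.
PROXY_CA_CN = "XTM HTTPS Proxy Authority CA (placeholder)"
# Name the article gives for content the device re-signs when the upstream
# certificate is expired or signed by a CA the device does not recognize.
# Assumption: this string appears in the subject or issuer CN.
UNRECOGNIZED_MARKER = "Fireware HTTPS Proxy: Unrecognized Certificate"


def rdn_value(name, key):
    """First value for `key` (e.g. "commonName") in a getpeercert()-style
    name: a tuple of RDNs, each RDN a tuple of (key, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def classify(cert, proxy_ca_cn=PROXY_CA_CN):
    """Classify a getpeercert() dict as one of:
    "inspected"     - re-signed by the XTM proxy CA: deep inspection is active
    "unrecognized"  - re-signed as Unrecognized Certificate: upstream cert
                      expired or from a CA the device does not trust
    "not-inspected" - original certificate seen: host is on the Bypass List
                      or the traffic does not pass through the HTTPS-proxy
    """
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName") or ""
    subject_cn = rdn_value(cert.get("subject", ()), "commonName") or ""
    if any(UNRECOGNIZED_MARKER in cn for cn in (issuer_cn, subject_cn)):
        return "unrecognized"
    if issuer_cn == proxy_ca_cn:
        return "inspected"
    return "not-inspected"


def sha256_fingerprint(pem_text):
    """Colon-separated SHA-256 fingerprint of a PEM certificate, for users to
    compare against the device's copy before trusting the file they received."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert(host, port=443, xtm_ca_pem=None, timeout=5):
    """Open a TLS connection and return the validated peer certificate dict.
    The context trusts the system store plus, if given, the exported XTM CA
    file, so both inspected and bypassed sites validate; a chain neither
    trusts raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    if xtm_ca_pem:
        ctx.load_verify_locations(cafile=xtm_ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_hosts(hosts, xtm_ca_pem=None, fetch=fetch_cert):
    """Map each host to its classification; `fetch` is injectable so the
    logic can be exercised offline on constructed certificate dicts."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host, xtm_ca_pem=xtm_ca_pem))
        except ssl.SSLCertVerificationError:
            results[host] = "untrusted"  # neither system store nor XTM CA trusts it
        except OSError as exc:
            results[host] = "error: %s" % exc
    return results


# Constructed sample getpeercert() outputs (not real certificates).
SAMPLE_CERTS = {
    "inspected.example": {
        "subject": ((("commonName", "inspected.example"),),),
        "issuer": ((("commonName", PROXY_CA_CN),),),
    },
    "bypassed.example": {
        "subject": ((("commonName", "bypassed.example"),),),
        "issuer": ((("organizationName", "Example Public CA"),),
                   (("commonName", "Example Public CA Root"),)),
    },
    "expired-upstream.example": {
        "subject": ((("commonName", UNRECOGNIZED_MARKER),),),
        "issuer": ((("commonName", UNRECOGNIZED_MARKER),),),
    },
}
# Constructed PEM wrapping arbitrary bytes, only to exercise the fingerprint code.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("CA fingerprint:", sha256_fingerprint(open(sys.argv[1]).read()))
        for host, verdict in check_hosts(sys.argv[2:], xtm_ca_pem=sys.argv[1]).items():
            print(f"{host}: {verdict}")
    else:
        offline = check_hosts(SAMPLE_CERTS, fetch=lambda h, xtm_ca_pem=None: SAMPLE_CERTS[h])
        for host, verdict in offline.items():
            print(f"{host}: {verdict}")
```

An "untrusted" result for a host that should be inspected usually means the client has not imported the exported CA into the store Python uses; an unexpected "not-inspected" result for a host means it is on the Bypass List or its traffic is not reaching the HTTPS-proxy policy.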
