Create a Decryption Policy with Inbound Connection Protection

This task discusses how to create a decryption policy with a rule that protects inbound connections; that is, the destination server is inside your protected network. This type of rule has a Decrypt - Known Key rule action.

When you create a decryption policy, you can create multiple rules at the same time, including multiple Decrypt - Known Key rules and multiple Decrypt - Resign rules.

Before you begin

You can optionally must upload an internal certificate for your internal server before you can create a decryption policy that protects inbound connections. You can do this in any of the following ways:

  • Create an internal certificate object by going to Objects > Object Management > PKI > Internal Certs and referring to PKI.

  • At the time you create this decryption policy.

If you enabled Change Management, you must create and assign a ticket before you can create a decryption policy. Before the decryption policy can be used, the ticket and all associated objects (like certificate authorities) must be approved. For more information, see Creating Change Management Tickets and Policies and Objects that Support Change Management.

Procedure


Step 1

Log in to Security Cloud Control if you haven't already done so.

Step 2

Click Tools & Services > Firewall Management Center > Policies > Access Control > Decryption.

Step 3

Click Create Decryption Policy.

Step 4

Give the policy a unique Name and, optionally, a Description.

Step 5

From the Internal CA list, upload or choose certificates for the rules.

For more information about internal CA certificates, see Internal Certificate Authority Objects.

Step 6

(Optional.) Choose networks and ports.

Step 7

Click the Inbound Connections tab.

Your decryption policy can cover outbound servers with a Decrypt - Resign rule or inbound servers with a Decrypt - Known Key rule.

Step 8

Click Next.

Step 9

Continue with Decryption Policy Exclusions.


What to do next