Decryption Profile

A decryption profile is used by the Multicloud Defense Gateway in a reverse proxy or forward proxy scenario. When a connection is proxied, the front-end session is terminated on the gateway and a new back-end session is established to the server. The intention of this termination is to decrypt and inspect the traffic to protect against malicious activity. In order to decrypt encrypted traffic, a decryption profile is necessary.

TLS Versions in your Decryption Profile

The Multicloud Defense Gateway supports all TLS versions (TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0). Users can specify a minimum TLS version to use and Multicloud Defense Gateway will negotiate a TLS version that is equal to or higher than the specified minimum TLS version. The gateway always uses the highest TLS version possible combined with the strongest cipher suite during the TLS negotiation. In the case where the Multicloud Defense Gateway cannot negotiate a version that meets the minimum TLS version specified, the gateway drops the session and logging a TLS_ERROR event.

Note

Only a single minimum TLS version can be applied to a gateway. A consistent minimum TLS version must be used across all decryption profiles referenced by all service objects that are used within a policy ruleset or policy ruleset group. If different minimum TLS versions are specified, the minimum TLS version that will be applied cannot be predetermined.

Cipher Suites

The Multicloud Defense Gateway supports a set of default and user-selectable cipher suites. The default set are PFS cipher suites that are always selected. The user-selectable set are Diffie-Hellman and PKCS (RSA) cipher suites that can be selected by the user. The combined set of cipher suites (default and user-selected) are used by the gateway for establishing a secure front-end encrypted session. The client will send an ordered list of preferred cipher suites. The gateway will respond with a cipher suite chosen from the ordered set submitted by the client and the set available by the gateway. If the client allows the server to define the order, then the cpher suite chosen is from the ordered set available by the gateway and the set submitted by the client.

With version 24.10 and later, the Multicloud Defense Controller assists the creation of your decryption profile by auto-selecting the strongest cipher suites once you've chosen the minimum TLS version. Note that both the Multicloud Defense Controller and the Multicloud Defense Gateway must be running at least version 24.10. Older gateway versions do not support this automated help feature and you cannot edit the ciphers suites of an existing decrpytion profile. We strongly recommend updating your gateway to match at least version 24.10 to take advantage of this functionality.

The following is an ordered list of cipher suites supported by the gateway and available in a decryption profile:

Category

Cipher Suite

Key Exchange

Cipher

Hash

Default

PFS

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA

AES256-GCM

SHA384

PFS

ECDHE-RSA-AES256-CBC-SHA384

ECDHE-RSA

AES256-CBC

SHA384

Diffie-Hellman

DH-RSA-AES256-GCM-SHA384

DH-RSA

AES256-GCM

SHA384

PFS

DHE-RSA-AES256-GCM-SHA384

DHE-RSA

AES256-GCM

SHA384

PFS

DHE-RSA-AES256-CBC-SHA256

DHE-RSA

AES256-CBC

SHA384

PFS

DHE-RSA-AES256-CBC-SHA

DHE-RSA

AES256-CBC

SHA

Diffie-Hellman

DH-RSA-AES256-SHA256

DH-RSA

AES256-CBC

SHA256

Diffie-Hellman

DH-RSA-AES256-SHA

DH-RSA

AES256-CBC

SHA160

PKCS (RSA)

AES256-GCM-SHA384

PKCS-RSA

AES256-GCM

SHA384

PKCS (RSA)

AES256-SHA256

PKCS-RSA

AES256-CBC

SHA256

PKCS (RSA)

AES256-SHA

PKCS-RSA

AES256-CBC

SHA160

PFS

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA

AES128-GCM

SHA256

PFS

ECDHE-RSA-AES128-CBC-SHA256

ECDHE-RSA

AES128-CBC

SHA256

Diffie-Hellman

DH-RSA-AES128-GCM-SHA256

DH-RSA

AES128-GCM

SHA256

PFS

DHE-RSA-AES128-GCM-SHA256

DHE-RSA

AES128-GCM

SHA256

PFS

DHE-RSA-AES128-CBC-SHA256

DHE-RSA

AES128-CBC

SHA256

Diffie-Hellman

DH-RSA-AES128-SHA256

DH-RSA

AES128-CBC

SHA256

Diffie-Hellman

DH-RSA-AES128-SHA

DH-RSA

AES128-CBC

SHA160

PKCS (RSA)

AES128-GCM-SHA256

PKCS-RSA

AES128-GCM

SHA256

PKCS (RSA)

AES128-SHA256

PKCS-RSA

AES128-CBC

SHA256

PKCS (RSA)

AES128-SHA

PKCS-RSA

AES128-CBC

SHA160

PFS

ECDHE-RSA-DES-CBC3-SHA

ECDHE-RSA

DES-CBC3

SHA

PFS

ECDHE-RSA-RC4-SHA

ECDHE-RSA

RC4

SHA

PKCS (RSA)

RC4-SHA

PKCS-RSA

RC4

SHA160

PKCS (RSA)

RC4-MD5

PKCS-RSA

RC4

SHA160