Server Certificate Validation in the FQDN Service Object

Invalid server certificate validation within the FQDN service object is optional. If specified, it overrides the behavior designated in the TLS decryption profile. If you do not specify a selection here, no additional or override action is taken. You can use the invalid server certificate validation within the FQDN service object to block or allow traffic for a specific server that would otherwise be allowed or blocked by the TLS decryption profile.

Note that when you enable the validation check to Log, these logs are located in Investigate > Flow Analytics > HTTPS Logs.
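The precedence described above, as an added Python model that is not Multicloud Defense code: a selection made on the FQDN service object wins, an unset selection falls back to the TLS decryption profile, and an audit helper flags overrides that weaken the profile's default. The FQDNs and policy values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four drop-down options from the page, mapped to (verdict, log?).
ACTIONS = {
    "Deny Log": ("deny", True),
    "Deny No Log": ("deny", False),
    "Allow Log": ("allow", True),
    "Allow No Log": ("allow", False),
}


@dataclass
class FqdnServiceObject:
    fqdn: str
    # None models "no selection": the TLS decryption profile applies.
    invalid_cert_action: Optional[str] = None


def effective_action(profile_action: str,
                     obj: Optional[FqdnServiceObject]) -> Tuple[str, bool]:
    """(verdict, log) for a connection whose server certificate failed validation."""
    if profile_action not in ACTIONS:
        raise ValueError(f"unknown profile action {profile_action!r}")
    if obj is not None and obj.invalid_cert_action is not None:
        if obj.invalid_cert_action not in ACTIONS:
            raise ValueError(f"unknown FQDN action {obj.invalid_cert_action!r}")
        return ACTIONS[obj.invalid_cert_action]   # per-FQDN override wins
    return ACTIONS[profile_action]                # otherwise the profile applies


def decide(profile_action: str, objects: List[FqdnServiceObject],
           server_fqdn: str) -> Tuple[str, bool]:
    """Resolve the action for one server (exact FQDN match, an assumption of this model)."""
    obj = next((o for o in objects if o.fqdn == server_fqdn), None)
    return effective_action(profile_action, obj)


def weakening_overrides(profile_action: str,
                        objects: List[FqdnServiceObject]) -> List[str]:
    """FQDNs whose override allows what the profile denies, or disables logging."""
    p_verdict, p_log = ACTIONS[profile_action]
    found = []
    for o in objects:
        verdict, log = effective_action(profile_action, o)
        if (p_verdict == "deny" and verdict == "allow") or (p_log and not log):
            found.append(o.fqdn)
    return found


# Constructed sample policy: the profile denies and logs invalid certificates,
# one FQDN object overrides that to allow (still logged), one sets nothing.
PROFILE_ACTION = "Deny Log"
OBJECTS = [
    FqdnServiceObject("legacy-app.example.internal", "Allow Log"),
    FqdnServiceObject("partner-api.example.com"),
]
```

Running `weakening_overrides(PROFILE_ACTION, OBJECTS)` is the review step to repeat whenever an FQDN object is edited, since a single "Allow" selection silently exempts that server from the profile's deny.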

Use the following procedure to include a server certificate validation action in an FQDN service object:

Procedure


Step 1

From the Multicloud Defense Controller, navigate to Policies > Security Policies > FQDN.

Step 2

Select the FQDN service object you want to modify.

Step 3

Edit the selected FQDN service object.

Step 4

In the list of FQDN service objects included in the ruleset, expand the Invalid Server Certificate Action drop-down menu and select one of the following options:

  • Deny Log - Automatically drop connections that do not provide a validated server certificate and log the incident.

  • Deny No Log - Automatically drop connections that do not provide a validated server certificate without logging the incident.

  • Allow Log - Allow connections that do not provide a validated server certificate to pass and log the incident.

  • Allow No Log - Allow connections that do not provide a validated server certificate to pass without logging the incident.

Step 5

Click Save.


What to do next

Ensure the FQDN service object is correctly associated with a rule or rule set. See Rule Sets and Rule Set Groups for more information.

Once the FQDN service object is successfully associated with a rule or rule set in your policy, confirm that the rule order within the policy supports how you want traffic processed.