Server Certificate Validation in the TLS Decryption Profile

When you select an action for server certificate validation within a TLS decryption profile, that action applies to every rule set that uses the decryption profile. By default, the validation action is configured to allow all traffic regardless of whether the server certificate is valid, and Multicloud Defense does not generate an alert in the HTTPS logs.

Note

If you enable the validation check to Log, locate the logs in Policies > Profiles > Decryption.

Use the following procedure to enable server certificate validation in the TLS decryption profile:

Procedure

Step 1

From the Multicloud Defense Controller, navigate to Policies > Profiles > Decryption.

Step 2

Select the TLS decryption profile you want to add the server certificate validation to. If you do not have a profile ready, create one here. See Decryption Profile for more information.

Step 3

Edit the decryption profile.

Step 4

Under the Profile Properties section, expand the Invalid Server Certificate Action drop-down.

Step 5

Select one of the following options:

  • Deny Log - This option automatically drops connections that do not provide a validated server certificate and logs the incident.

  • Deny No Log - This option automatically drops connections that do not provide a validated server certificate and does not log the incident.

  • Allow Log - This option allows connections that do not provide a validated server certificate to pass and logs the incident.

  • Allow No Log - This option allows connections that do not provide a validated server certificate to pass and does not log the incident. This is the default action selection.

Step 6

Click Save.

What to do next

Ensure the TLS decryption profile is correctly associated with a forward proxy service object. See Forward Proxy Service Object (Egress / East-West) for more information.

Once the TLS decryption profile is included in a service object, confirm that the rules within the policy are ordered in a way that supports how you want traffic processed.