Before you begin

If you upgraded from a release that did not have SSL decryption policies, but you had configured the identity policy with active authentication rules, the SSL decryption policy is already enabled. Ensure that you select the Decrypt Re-Sign certificate you want to use, and optionally enable pre-defined rules.

Review Configuring SSL Decryption Policies if you have not already.

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and the device for which you want to enable the SSL Decryption policy.

Step 4

Click Policy in the Management pane at the right.

Step 5

Click SSL Decryption in the policy bar.

Step 6

Click the SSL Decryption toggle in the SSL bar to enable the SSL Decryption policy.

  • If this is the first time you have enabled the policy, read the description of Decrypt Known-Key and Decrypt Re-Sign SSL decryption and click Enable.

  • If you have already configured the policy once and then disabled it, the policy is simply enabled again with your previous settings and rules. You can click the SSL decryption configuration button (Configure Certificates for Known Key and Re-Sign Decryption) and configure settings as described in .

Step 7

For Select Decrypt Re-Sign Certificate, select the internal CA certificate to use for rules that implement decryption with re-signed certificates.

You can use the pre-defined NGFW-Default-InternalCA certificate, or one that you created or uploaded. If the certificate does not yet exist, click Create to add an FDM-managed device internal CA certificate.

If you have not already installed the certificate in client browsers, click the download button to obtain a copy. See the documentation for each browser for information on how to install the certificate. Also see Downloading the CA Certificate for Decrypt Re-Sign Rules.

Step 8

Click Save.

Step 9

Continue with Configure the Default SSL Decryption Action to set the default action for the policy.
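
The following checks can be run on the CA certificate downloaded in Step 7 before it is installed in client browsers, and on a server certificate seen by a client once Decrypt Re-Sign rules are active. This is an added example, not part of the original procedure or of the product; it assumes the openssl CLI and PEM files, and the function names, file names and test certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks on a Decrypt Re-Sign CA certificate with the openssl CLI.
# File names and the constructed PKI are assumptions, not product output.

# True if the PEM certificate is marked as a CA (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint, to compare a client's installed copy with the download.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True if certificate $2 chains to CA $1; the default trust directory is
# disabled so only the given CA can validate it.
resigned_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a constructed CA named $2 and a leaf it signs, in directory $1.
make_constructed_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' "CN=$2" '[v3]' \
        'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=www.example.test" -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Demo on constructed certificates: run the script with the argument "demo".
demo() {
    t=$(mktemp -d) && mkdir "$t/a" "$t/b"
    make_constructed_pki "$t/a" "Constructed-InternalCA"
    make_constructed_pki "$t/b" "Constructed-OtherCA"
    is_ca_cert "$t/a/ca.pem" && echo "CA: $(ca_fingerprint "$t/a/ca.pem")"
    resigned_by "$t/a/ca.pem" "$t/a/leaf.pem" && echo "re-signed by internal CA"
    resigned_by "$t/a/ca.pem" "$t/b/leaf.pem" || echo "not from internal CA"
    rm -rf "$t"
}
[ "${1:-}" != demo ] || demo
```

With real files, pass the downloaded certificate as the first argument to `resigned_by` and a certificate saved from a client session as the second; a failure means that connection was not re-signed by the selected internal CA.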