
[SRX] How to configure the IDP SSL Inspection feature


Article ID: KB24803
KB Last Updated: 29 Jul 2020
Version: 3.0
Summary:

This article provides information on how to configure the IDP SSL Inspection feature on high-end SRX platforms

Symptoms:

IDP SSL Inspection: Secure Sockets Layer (SSL) is a protocol suite that consists of different versions, ciphers, and key exchange methods. The SSLv2, SSLv3, and TLS protocols are supported.

Combined with the Application Identification feature, the SSL Inspection feature enables SRX-series devices to inspect HTTP traffic that is encrypted in SSL on any TCP/UDP port. By default, SSL inspection is disabled and can be enabled by using the configuration CLI.

To display all installed keys and associated servers, use the show security idp ssl-inspection key command.

Note: This feature is supported on SRX 1400, 3400, 3600, 5400, 5600, and 5800.

For more information, refer to the technical documentation on IDP SSL Inspection.

Solution:

Currently, SRX devices support SSL Inspection only for servers for which the device holds the private key. This makes the feature useful for inspecting SSL traffic that is destined to your own servers.

Installing the Private Key:

To install the private key for a server, transfer the key to the SRX and then run the following command:

user@SRX> request security idp ssl-inspection key add test-key file /var/tmp/private.pem server 10.10.10.1 password test-case

This command installs the private key (named test-key), associates it with the server 10.10.10.1, and encrypts it with the password supplied on the command line (test-case). A server can be associated with only a single key.
For more information, refer to the technical documentation on Configuring an IDP SSL Inspection (CLI Procedure).

View the installed keys:

user@SRX> show security idp ssl-inspection key
Total SSL keys : 1
SSL server key and ip address :
     Key : test-key, server : 10.10.10.1

Configuring SSL Inspection:

After installing the private key, SSL inspection has to be enabled. The following configuration allows the SRX device to decrypt up to 10,000 sessions at a time. The session count caps the number of concurrently decrypted sessions so that SSL decryption does not overwhelm the device:

security {
    idp {
        sensor-configuration {
            ssl-inspection {
                sessions 10000;
            }
        }
    }
}

After SSL Inspection is enabled, set up a security policy that sends the matching HTTPS traffic to IDP for inspection:

security {
    policies {
        from-zone 1 to-zone 2 {
            policy SSL-test {
                match {
                    source-address any;
                    destination-address server;
                    application junos-https;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}
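
As an added example that is not part of the original article or of Junos, the following Python script parses the output of show security idp ssl-inspection key (sample output constructed in the format shown above) and checks it against the servers that the IDP policy protects (a hypothetical list). Because inspection works only for servers whose private key the SRX holds, it reports any policy destination with no installed key, and also flags a server listed with more than one key, which the single-key rule above does not allow.

```python
import re
from typing import Dict, List

# Constructed sample output in the format printed by
# "show security idp ssl-inspection key" (two keys, one server each).
SAMPLE_KEY_OUTPUT = """\
Total SSL keys : 2
SSL server key and ip address :
     Key : test-key, server : 10.10.10.1
     Key : web-key, server : 10.10.10.2
"""

# Hypothetical list of destination servers referenced by IDP security policies.
POLICY_SERVERS = ["10.10.10.1", "10.10.10.2", "10.10.10.3"]

KEY_LINE = re.compile(r"Key\s*:\s*(?P<key>[^,]+),\s*server\s*:\s*(?P<server>\S+)")
TOTAL_LINE = re.compile(r"Total SSL keys\s*:\s*(\d+)")


def parse_key_table(output: str) -> Dict[str, List[str]]:
    """Map each server IP in the key listing to the key names installed for it."""
    servers: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = KEY_LINE.search(line)
        if m:
            servers.setdefault(m["server"], []).append(m["key"].strip())
    return servers


def total_matches_rows(output: str, servers: Dict[str, List[str]]) -> bool:
    """Cross-check the 'Total SSL keys' header against the number of parsed rows."""
    m = TOTAL_LINE.search(output)
    return m is not None and int(m.group(1)) == sum(len(k) for k in servers.values())


def servers_without_keys(servers: Dict[str, List[str]], policy_servers: List[str]) -> List[str]:
    """Policy destinations with no installed key: their SSL traffic cannot be decrypted."""
    return [s for s in policy_servers if s not in servers]


def multi_key_servers(servers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Servers listed with more than one key, which violates the one-key-per-server rule."""
    return {s: k for s, k in servers.items() if len(k) > 1}


if __name__ == "__main__":
    table = parse_key_table(SAMPLE_KEY_OUTPUT)
    print("header count consistent:", total_matches_rows(SAMPLE_KEY_OUTPUT, table))
    print("policy servers lacking a key:", servers_without_keys(table, POLICY_SERVERS))
    print("servers with multiple keys:", multi_key_servers(table))
```
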

Modification History:
2020-07-28: Updated links to technical documentation.