User Criteria for SSL Decryption Rules

The User criteria of an SSL decryption rule defines the user or user group for an IP connection. You must configure identity policies and the associated directory server to include user or user group criteria in a rule.

Your identity policies determine whether user identity is collected for a particular connection. If identity is established, the IP address of the host is associated with the identified user. Thus, traffic whose source IP address is mapped to a user is considered to be from that user. IP packets themselves do not include user identity information, so this IP-address-to-user mapping is the best approximation available.

Because you can add a maximum of 50 users or groups to a rule, selecting groups usually makes more sense than selecting individual users. For example, you could create a rule that decrypts traffic to the Engineering group that comes from the outside network, and create a separate rule that does not decrypt outgoing traffic from that group. Then, to make the rule apply to new engineers, you only need to add the engineer to the Engineering group in the directory server.

To modify the users list, you click the + button within the condition and select the desired user groups and click Select.

Return to Step 9. "Define the traffic matching criteria"

Advanced Criteria for SSL Decryption Rules

The Advanced traffic matching criteria relate to characteristics derived from the certificates used in the connection. You can configure any or all of the following options.

Certificate Properties

Traffic matches the certificate properties option of the rule if it matches any of the selected properties. You can configure the following:

  • Certificate Status: Whether the certificate is Valid or Invalid. Select Any (the default) if you do not care about certificate status. A certificate is considered valid if all of the following conditions are met, otherwise it is invalid:

    • The policy trusts the CA that issued the certificate.

    • The certificate's signature can be properly validated against the certificate's content.

    • The issuer CA certificate is stored in the policy's list of trusted CA certificates.

    • None of the policy's trusted CAs revoked the certificate.

    • The current date is between the certificate Valid From and Valid To dates.

  • Self-Signed: Whether the server certificate contains the same subject and issuer distinguished name. Select one of the following:

  • Self-Signing—The server certificate is self-signed.

    • CA-Signing—The server certificate is signed by a Certificate Authority. That is, the issuer and subject are not the same.

    • Any—Do not consider whether the certificate is self-signed as a match criteria.

Supported Version

The SSL/TLS version to match. The rule applies to traffic that uses the any of the selected versions only. The default is all versions. Select from: SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2.

For example, if you wanted to permit TLSv1.2 connections only, you could create a block rule for the non-TLSv1.2 versions. Traffic that uses any version not listed, such as SSL v2.0, is handled by the default action for the SSL decryption policy.

Return to Step 9. "Define the traffic matching criteria"