Friday, August 10, 2018

Forcepoint NGFW TLS inspection review

Forcepoint NGFW supports both client-side and server-side TLS decryption. A few things to be aware of when you compare it to other systems like FortiOS and PAN-OS:

1st: You can't use multiple client-side TLS decryption profiles at the same time on the same firewall engine.

2nd: If you import a PKI CA certificate into the SMC, you have to set the issuing CA's root certificate as a trusted CA.

3rd: They take a totally different approach and define the lifetime of the MITM-forged certificate as a duration. This value seems to default to 120 min regardless of the CA root lifetime value, which defaults to 1 year.
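As an added example (not from the post and not Forcepoint code), the following Go program builds a constructed 1-year inspection root and a 120-minute forged leaf for www.example.com, then classifies the leaf the way a defender would when confirming that decryption is in effect for a session: does the presented certificate chain to the inspection CA, and how long is its validity window. The CA name, hostname and lifetimes are assumptions that mirror the defaults described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent with the signer's key; all keys here are constructed, not a real CA.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// classifyLeaf returns the leaf's validity window and whether it chains to the inspection CA.
func classifyLeaf(leaf, ca *x509.Certificate) (time.Duration, bool) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: leaf.NotBefore.Add(time.Minute)})
	return leaf.NotAfter.Sub(leaf.NotBefore), err == nil
}

// demo builds a 1-year inspection root and a 120-minute forged leaf (the defaults the post describes).
func demo() (time.Duration, bool) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Inspection CA (constructed)"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour)}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := sign(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.com"},
		Subject: pkix.Name{CommonName: "www.example.com"}, NotBefore: now, NotAfter: now.Add(120 * time.Minute),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leaf := sign(leafTmpl, ca, leafPub, caKey)
	return classifyLeaf(leaf, ca)
}

func main() {
	life, ok := demo()
	fmt.Printf("chains to inspection CA: %v, forged leaf lifetime: %v\n", ok, life)
}
```

Against a live deployment the same check runs on the chain the client actually receives; a leaf that chains to the inspection CA with a lifetime of around two hours is the fingerprint of a decrypted session.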

4th: You don't have the means, as in PAN-OS, to opt out of TLS inspection or to provide a notice to the end user.


And lastly, you have to use an HTTPS with decryption service in the policy access rule.


e.g.

NSE (network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
