Configuring TLS Inspection with Aviatrix PaaS

TLS inspection allows security tools to inspect network traffic for potential threats and implement security policies.

Also called HTTPS inspection, TLS inspection is a security process in which data is decrypted, inspected, and re-encrypted over a TLS-secured HTTPS connection. In Aviatrix PaaS, inspection and policy enforcement occur within Aviatrix gateways.

With TLS inspection, you can also apply filtering policies based on specific URLs. This allows you to identify internet-bound traffic to be blocked or allowed.

Non-TLS or non-HTTP traffic will not match the rule that specifies the URLs, but you can create other rules for evaluating that traffic.

If TLS inspection is enabled for proxy, you must upload your own valid CA certificate to Aviatrix PaaS.

To configure TLS inspection for proxy with URL filtering, complete the following:

  1. Create a WebGroup based on URLs for which you want traffic assessed.

  2. Create a Distributed Cloud Firewall egress rule, with the following options:

    • Select the URL WebGroup to associate with the rule.

    • Enable the TLS Decryption option on the rule.

    • Select either TCP or Any for the protocol.

  3. Upload your own valid CA certificate to Aviatrix PaaS.

    • The certificate must be trusted by all the virtual machines on the source SmartGroup you selected for the egress rule.
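The following is an added example, not Aviatrix code, for checking the requirement in step 3 on a virtual machine before the egress rule goes live: it compares the SHA-256 fingerprint of the uploaded inspection CA against the VM's PEM trust bundle and against the CAs loaded by the host's default TLS context. The bundle path and the PEM contents are assumptions; the embedded certificates are constructed placeholders.

```python
"""Check whether the CA uploaded for Aviatrix TLS inspection is trusted on this VM.
Added example (not Aviatrix code); bundle path and PEM contents are assumptions."""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(text: str) -> list[bytes]:
    """Return every certificate in a PEM bundle as DER bytes (the decoded base64
    between BEGIN/END markers). Text between blocks, such as the 'subject='
    lines some bundles carry, is ignored."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_BLOCK.finditer(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form openssl prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def ca_trusted_by_bundle(ca_pem: str, bundle_text: str) -> bool:
    """True if the inspection CA appears (by fingerprint) in the VM's PEM trust bundle."""
    target = fingerprint(pem_to_der_list(ca_pem)[0])
    return any(fingerprint(d) == target for d in pem_to_der_list(bundle_text))


def ca_trusted_by_default_context(ca_pem: str) -> bool:
    """Same check against the CAs Python's default TLS context loads on this host.
    Caveat: OpenSSL reports certs from a capath directory only after they have been
    used, so False here is not conclusive; check the bundle file as well."""
    ctx = ssl.create_default_context()
    target = fingerprint(pem_to_der_list(ca_pem)[0])
    return any(fingerprint(d) == target for d in ctx.get_ca_certs(binary_form=True))


# Constructed placeholders: base64 of arbitrary bytes, NOT real X.509 data. Replace
# with your CA PEM and the VM's bundle (e.g. /etc/ssl/certs/ca-certificates.crt, assumed).
def _fake_pem(payload: bytes) -> str:
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


INSPECTION_CA_PEM = _fake_pem(b"inspection-ca-placeholder")
VM_BUNDLE_WITH_CA = _fake_pem(b"public-root-1") + "subject=O = Example\n" + INSPECTION_CA_PEM
VM_BUNDLE_WITHOUT_CA = _fake_pem(b"public-root-1") + _fake_pem(b"public-root-2")

if __name__ == "__main__":
    print("VM with CA installed:", ca_trusted_by_bundle(INSPECTION_CA_PEM, VM_BUNDLE_WITH_CA))
    print("VM without CA:", ca_trusted_by_bundle(INSPECTION_CA_PEM, VM_BUNDLE_WITHOUT_CA))
```

Run it on each VM in the source SmartGroup; a VM that reports False will fail TLS handshakes once the rule decrypts its traffic.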

When you create a rule with TLS inspection, you must select the protocol as TCP or Any, and