Decryption Profile
A decryption profile is used by the Multicloud Defense Gateway in a reverse proxy or forward proxy scenario. When a connection is proxied, the front-end session is terminated on the gateway and a new back-end session is established to the server. The intention of this termination is to decrypt and inspect the traffic to protect against malicious activity. In order to decrypt encrypted traffic, a decryption profile is necessary.
TLS Versions in your Decryption Profile
The Multicloud Defense Gateway supports all TLS versions (TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0). Users can specify a minimum TLS version to use and Multicloud Defense Gateway will negotiate a TLS version that is equal to or higher than the specified minimum TLS version. The gateway always uses the
highest TLS version possible combined with the strongest cipher suite during the TLS negotiation. In the case where the Multicloud Defense Gateway cannot negotiate a version that meets the minimum TLS version specified, the gateway drops the session and logging a TLS_ERROR
event.
Note |
Only a single minimum TLS version can be applied to a gateway. A consistent minimum TLS version must be used across all decryption profiles referenced by all service objects that are used within a policy ruleset or policy ruleset group. If different minimum TLS versions are specified, the minimum TLS version that will be applied cannot be predetermined. |
Cipher Suites
The Multicloud Defense Gateway supports a set of default and user-selectable cipher suites. The default set are PFS cipher suites that are always selected. The user-selectable set are Diffie-Hellman and PKCS (RSA) cipher suites that can be selected by the user. The combined set of cipher suites (default and user-selected) are used by the gateway for establishing a secure front-end encrypted session. The client will send an ordered list of preferred cipher suites. The gateway will respond with a cipher suite chosen from the ordered set submitted by the client and the set available by the gateway. If the client allows the server to define the order, then the cpher suite chosen is from the ordered set available by the gateway and the set submitted by the client.
With version 24.10 and later, the Multicloud Defense Controller assists the creation of your decryption profile by auto-selecting the strongest cipher suites once you've chosen the minimum TLS version. Note that both the Multicloud Defense Controller and the Multicloud Defense Gateway must be running at least version 24.10. Older gateway versions do not support this automated help feature and you cannot edit the ciphers suites of an existing decrpytion profile. We strongly recommend updating your gateway to match at least version 24.10 to take advantage of this functionality.
The following is an ordered list of cipher suites supported by the gateway and available in a decryption profile:
Category |
Cipher Suite |
Key Exchange |
Cipher |
Hash |
Default |
---|---|---|---|---|---|
PFS |
ECDHE-RSA-AES256-GCM-SHA384 |
ECDHE-RSA |
AES256-GCM |
SHA384 |
✅ |
PFS |
ECDHE-RSA-AES256-CBC-SHA384 |
ECDHE-RSA |
AES256-CBC |
SHA384 |
✅ |
Diffie-Hellman |
DH-RSA-AES256-GCM-SHA384 |
DH-RSA |
AES256-GCM |
SHA384 |
|
PFS |
DHE-RSA-AES256-GCM-SHA384 |
DHE-RSA |
AES256-GCM |
SHA384 |
✅ |
PFS |
DHE-RSA-AES256-CBC-SHA256 |
DHE-RSA |
AES256-CBC |
SHA384 |
✅ |
PFS |
DHE-RSA-AES256-CBC-SHA |
DHE-RSA |
AES256-CBC |
SHA |
✅ |
Diffie-Hellman |
DH-RSA-AES256-SHA256 |
DH-RSA |
AES256-CBC |
SHA256 |
|
Diffie-Hellman |
DH-RSA-AES256-SHA |
DH-RSA |
AES256-CBC |
SHA160 |
|
PKCS (RSA) |
AES256-GCM-SHA384 |
PKCS-RSA |
AES256-GCM |
SHA384 |
|
PKCS (RSA) |
AES256-SHA256 |
PKCS-RSA |
AES256-CBC |
SHA256 |
|
PKCS (RSA) |
AES256-SHA |
PKCS-RSA |
AES256-CBC |
SHA160 |
|
PFS |
ECDHE-RSA-AES128-GCM-SHA256 |
ECDHE-RSA |
AES128-GCM |
SHA256 |
✅ |
PFS |
ECDHE-RSA-AES128-CBC-SHA256 |
ECDHE-RSA |
AES128-CBC |
SHA256 |
✅ |
Diffie-Hellman |
DH-RSA-AES128-GCM-SHA256 |
DH-RSA |
AES128-GCM |
SHA256 |
|
PFS |
DHE-RSA-AES128-GCM-SHA256 |
DHE-RSA |
AES128-GCM |
SHA256 |
✅ |
PFS |
DHE-RSA-AES128-CBC-SHA256 |
DHE-RSA |
AES128-CBC |
SHA256 |
✅ |
Diffie-Hellman |
DH-RSA-AES128-SHA256 |
DH-RSA |
AES128-CBC |
SHA256 |
|
Diffie-Hellman |
DH-RSA-AES128-SHA |
DH-RSA |
AES128-CBC |
SHA160 |
|
PKCS (RSA) |
AES128-GCM-SHA256 |
PKCS-RSA |
AES128-GCM |
SHA256 |
|
PKCS (RSA) |
AES128-SHA256 |
PKCS-RSA |
AES128-CBC |
SHA256 |
|
PKCS (RSA) |
AES128-SHA |
PKCS-RSA |
AES128-CBC |
SHA160 |
|
PFS |
ECDHE-RSA-DES-CBC3-SHA |
ECDHE-RSA |
DES-CBC3 |
SHA |
✅ |
PFS |
ECDHE-RSA-RC4-SHA |
ECDHE-RSA |
RC4 |
SHA |
✅ |
PKCS (RSA) |
RC4-SHA |
PKCS-RSA |
RC4 |
SHA160 |
|
PKCS (RSA) |
RC4-MD5 |
PKCS-RSA |
RC4 |
SHA160 |
Create a Decryption Profile
Use the following procedure to create a decryption profile.
Procedure
Step 1 |
Navigate to . |
Step 2 |
Click Create. |
Step 3 |
Specify a Profile Name and a Description. |
Step 4 |
For Certificate Method choose Select Existing. |
Step 5 |
For Certificate choose the desired certificate. |
Step 6 |
For Min TLS Version choose the lowest TLS version that is accepted by the decryption profile. The default is TLS 1.0. |
Step 7 |
If using non-default (non-PFS) cipher suites, select the set of desired cipher suites from the Diffie- Hellman or PKCS (RSA) menus. |
Step 8 |
Click Save. |
What to do next
Attach the profile to a policy rule set. See Rule Sets and Rule Set Groups for more information.