Sending tapped SSL traffic to a monitoring device

You can send tapped SSL traffic in decrypted format through an interface on a Web Gateway appliance to a monitoring device.

Note: The information provided here regarding SSL also applies when the newer version of this protocol known as TLS (Transport Layer Security) is used.

SSL-secured traffic can be tapped on Web Gateway, which means that its decrypted content is inspected. Tapping is a "silent" inspection method: the traffic is only looked into and is not otherwise interfered with.

You can configure more than one interface to send copies of the decrypted traffic to different monitoring devices.

Tapping can be applied on Web Gateway to SSL-secured traffic under HTTPS, including any sub-version of this protocol. HTTP2 is, however, not supported: when tapping is configured on Web Gateway, HTTP2 traffic is not processed.

The Enable SSL Tap event is provided for this purpose; it must be included in a suitable rule to enable tapping. The rule must be applied while the CONNECT call is handled, which is part of the process of setting up SSL-secured communication.

Sample rule for enabling SSL tapping

The following conditions must be met when using a rule with an event for enabling SSL tapping:

  • The rule must be placed in a rule set that has Command.Name equals "CONNECT" as one of its criteria. This is the case in the embedded Handle CONNECT Call rule set of the default SSL Scanner rule set.

  • The rule set must be configured for the request cycle.

  • Content inspection must be activated. This is the case if you enable the embedded Content Inspection rule set of the default SSL Scanner rule set.

A suitable property for the rule criteria is, for example, Client.IP or URL.Host. A rule that enables SSL tapping for all requests for access to hosts that are on a particular list might look as follows.

Name:     Enable SSL tapping for requests sent to listed hosts
Criteria: URL.Host is in list SSL Tapping Host List
Action:   Continue
Event:    Enable SSL Tap
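To make the three conditions and the sample rule concrete, the following Python model walks a CONNECT request through them and records when the Enable SSL Tap event would fire. It is an added illustration, not Web Gateway code: the host list contents, the request and state classes, the return labels, and the ordering of the checks (HTTP2 first, then the rule-set criteria, then the rule itself) are assumptions made for the model.

```python
# Model of the SSL tapping rule evaluation described above.
# Constructed example, not Web Gateway product code or its rule engine.
from dataclasses import dataclass, field

# Assumed contents of the "SSL Tapping Host List" referenced by the rule.
SSL_TAPPING_HOST_LIST = {"mail.example.com", "files.example.net"}


@dataclass
class Request:
    command: str            # Command.Name, e.g. "CONNECT" or "GET"
    host: str               # URL.Host
    client_ip: str          # Client.IP (an alternative rule criterion)
    cycle: str = "request"  # processing cycle the rule set is configured for
    http2: bool = False     # assumed flag marking HTTP2 traffic


@dataclass
class GatewayState:
    content_inspection: bool = True          # embedded Content Inspection rule set enabled
    tap_events: list = field(default_factory=list)  # fired "Enable SSL Tap" events


def evaluate_ssl_tap_rule(req: Request, state: GatewayState) -> str:
    """Apply the sample rule under the conditions listed above.

    Returns one of:
      "not-processed"    HTTP2 traffic is not processed when tapping is configured
      "rule-set-skipped" rule set criteria not met (Command.Name must equal
                         "CONNECT" and the rule set must run in the request cycle)
      "not-tapped"       rule set entered, but host not listed or inspection off
      "tapped"           Enable SSL Tap event fired; action is Continue
    """
    if req.http2:
        return "not-processed"
    if req.command != "CONNECT" or req.cycle != "request":
        return "rule-set-skipped"
    # Rule: URL.Host is in list SSL Tapping Host List -> Continue, Enable SSL Tap.
    # Tapping only takes effect when content inspection is active.
    if req.host in SSL_TAPPING_HOST_LIST and state.content_inspection:
        state.tap_events.append(("Enable SSL Tap", req.host))
        return "tapped"
    return "not-tapped"


def run_samples() -> list:
    """Evaluate a set of constructed requests; returns (host, outcome) pairs."""
    state = GatewayState(content_inspection=True)
    samples = [
        Request("CONNECT", "mail.example.com", "10.0.0.5"),          # listed host
        Request("CONNECT", "www.example.org", "10.0.0.5"),           # unlisted host
        Request("GET", "mail.example.com", "10.0.0.5"),              # not a CONNECT call
        Request("CONNECT", "mail.example.com", "10.0.0.5", cycle="response"),
        Request("CONNECT", "files.example.net", "10.0.0.9", http2=True),
    ]
    results = [(r.host, evaluate_ssl_tap_rule(r, state)) for r in samples]
    # A gateway with the Content Inspection rule set disabled never taps.
    off = GatewayState(content_inspection=False)
    results.append(("inspection-off", evaluate_ssl_tap_rule(samples[0], off)))
    return results


if __name__ == "__main__":
    for host, outcome in run_samples():
        print(f"{host:20} {outcome}")
```

Running the script shows only the listed host reached over a CONNECT call in the request cycle, with content inspection enabled, producing an Enable SSL Tap event; every other sample illustrates one of the conditions that prevents tapping.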