Chapter 33 SSL Inspection
ZyWALL ATP Series User’s Guide
573
33.3 Exclude List Screen
There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues
may vary by locale, so it's important to check with your legal department to make sure that it’s OK to
intercept SSL traffic from your Zyxel Device users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude
matching sessions to destination servers. This traffic is not intercepted and is passed through
uninspected.
Click
Configuration > Security Service > SSL Inspection > Exclude List
to display the following screen. Use
Add
to put a new item in the list or
Edit
to change an existing one or
Remove
to delete an existing entry.
Action for
Connection with
unsupported suit
SSL Inspection supports these cipher suites:
• DES
• 3DES
• AES
Select to
pass
or
block
unsupported traffic (such as other cipher suites, compressed traffic,
client authentication requests, and so on) that matches traffic bound to this policy here.
Log
These are the log options for unsupported traffic that matches traffic bound to this policy:
•
no
: Select this option to have the Zyxel Device create no log for unsupported traffic that
matches traffic bound to this policy.
•
log
: Select this option to have the Zyxel Device create a log for unsupported traffic that
matches traffic bound to this policy
•
log alert
: An alert is an emailed log for more serious events that may need more immediate
attention. They also appear in red in the
Monitor > Log
screen. Select this option to have the
Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
Action for
connection with
untrusted cert
chain
A certificate chain is a certification process that involves the following certificates between the
SSL/TLS server and a client. A certificate chain will fail if one of the following certificates is not
correct.
• A certificate owned by a user
• The certificate signed by a certification authority
• A root certificate
Select to
pass
,
inspect
, or
block
an untrusted certification chain.
Log
These are the log options for unsupported traffic that matches traffic bound to this policy:
•
no
: Select this option to have the Zyxel Device create no log for unsupported traffic that
matches traffic bound to this policy.
•
log
: Select this option to have the Zyxel Device create a log for unsupported traffic that
matches traffic bound to this policy
•
log alert
: An alert is an emailed log for more serious events that may need more immediate
attention. They also appear in red in the
Monitor > Log
screen. Select this option to have the
Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
OK
Click
OK
to save your settings to the Zyxel Device, and return to the profile summary page.
Cancel
Click
Cancel
to return to the profile summary page without saving any changes.
Table 229 Configuration > Security Service > SSL Inspection > Profile > Add / Edit (continued)
LABEL
DESCRIPTION