Create a TLS Inspection Policy
To simplify the configuration of the first TLS Inspection policy, you can use the TLS Inspection wizard, or you can create the policy manually in the UI. This topic describes only the manual configuration steps, not the wizard.

The following prerequisites apply to TLS Inspection in policies. Activate the following settings; by default, they are deactivated.
- Activate TLS Inspection settings per gateway. On the TLS Inspection home page, select the Settings tab, select one or more gateways from the list of TLS-enabled gateways, and click Turn On.
- Activate the URL Database on the Edge cluster. Edge nodes must have Internet connectivity so that the NSX Threat Intelligence Cloud Service (NTICS) can download the URL database; without it, context profiles cannot classify traffic by URL category, reputation, or domain name.
- To view TLS Inspection statistics in the Security dashboard, deploy NSX Application Platform in your NSX 3.2 or later environment and ensure it is in a good state. A specific license is required for time-series monitoring. For details, see the Deploying and Managing NSX Application Platform guide and Monitoring Security Statistics.
The wizard walks you through the TLS Inspection configuration workflow for your tier-1 gateway firewalls. The wizard is displayed on the TLS Inspection home page only for the first policy, but you can also open it from the All Shared Rules and Gateway Specific Rules tabs. You can skip the wizard and complete the policy creation and the decryption action profile setup manually by clicking Skip on the opening page.

- With admin privileges, log in to NSX Manager.
- Navigate to the TLS Inspection page.
- Select the category (All Shared Rules or Gateway Specific Rules) in which to define the policy, then click Add Policy.
- Enter a name for the new policy.
- (Optional) To prevent other users from changing the section while you work on it, click the Advanced Configuration icon, then click Locked and Apply.
- Select the policy you created, click Add Rule, and set the following fields:
  - Source, Destination, and L4 services: match the same fields of incoming traffic that a gateway firewall rule matches.
  - Context profile: define and select a context profile that classifies the traffic by URL Category, Reputation, and Domain name. For details, see Context Profiles.
  - Decryption action profile: define and select the decryption profile applied to matched traffic. This can be an external, internal, or bypass profile. Use a bypass profile for traffic that must not be decrypted, for example applications that pin their server certificates, which fail when the gateway substitutes its own. For details, see Creating TLS Decryption Action Profiles.
  - Applied to: select one or more tier-1 gateways.
- Click Publish. You have completed the policy creation.
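After publishing, a practitioner usually wants to confirm which way a rule actually handled a connection. The following Python script is an added example, not code from the NSX documentation or from VMware. It assumes that a rule matching an external decryption action profile re-signs the origin server's certificate with the gateway's inspection CA, so a client behind the tier-1 gateway sees that CA as the issuer, while a bypass profile (or no matching rule) leaves the origin certificate untouched. The inspection CA name, the sample certificates, and the host names are constructed placeholders; `probe()` additionally assumes the `cryptography` package is installed.

```python
"""Client-side check of what a TLS Inspection rule did to a connection.

Added example, not from the NSX documentation. Assumption: an external
decryption action profile re-signs the server certificate with the gateway's
inspection CA; a bypass profile passes the origin certificate through.
"""
import socket
import ssl
import sys

# Constructed placeholder: distinguished-name attributes of the gateway's
# inspection CA. Replace with the CA configured in your decryption profile.
INSPECTION_CA_DN = {
    "organizationName": "Example Corp",
    "commonName": "Example TLS Inspection CA",
}

# Constructed samples in the nested-tuple layout that
# ssl.SSLSocket.getpeercert() uses for 'issuer' and 'subject'.
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example TLS Inspection CA"),),
    ),
}
SAMPLE_BYPASSED = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public CA R3"),),
    ),
}


def name_to_dict(name):
    """Flatten getpeercert()'s tuple-of-RDNs into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def classify(peercert, inspection_ca_dn=INSPECTION_CA_DN):
    """'decrypted' if the leaf was issued by the inspection CA (external
    profile matched), 'passthrough' for any other issuer (bypass profile or
    no matching rule), 'no-cert' if nothing was presented."""
    if not peercert:
        return "no-cert"
    issuer = name_to_dict(peercert.get("issuer", ()))
    if all(issuer.get(k) == v for k, v in inspection_ca_dn.items()):
        return "decrypted"
    return "passthrough"


def probe(host, port=443, timeout=5.0):
    """Connect to host:port from behind the gateway and classify the
    certificate it presents. Verification is disabled on purpose: a
    re-signed certificate fails the system trust store, and the goal is to
    observe it, not reject it. Diagnostic only, never use as a client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    # Under CERT_NONE getpeercert() returns {}, so decode the DER with the
    # 'cryptography' package (assumed installed) into the same tuple layout.
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    cert = x509.load_der_x509_certificate(der)
    wanted = {
        "countryName": NameOID.COUNTRY_NAME,
        "organizationName": NameOID.ORGANIZATION_NAME,
        "commonName": NameOID.COMMON_NAME,
    }
    issuer = tuple(
        ((attr, a.value),)
        for attr, oid in wanted.items()
        for a in cert.issuer.get_attributes_for_oid(oid)
    )
    return classify({"issuer": issuer})


if __name__ == "__main__":
    # Usage: python check_tls_inspection.py www.example.com bank.example
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it from a workload behind the tier-1 gateway against one destination that should hit the external profile and one that should hit the bypass profile; a "passthrough" result for the first means the rule did not match (check Applied to, the context profile's URL category, and that the URL database on the Edge cluster has finished downloading), and a "decrypted" result for the second means the bypass is not taking effect.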