Create a TLS Inspection Policy

To simplify the configuration of the first TLS Inspection policy, you can use the TLS Inspection wizard or manually create your policy using the UI. This topic does not describe the wizard configuration, only the manual configuration steps.
The following prerequisites apply to TLS Inspection in policies. Activate the following settings; by default, they are deactivated.
  • Activate the TLS Inspection settings per gateway. Navigate to Security > TLS Inspection and select the Settings tab. Select one or more gateways from the list of TLS-enabled gateways and click Turn On.
  • Activate the URL Database on the Edge cluster. Navigate to Security > General Settings > URL Database. Edge nodes must have Internet connectivity so that the NSX Threat Intelligence Cloud Service (NTICS) can complete URL database downloads.
  • To view TLS Inspection statistics on the Security dashboard, deploy NSX Application Platform in your NSX 3.2 or later environment and ensure it is in a good state. A specific license is required for time-series monitoring. For details, see the Deploying and Managing NSX Application Platform guide and Monitoring Security Statistics.
The wizard provides a walk-through of the TLS Inspection configuration workflow for your tier-1 gateway firewalls. The wizard is displayed on the TLS Inspection home page only for the first policy, but you can also access it from the All Shared Rules and Gateway Specific Rules tabs. You can skip the configuration wizard and complete the policy creation and the decryption action profile setup manually by clicking Skip on the opening page.
  1. With admin privileges, log in to NSX Manager.
  2. Select Security > TLS Inspection.
  3. Select the category in which to define the policy, then click Add Policy.
  4. Enter a name for the new policy.
  5. (Optional) To prevent multiple users from making changes to the section, click the Advanced Configuration icon, then click Locked and Apply.
  6. Select the policy you created, then click Add Rule. Configure the following rule fields:
     • Source, Destination, and L4 services: Matches the same fields of the incoming traffic as a gateway firewall rule.
     • Context profile: Define and select a context profile for classifying the traffic based on URL Category, Reputation, and Domain name. For details, see Context Profiles.
     • Decryption action profile: Define and select the decryption action profile for the matched traffic. This can be an external, internal, or bypass profile. For details, see Creating TLS Decryption Action Profiles.
     • Applied to: Select one or more tier-1 gateways.
  7. Click Publish.
     You have completed your policy creation.
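The following Python model is an added example, not NSX code and not a use of the NSX API. It shows how the rule fields configured in step 6 combine when a TLS flow is evaluated: a rule applies only on a tier-1 gateway it is applied to and on which TLS Inspection has been turned on (the first prerequisite above), it matches on source, destination and L4 service like a gateway firewall rule, it optionally narrows the match with a context profile (URL category, reputation, domain), and the matching rule's decryption action profile decides between external, internal and bypass. It assumes first-match-wins ordering, glob-style domain patterns and free-form reputation labels; the gateway names, rule names, categories and flows are constructed for the example.

```python
"""Illustrative model of TLS Inspection policy evaluation (added example, not NSX code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

# The three decryption action profile types named in the procedure.
VALID_ACTIONS = {"external", "internal", "bypass"}


@dataclass
class ContextProfile:
    """Classifies a flow by URL category, reputation label or domain pattern.
    An empty set means that attribute is not used for matching."""
    url_categories: set[str] = field(default_factory=set)
    reputations: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)  # glob patterns (assumption), e.g. "*.corp.example"

    def matches(self, flow: "Flow") -> bool:
        if self.url_categories and flow.url_category not in self.url_categories:
            return False
        if self.reputations and flow.reputation not in self.reputations:
            return False
        if self.domains and not any(fnmatch(flow.domain, p) for p in self.domains):
            return False
        return True


@dataclass
class Flow:
    """One TLS session as seen by the gateway, with the attributes the rule fields match on."""
    gateway: str
    src: str
    dst: str
    service: str          # e.g. "TCP/443"
    domain: str = ""
    url_category: str = ""
    reputation: str = ""


def _in_any(addr: str, cidrs: list[str]) -> bool:
    """True when the CIDR list is empty (any) or contains the address."""
    return not cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


@dataclass
class Rule:
    name: str
    action: str                          # decryption action profile type
    applied_to: set[str]                 # tier-1 gateway names
    sources: list[str] = field(default_factory=list)       # CIDRs; empty = any
    destinations: list[str] = field(default_factory=list)  # CIDRs; empty = any
    l4_services: set[str] = field(default_factory=set)     # empty = any
    context: Optional[ContextProfile] = None

    def __post_init__(self) -> None:
        # Reject a rule whose action is not one of the three profile types.
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"rule {self.name!r}: unknown action {self.action!r}")

    def matches(self, flow: Flow) -> bool:
        return (
            flow.gateway in self.applied_to
            and _in_any(flow.src, self.sources)
            and _in_any(flow.dst, self.destinations)
            and (not self.l4_services or flow.service in self.l4_services)
            and (self.context is None or self.context.matches(flow))
        )


def evaluate(rules: list[Rule], tls_enabled_gateways: set[str], flow: Flow) -> tuple[Optional[str], str]:
    """Return (matching rule name, action). A flow on a gateway where TLS Inspection
    is not turned on, or one matching no rule, is left untouched ("none")."""
    if flow.gateway not in tls_enabled_gateways:
        return None, "none"
    for rule in rules:  # first match wins (assumption, as for gateway firewall rules)
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "none"


# Constructed sample policy: bypass a sensitive category and internal domains,
# decrypt the remaining outbound HTTPS from the private range with an external profile.
TLS_ENABLED = {"t1-web"}
SAMPLE_RULES = [
    Rule("bypass-finance", "bypass", {"t1-web"}, context=ContextProfile(url_categories={"Finance"})),
    Rule("bypass-corp-domains", "bypass", {"t1-web"}, context=ContextProfile(domains={"*.corp.example"})),
    Rule("decrypt-outbound-443", "external", {"t1-web"}, sources=["10.0.0.0/8"], l4_services={"TCP/443"}),
]

if __name__ == "__main__":
    for f in (
        Flow("t1-web", "10.1.2.3", "203.0.113.10", "TCP/443", "bank.example", "Finance", "Trustworthy"),
        Flow("t1-web", "10.1.2.3", "203.0.113.20", "TCP/443", "news.example", "News"),
        Flow("t1-other", "10.1.2.3", "203.0.113.20", "TCP/443", "news.example", "News"),
    ):
        print(f.gateway, f.domain, "->", evaluate(SAMPLE_RULES, TLS_ENABLED, f))
```

Rule order matters in this model exactly as it does in the published policy: the bypass rules sit above the decrypt rule so that sensitive categories and internal domains are never decrypted, and a flow arriving on a gateway that was not turned on under Settings is not evaluated at all, which is the usual reason a freshly published policy appears to do nothing.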