How to disable certain cipher suite when enabling WAF policy with SSL decryption?

Dasani1995 Lv1Posted 2023-Nov-28 19:33

Hi, I'm looking for any documentation or guide on how to disable certain cipher suite or TLS 1.0/1.1 when enabling access to a web server with WAF policy and SSL decryption in place?

I've enable WAF policies and set the decryption, however upon checking with SSL checker, the checker detected that TLS 1.0 and 1.1 is still supported. This include variety of obsolete cipher suites enabled e.g TLS_RSA_WITH_NULL_MD5 (0x1).

And this is not NGAF webGui TLS checkbox setting, but rather access to a webserver with WAF policy and decryption turn on properly (all certificates are properly configured)

Any help on this is highly appreciated. Thank you in advance.

Tammee Ong has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Thank you for bringing this issue to our attention. To ensure that we can provide you with the most accurate assistance, we recommend reaching out directly to our technical support team. Kindly send an email to tech.support@sangfor.com, and they will help you through the necessary adjustments to the device backend.
Is this answer helpful?
Newbie405830 Lv1Posted 2024-Jan-11 16:54
  
I have the same issue with SSL Decryption that's enable TLS 1.0 and TLS 1.1, anyone help please.
I already create support case but not any response
NandangGozali Lv1Posted 2024-Jan-25 11:44
  
This is a some bug on the Sangfor NGAF and Sangfor Engineer make some change on Back End when remote session. I think Sangfor Development Team need to build some UI feature to disable TLS and weak ciphers on SSL Decryption.
Newbie522486 Lv1Posted 2024-Mar-18 17:33
  
In order to disable TLS and weak ciphers on SSL Decryption, I believe the Sangfor Development Team needs to create some user interface features at some point.
GLyO Lv1Posted 2024-Aug-20 15:18
  
Dear Colleagues, did you find the solution for this case?
What is the way to disable weak cipher?
If there is no any, a lot of customers will be out of NGAF's range beacuse of PCI DSS requirements...  
Newbie650977 Lv1Posted 2024-Aug-21 21:24
  
The purpose of AF's SSL decryption is to decrypt HTTPS traffic from external access to internal servers and internal access to internet HTTPS sites.

The principles of AF's SSL decryption are:
1. Decrypting traffic to internal servers: This requires NGAF to import the server's certificate (including the digital certificate and private key). When users access the server's services, NGAF can use the private key to decrypt the data accessing the server, analyzing IPS and WAF attacks targeting the server, and processing the data according to policy actions.

2. Decrypting site access data: NGAF acts as an SSL middleman, impersonating the server to perform an SSL handshake with the client while simultaneously acting as an SSL client to perform another SSL handshake with the target server. By establishing two SSL connections, it decrypts the data users access on the server and provides protection. This is mainly used for encrypted email security, HTTPS antivirus, HTTPS URL filtering, and HTTPS upload/download filtering.

The decryption module of AF has two functions: protecting the server and protecting the client.
1. Server Protection Scenario: Decryption is used to decrypt traffic to specified HTTPS servers, with the decrypted plaintext data sent to IPS, WAF, and other functions for detection.

2. Client Protection Scenario: This is primarily for internal network users accessing the internet through the device. It decrypts the traffic of encrypted emails and HTTPS data, sending the decrypted data to gateway antivirus, IPS policy matching, and URL filtering for detection.

Starting from the standard version AF6.3, the SSL decryption feature is supported. This feature requires AF to be integrated into the network (e.g., in routing mode, bridge mode, hybrid mode, etc.). It does not support decryption in bypass mirror mode for recording HTTPS site activity.

Note: Prior to the standard version AF8.0.75, AF decryption does not support TLS1.3. From the standard version AF8.0.75 onwards, AF decryption supports TLS1.3.

Applicable Scenarios: SSL decryption is used for internal network users accessing the internet through the device, decrypting encrypted emails and HTTPS data; and in scenarios where the internal network has encrypted servers, AF decrypts the traffic accessing the servers to protect them.

Usage Conditions:

- Prior to the standard version AF8.0.7, AF requires activation of the SSL decryption module to enable SSL decryption functionality.
- From version AF8.0.7 onwards, devices with 4GB or more memory have SSL decryption enabled by default without additional authorization; devices with less than 4GB memory do not support decryption.

Preparation Before Configuration:
1. The server's public and private keys (obtained from a third-party certificate authority).
2. For versions prior to AF8.0.7, ensure the SSL decryption module is authorized.
  - For standard version AF7.3: Check under [System] - [System Configuration] - [Serial Number] to see if the SSL decryption function is activated.
  - For standard version AF7.4: Check under [System] - [System Configuration] - [General Configuration] - [Serial Number] to see if the SSL decryption function is activated.

Note: AF's SSL decryption supports decrypting HTTPS traffic that passes through a proxy.

Configuration for Decrypting Site Access Data:
1. For standard version AF7.4 and above: In [Policy] - [Decryption], select [Decrypt Site Access Data] under the corresponding policy's [Service Type]. You can then check [Prompt User to Install Root Certificate When Browsing Webpage] and enter the corresponding domain name, enabling the firewall's root certificate to be downloaded and installed upon accessing the domain, or you can directly download and install the corresponding certificate from this interface.

2. For standard version AF7.3: In [Decryption] - [Decryption], select [Decrypt Site Access Data] under the corresponding policy's [Service Type]. You can then check [Prompt User to Install Root Certificate When Browsing Webpage] and enter the corresponding domain name, enabling the firewall's root certificate to be downloaded and installed upon accessing the domain, or you can directly download and install the corresponding certificate from this interface.

Configuration for Decrypting Internal Server Traffic:
1. For standard versions AF7.4 to AF8.0.85: Users need to provide the public and private key certificates for the HTTPS server. Import the corresponding server certificate in [Policy] - [Decryption] - [Server Certificate] (ensure the server certificate format is correct). Note: The HTTPS certificate must be exported from the website or provided by the user.

2. For standard version AF7.3: Users need to provide the public and private key certificates for the HTTPS server. Import the corresponding server certificate in [Decryption] - [Server Certificate] (ensure the server certificate format is correct).

I hope this information proves helpful to you. Best of luck!
GLyO Lv1Posted 2024-Aug-29 00:33
  
Hey, thank you for reply, but basic information and configuration I am already got.
The case is:
There is a internal Web server which I am protecting with NGAF . External users connect to it with SSL. NGAF acts in the middle and decrypt/encrypt traffic to check it.
The question is how can I configure NGAF to rejects SSL connection with certain, old, weak cipher , hash in SSL???? Where I can find this parameters to configure????!!

   
Tammee Ong Lv1Posted 2024-Aug-30 09:43
  
Thank you for bringing this issue to our attention. To ensure that we can provide you with the most accurate assistance, we recommend reaching out directly to our technical support team. Kindly send an email to tech.support@sangfor.com, and they will help you through the necessary adjustments to the device backend.

I Can Help:

Change

Moderator on This Board

11
8
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
138
3

Started Topics

Followers

Follow

Board Leaders