Integrate the Edge SWG (ProxySG) with devices requiring Encrypted Tap
Article ID: 166424
Updated On:
Products
Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS
Issue/Introduction
Integrating FireEye malware scanner with Edge SWG (ProxySG) appliance (using Encrypted Tap).
Integrating Ixia Network Security Appliance with Edge SWG (ProxySG)appliance (using Encrypted Tap).
Environment
Resolution
Requirements
- SSL proxy configuration Configure the Edge SWG (ProxySG) for SSL Interception.
- Licensing: Run "#show licenses" from CLI and confirm you have valid "Encrypted Tap" license available.
Configuration Steps
Proxy Configuration:
- Connect the proxy port directly to the tapping device.
- Enable SSL Interception.
- Forward the tapped traffic to the interface id (second layer in policy shown below).
Policy Configuration:
- Browse to Configuration > Policy > Policy Files.
- Select Install Local File from:
- Select Text Editor.
- Click Install.
- Select the Append CPL Code (below).
- Click Install.
- Click Close.
<ssl-intercept>
ssl.forward_proxy(yes)
<ssl>
client.connection.encrypted_tap(0:0)
<ssl>
server.certificate.validate(no)
Verification:
- Connect a PC directly to a free port on the ProxySG appliance, and start capturing the traffic forwarded from the proxy.
- Initiate an encrypted traffic toward the ProxySG appliance using a different machine by going to any HTTPS site (https://<Your URL>.com, in this example).
- If all works fine, a decrypted version of the traffic can be observed on the capture:
Feedback
Yes
No
Powered by
