How to implement SSL keyrings, SSL service intercept, and CPL rules using CLI mode on the ProxySG appliance

Article ID: 168913

Products

ProxySG Software - SGOS

Issue/Introduction

The customer would like to know how to implement the following through CLI mode.
  • SSL keyrings
  • SSL service intercept
  • SSL Intercept CPL rules

Cause

The customer environment/management doesn't allow GUI mode for ProxySG appliance management; only SSH CLI mode is allowed.

Resolution

How to Write Policy Using CLI

There is no command-line method for entering VPM policy. You can use CPL to write policy in text form; it is harder to maintain than VPM policy written in the ProxySG Management Console. Use CLI commands to create policy when the VPM cannot be used.

SSH into the ProxySG appliance, change to Enable mode, and enter the following:

SG300 Series#conf t 
SG300 Series#(config)inline policy local end-631531068-inline 

<< copy and paste the entry below >>

<SSL-Intercept> 
ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(SSLKeyrings) 
end-631531068-inline 

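As an added example (not from this article), the same <SSL-Intercept> layer extended with a bypass rule so that connections to one domain are tunnelled without decryption; hr.example.com is a placeholder, and the keyring named in the intercept rule must match a keyring that exists on the appliance (this article's policy uses SSLKeyrings while its create commands use testcerts).

```cpl
; Added example, not from the article. hr.example.com is a placeholder domain.
; Within a layer the first matching rule wins, so bypass rules must come
; before the catch-all intercept rule.
<SSL-Intercept>
    url.domain=hr.example.com ssl.forward_proxy(no)   ; tunnel only, do not decrypt
    ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(SSLKeyrings)
```

Paste the block between the `inline policy local <marker>` command and the end marker; the marker string must not occur anywhere inside the policy text, or input stops early.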
Create a CSR

SG300 Series#conf t
SG300 Series#(config)ssl
SG300 Series#(config ssl)create keyring show testcerts 2048
SG300 Series#(config ssl)create signing-request "testcerts" cn "ProxySG" challenge "ProxySG" c "CC" state "State" city "City" o "Group" ou "proxyname_IP" email "[email protected]" company "Company Name"
SG300 Series#(config ssl)exit


Create a Self-signed Certificate

SG300 Series#conf t
SG300 Series#(config)ssl
SG300 Series#(config ssl)create keyring show testcerts 2048
SG300 Series#(config ssl)create certificate "testcerts" cn "ProxySG" challenge "ProxySG" c "CC" state "State" city "City" o "Group" ou "proxyname_IP" email "[email protected]" company "Company Name"
SG300 Series#(config ssl)exit

Legend
CC = Country Code 
 

Intercept Proxy Services

SG300 Series#conf t
SG300 Series#(config)proxy-services
SG300 Series#(config proxy-services)view    <<<<<<<<< view available proxy services


Transparent ProxySG

SG300 Series#(config proxy-services)edit "HTTPS"
SG300 Series#(config HTTPS)view    <<<<<<<<< to view current configuration
SG300 Series#(config HTTPS)?    <<<<<<<<< to view available commands
SG300 Series#(config HTTPS)intercept all all 443    <<<<<<<<< to intercept source=any destination=any and port 443
SG300 Series#(config HTTPS)exit

 

Explicit ProxySG

SG300 Series#(config proxy-services)edit "explicit http"
SG300 Series#(config Explicit HTTP)view    <<<<<<<<< to view current configuration
SG300 Series#(config Explicit HTTP)?    <<<<<<<<< to view available commands
SG300 Series#(config Explicit HTTP)intercept all explicit 8080
SG300 Series#(config Explicit HTTP)intercept all explicit 80
SG300 Series#(config Explicit HTTP)attribute detect-protocol enable
SG300 Series#(config Explicit HTTP)exit