McAfee Enterprise MVISION Cloud

Sending Tapped SSL Traffic to a Monitoring Device

You can send tapped SSL traffic in decrypted format through an interface on a Secure Web Gateway appliance to a monitoring device.

NOTE: The information provided here regarding SSL also applies when the newer version of this protocol known as TLS (Transport Layer Security) is used.

SSL-secured traffic can be tapped on Secure Web Gateway, which means that its decrypted content is inspected. Tapping is a "silent" inspection method: the traffic is only looked into and is not interfered with in any other way.

You can configure more than one interface to send copies of the decrypted traffic to different monitoring devices.

Tapping can be applied on Secure Web Gateway to SSL-secured traffic under HTTPS, including any subversion of this protocol. HTTP2 is, however, not supported. When tapping is configured on Secure Web Gateway, HTTP2 traffic is not processed.

The Enable SSL Tap event is provided, which must be included in a suitable rule to enable the tapping. The rule must be applied when the CONNECT call is handled within the process of performing SSL-secured communication.

Sample rule for enabling SSL tapping

The following conditions must be met when using a rule with an event for enabling SSL tapping:

  • The rule must be placed in a rule set that has Command.Name equals "CONNECT" as one of its criteria. This is the case in the embedded Handle CONNECT Call rule set of the default SSL Scanner rule set.
  • The rule set must be configured for the request cycle.
  • Content inspection must be activated. This is the case if you enable the embedded Content Inspection rule set of the default SSL Scanner rule set.

A suitable property for the rule criteria is, for example, Client.IP or URL.Host. A rule that enables SSL tapping for all traffic sent in requests for access to hosts that are on a particular list might look as follows.

Name: Enable SSL tapping for requests sent to listed hosts

  Criteria: URL.Host is in list SSL Tapping Host List
  Action:   Continue
  Event:    Enable SSL Tap

Configure sending tapped SSL traffic to a monitoring device

Configure the sending of tapped SSL traffic to a monitoring device by configuring an interface to this device on Secure Web Gateway and creating a rule that enables the tapping.

  1. Configure at least one interface to a monitoring device.
    1. Select Configuration | Appliances.
    2. On the appliances tree, select the appliance that you want to configure an interface on, then click SSL Tap.
    3. Configure the SSL Tap settings.
  2. Create a rule that uses the Enable SSL Tap event.
  3. Click Save Changes.

SSL traffic can now be tapped and sent in decrypted format to the monitoring devices that you configured interfaces for. The tapped traffic is sent if the rule that you created applies.
