Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.

Rationale: Without SSL Inbound Inspection, the firewall is not able to protect SSL or TLS-enabled webservers against many threats.

Impact: Not decrypting inbound traffic to TLS encrypted services means that inspection for many common attacks cannot occur on the firewall. This means that all defenses against these attacks are up to the host.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Navigate to Policies > Decryption. Set SSL Inbound Inspection appropriately for all untrusted traffic destined for servers using SSL or TLS.

Navigate to Policies > Decryption. For each service published to the internet (or other untrusted zones), create a Policy and set the following options:

General tab:
  - Name set to a descriptive name

Source:
  - Source Zone set to the target zone (Internet in many cases)
  - Source Address set to the target address space (Any for internet traffic)

Destination tab:
  - Destination Zone should be set to the appropriate zone, or Any
  - Destination Address set to the target host address

Options tab:
  - Type set to SSL Inbound Inspection

Default Value: Not Configured
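
One way to verify the result offline, as an added example that is not part of the benchmark or of Nessus: the script below reads a decryption rulebase in the XML layout PAN-OS uses for exported configurations (assumed here) and lists published servers that no enabled SSL Inbound Inspection rule covers. The rule names, zone names, addresses and the function names are hypothetical, and the sample rulebase is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase; element layout assumed to follow a PAN-OS XML export.
SAMPLE_RULEBASE = """
<decryption><rules>
  <entry name="inbound-web01">
    <from><member>Internet</member></from><to><member>DMZ</member></to>
    <source><member>any</member></source>
    <destination><member>203.0.113.10</member></destination>
    <action>decrypt</action>
    <type><ssl-inbound-inspection>web01-cert</ssl-inbound-inspection></type>
  </entry>
  <entry name="outbound-proxy">
    <from><member>Trust</member></from><to><member>Internet</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <action>decrypt</action>
    <type><ssl-forward-proxy/></type>
  </entry>
  <entry name="inbound-mail">
    <from><member>Internet</member></from><to><member>DMZ</member></to>
    <source><member>any</member></source>
    <destination><member>203.0.113.25</member></destination>
    <action>decrypt</action>
    <type><ssl-inbound-inspection>mail-cert</ssl-inbound-inspection></type>
    <disabled>yes</disabled>
  </entry>
</rules></decryption>
"""

def members(entry, tag):
    """Return the set of <member> values under the given child element."""
    return {m.text.strip() for m in entry.findall(f"{tag}/member") if m.text}

def is_inbound_inspection(entry):
    """True for an enabled decrypt rule whose Type is SSL Inbound Inspection."""
    return (entry.find("type/ssl-inbound-inspection") is not None
            and entry.findtext("action", "").strip() == "decrypt"
            and entry.findtext("disabled", "no").strip() != "yes")

def uncovered_servers(rulebase_xml, servers, untrusted_zones):
    """List servers not matched by any inbound inspection rule from an untrusted zone.
    Destinations are compared as literal strings; address objects are not resolved."""
    covered = set()
    for entry in ET.fromstring(rulebase_xml).iter("entry"):
        zones = members(entry, "from")
        if not is_inbound_inspection(entry):
            continue
        if "any" not in zones and not zones & set(untrusted_zones):
            continue
        dests = members(entry, "destination")
        covered |= set(servers) if "any" in dests else dests & set(servers)
    return [s for s in servers if s not in covered]
```

A disabled rule and an SSL Forward Proxy rule both leave the server uncovered, which is why the sample includes one of each.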