Managing your TLS inspection configuration in Network Firewall - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing your TLS inspection configuration in Network Firewall

This section describes how to create, update, and delete a TLS inspection configuration in Network Firewall. To turn on TLS inspection for your firewall, create a TLS inspection configuration, add the TLS inspection configuration to a firewall policy, then associate the firewall policy with your firewall.

You can only add a TLS inspection configuration to a new policy, not to an existing policy. However, you can replace an existing TLS inspection configuration with another TLS inspection configuration in a firewall policy. To add a TLS inspection configuration to a firewall policy or update an existing TLS inspection configuration, see Managing your firewall policy.

Note

A TLS inspection configuration is only available for use by the account that you use to create it. It can't be shared across accounts.

Creating a TLS inspection configuration in Network Firewall

This procedure explains how to create a TLS inspection configuration using Network Firewall. To follow this procedure, you must have at least one certificate in Amazon Certificate Manager (ACM) that's accessible by your Amazon account.

To create a TLS inspection configuration using the console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, under Network Firewall, choose TLS inspection configurations.

  3. Choose Create TLS inspection configuration.

  4. In the Associate SSL/TLS certificates page, configure Server certificates for inbound SSL/TLS inspection, CA certificate for outbound SSL/TLS inspection, or both.

  5. Choose Next to go to the TLS inspection configuration's Describe TLS inspection configuration page.

  6. Enter a Name to identify this TLS inspection configuration.

    Warning

    You can't change the name after you create the TLS inspection configuration.

  7. (Optional) Enter a Description for the TLS inspection configuration.

  8. Choose Next to go to the TLS inspection configuration's Define scope page.

  9. In the Scope configuration pane, choose the protocol, source, source port range, destination, and destination port range of the traffic that you want Network Firewall to decrypt. Network Firewall uses the associated certificates to decrypt the SSL/TLS traffic that matches the scope configuration. After Network Firewall decrypts the traffic, the service inspects the traffic according to your firewall policy's stateful rules.

    Network Firewall also automatically configures a reverse scope, ensuring that the service inspects the traffic in both directions.

    1. For Protocol, choose the protocol to decrypt. Network Firewall currently supports TCP.

    2. For Source IP, choose the source IP addresses and ranges to decrypt. You can decrypt by Custom IP addresses or by Any IPv4 address.

    3. For Source port, choose the source ports and source port ranges to decrypt. You can decrypt by Custom port ranges or by Any port.

    4. For Destination IP, choose the destination IP addresses and ranges to decrypt. You can decrypt by Custom IP addresses or by Any IPv4 address.

    5. For Destination port, choose the destination ports and destination port ranges to decrypt. You can decrypt by Custom port ranges or by Any port.

    6. Choose Add scope configuration. To add more scope configurations, adjust the settings in the scope configuration pane, then select Add scope configuration.

  10. Choose Next.

  11. (Optional) On the Advanced settings page, under Customer managed key, you can change the key that Network Firewall uses to encrypt and decrypt the TLS inspection configuration at rest, which protects the stored certificates and scope from unauthorized access. By default, Network Firewall uses an Amazon owned key. To use your own key, create a customer managed key in Amazon Key Management Service (Amazon KMS) and provide it to Network Firewall. For information about customer managed keys, see Encryption at rest with Amazon Key Management Service.

  12. (Optional) In the Certificate revocation status section, choose whether Network Firewall should check whether the certificate presented by the server in an outbound TLS connection has been revoked. To enable this option, you must first associate a certificate authority (CA) certificate for outbound inspection in the Associate SSL/TLS certificates step, because revocation is only checked on outbound connections. You can also configure the actions that Network Firewall takes on outbound traffic if the certificate is revoked, and separately if its revocation status can't be determined (unknown status).

  13. Choose Next.

  14. (Optional) On the Add tags page, enter a key and optional value for any tag that you want to add to this TLS inspection configuration. Tags help you to organize and manage your Amazon resources. For more information about tagging your resources, see Tagging Amazon Network Firewall resources.

  15. Choose Next.

  16. On the Review and confirm page, check the TLS inspection configuration settings. If you want to change anything, choose Edit for that section. This returns you to the corresponding step in the create TLS inspection configuration wizard. Make your changes, then choose Next on each page until you come back to the review and confirm page.

  17. Choose Create TLS inspection configuration.

Your new TLS inspection configuration is added to the list in the Network Firewall TLS inspection configurations page.

If you've configured the inspection for certificate revocation checks on outbound traffic, you can log failures for these checks by enabling TLS logging. For information, see Logging network traffic.

To use your TLS inspection configuration in a firewall policy, follow the procedures at Managing your firewall policy.
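The console wizard above corresponds to a single CreateTLSInspectionConfiguration API call. The following Python is an added example, not code from the Network Firewall documentation: it assembles that request from the same inputs the wizard asks for (certificates, scope, revocation actions, customer managed key, tags) and enforces the constraints this page states before anything is sent, namely that TCP is the only supported protocol, that at least one certificate type is required, and that revocation checking requires a CA certificate for outbound inspection. The ARNs, CIDRs, ports and names are placeholders; the request shape follows the boto3 network-firewall client's create_tls_inspection_configuration parameters.

```python
"""Assemble a Network Firewall TLS inspection configuration request.

Added example, not code from the Amazon Network Firewall documentation.
All ARNs, CIDRs, ports and names below are placeholders (assumptions).
"""
import json

TCP = 6  # IANA protocol number; the only protocol the service currently decrypts

# Placeholder resource identifiers (assumptions, not real resources).
SERVER_CERT_ARN = "arn:aws-cn:acm:cn-north-1:111122223333:certificate/server-cert-example"
CA_CERT_ARN = "arn:aws-cn:acm:cn-north-1:111122223333:certificate/ca-cert-example"
KMS_KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/example-key-id"

REVOCATION_ACTIONS = ("PASS", "DROP", "REJECT")


def scope(sources, destinations, dest_ports, source_ports=((0, 65535),), protocols=(TCP,)):
    """One scope entry (the wizard's Define scope page) in API form.

    Only the client-to-server direction is listed; Network Firewall adds the
    reverse scope itself so both directions of the flow are decrypted.
    """
    if any(p != TCP for p in protocols):
        raise ValueError("TLS inspection scopes support TCP only")
    return {
        "Sources": [{"AddressDefinition": s} for s in sources],
        "Destinations": [{"AddressDefinition": d} for d in destinations],
        "SourcePorts": [{"FromPort": lo, "ToPort": hi} for lo, hi in source_ports],
        "DestinationPorts": [{"FromPort": lo, "ToPort": hi} for lo, hi in dest_ports],
        "Protocols": list(protocols),
    }


def build_config(scopes, server_cert_arns=(), ca_cert_arn=None, revocation=None):
    """Build the TLSInspectionConfiguration document.

    server_cert_arns: ACM certificates for inbound inspection.
    ca_cert_arn:      CA certificate for outbound inspection.
    revocation:       (RevokedStatusAction, UnknownStatusAction) or None.
    """
    if not server_cert_arns and ca_cert_arn is None:
        raise ValueError("need server certificates (inbound), a CA certificate (outbound), or both")
    entry = {"Scopes": list(scopes)}
    if server_cert_arns:
        entry["ServerCertificates"] = [{"ResourceArn": arn} for arn in server_cert_arns]
    if ca_cert_arn is not None:
        entry["CertificateAuthorityArn"] = ca_cert_arn
    if revocation is not None:
        # Revocation status is checked on the server certificate of outbound
        # connections, so it only makes sense when a CA certificate is present.
        if ca_cert_arn is None:
            raise ValueError("certificate revocation checks require a CA certificate for outbound inspection")
        revoked_action, unknown_action = revocation
        for action in (revoked_action, unknown_action):
            if action not in REVOCATION_ACTIONS:
                raise ValueError(f"action must be one of {REVOCATION_ACTIONS}, got {action!r}")
        entry["CheckCertificateRevocationStatus"] = {
            "RevokedStatusAction": revoked_action,
            "UnknownStatusAction": unknown_action,
        }
    return {"ServerCertificateConfigurations": [entry]}


def create_request(name, config, description=None, kms_key_arn=None, tags=None):
    """Keyword arguments for boto3's create_tls_inspection_configuration."""
    request = {"TLSInspectionConfigurationName": name, "TLSInspectionConfiguration": config}
    if description:
        request["Description"] = description
    if kms_key_arn:  # when omitted, the service uses an Amazon owned key
        request["EncryptionConfiguration"] = {"Type": "CUSTOMER_KMS", "KeyId": kms_key_arn}
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


# Outbound inspection of egress HTTPS from one VPC CIDR, rejecting revoked
# server certificates and passing those whose status can't be determined.
EGRESS_CONFIG = build_config(
    scopes=[scope(["10.0.0.0/16"], ["0.0.0.0/0"], [(443, 443)])],
    ca_cert_arn=CA_CERT_ARN,
    revocation=("REJECT", "PASS"),
)
EGRESS_REQUEST = create_request(
    "egress-https-inspection", EGRESS_CONFIG,
    description="Decrypt outbound HTTPS from 10.0.0.0/16",
    kms_key_arn=KMS_KEY_ARN, tags={"Environment": "example"},
)

if __name__ == "__main__":
    # To submit: boto3.client("network-firewall").create_tls_inspection_configuration(**EGRESS_REQUEST)
    print(json.dumps(EGRESS_REQUEST, indent=2))
```

The validation mirrors the wizard's own ordering: certificates are chosen before scope, and the revocation section is only meaningful once a CA certificate exists. Running the file prints the request body, which you can also save and pass to the CLI as the --tls-inspection-configuration document.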

Updating a TLS inspection configuration in Network Firewall

To change your TLS inspection configuration settings, use the following procedure:

To update a TLS inspection configuration
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, under Network Firewall, choose TLS inspection configurations.

  3. On the TLS inspection configurations page, select the name of the TLS inspection configuration that you want to update.

  4. On the TLS inspection configuration page, make your changes. You can't update the name of a TLS inspection configuration after creation, but you can change other details. If you want to update the name, you must create a new TLS inspection configuration.

  5. Choose Save to save your changes.

How Network Firewall propagates your changes

When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another.

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds.

Deleting a TLS inspection configuration in Network Firewall

To delete a TLS inspection configuration, perform the following procedure.

Deleting a TLS inspection configuration

When you delete a TLS inspection configuration, Amazon Network Firewall checks whether it's currently referenced by a firewall policy. If it is, the service warns you and doesn't delete the TLS inspection configuration. Network Firewall is almost always able to determine whether a resource is referenced, but in rare cases it can't. To be sure that the resource you want to delete isn't in use, check all of your firewall policies before deleting it.
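Because the service's own reference check can occasionally miss a reference, the paragraph above recommends checking every firewall policy first. The following Python is an added example, not code from the Network Firewall documentation: it pages through ListFirewallPolicies, describes each policy, and reports those whose TLSInspectionConfigurationArn matches the configuration you intend to delete. The FakeClient and the ARNs are constructed stand-ins so it runs offline; in real use pass boto3.client("network-firewall") instead.

```python
"""Find firewall policies that still reference a TLS inspection configuration.

Added example, not code from the Amazon Network Firewall documentation.
`client` is assumed to expose list_firewall_policies and
describe_firewall_policy with boto3's network-firewall response shapes; the
FakeClient and sample ARNs below are constructed so this runs offline.
"""


def referencing_policies(client, tls_config_arn):
    """Return the ARNs of every firewall policy whose TLSInspectionConfigurationArn
    equals tls_config_arn, following NextToken pagination so no policy is skipped."""
    found = []
    kwargs = {}
    while True:
        page = client.list_firewall_policies(**kwargs)
        for summary in page.get("FirewallPolicies", []):
            arn = summary["Arn"]
            policy = client.describe_firewall_policy(FirewallPolicyArn=arn)["FirewallPolicy"]
            if policy.get("TLSInspectionConfigurationArn") == tls_config_arn:
                found.append(arn)
        token = page.get("NextToken")
        if not token:
            return sorted(found)
        kwargs = {"NextToken": token}


def safe_to_delete(client, tls_config_arn):
    """True only when no firewall policy references the configuration."""
    return not referencing_policies(client, tls_config_arn)


# --- constructed offline stand-in for the boto3 client (assumed data) --------
TLS_ARN = "arn:aws-cn:network-firewall:cn-north-1:111122223333:tls-configuration/egress-https"
POLICY_PREFIX = "arn:aws-cn:network-firewall:cn-north-1:111122223333:firewall-policy/"

# policy ARN -> TLS inspection configuration ARN it references (None = none)
SAMPLE_POLICIES = {
    POLICY_PREFIX + "dmz-policy": TLS_ARN.replace("egress-https", "ingress-web"),
    POLICY_PREFIX + "egress-policy": TLS_ARN,
    POLICY_PREFIX + "egress-policy-v2": TLS_ARN,
    POLICY_PREFIX + "legacy-policy": None,
}


class FakeClient:
    """Minimal stand-in for boto3.client('network-firewall'); two policies per page
    so the pagination path in referencing_policies is exercised."""

    PAGE = 2

    def __init__(self, policies):
        self._policies = policies
        self._arns = sorted(policies)

    def list_firewall_policies(self, NextToken=None, MaxResults=None):
        start = int(NextToken) if NextToken else 0
        chunk = self._arns[start:start + self.PAGE]
        page = {"FirewallPolicies": [{"Name": a.rsplit("/", 1)[1], "Arn": a} for a in chunk]}
        if start + self.PAGE < len(self._arns):
            page["NextToken"] = str(start + self.PAGE)
        return page

    def describe_firewall_policy(self, FirewallPolicyArn=None, FirewallPolicyName=None):
        policy = {"StatelessDefaultActions": ["aws:forward_to_sfe"],
                  "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]}
        if self._policies[FirewallPolicyArn]:
            policy["TLSInspectionConfigurationArn"] = self._policies[FirewallPolicyArn]
        return {"FirewallPolicyResponse": {"FirewallPolicyArn": FirewallPolicyArn},
                "FirewallPolicy": policy}


if __name__ == "__main__":
    client = FakeClient(SAMPLE_POLICIES)  # real use: boto3.client("network-firewall")
    for arn in referencing_policies(client, TLS_ARN):
        print("still referenced by", arn)
    print("safe to delete:", safe_to_delete(client, TLS_ARN))
```

Run this in every account and Region where the firewall policies live before choosing Delete; a configuration can't be shared across accounts, so the policies that reference it are always in the account that created it.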

To delete a TLS inspection configuration
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, under Network Firewall, choose TLS inspection configurations.

  3. On the TLS inspection configurations page, select the TLS inspection configuration that you want to delete.

  4. Choose Delete, and confirm your request.

Your TLS inspection configuration is removed from the list on the TLS inspection configurations page.