| Condition | Matches traffic | Details |
|---|---|---|
| Zones | Entering or leaving a device via an interface in a specific security zone | A security zone is a logical grouping of one or more interfaces according to your deployment and security policies. Interfaces in a zone may be located across multiple devices. Note: You cannot decrypt traffic on an inline or tap mode interface. |
| Networks | By its source or destination IP address, country, or continent | You can explicitly specify IP addresses. The geolocation feature also allows you to control traffic based on its source or destination country or continent. |
| VLAN Tags | Tagged by VLAN | The system uses the innermost VLAN tag to identify a packet by VLAN. |
| Ports | By its source or destination port | You can control encrypted traffic based on the TCP port. |
| Users | By the user involved in the session | You can control encrypted traffic based on the LDAP user logged into a host involved in an encrypted, monitored session. You can control traffic based on individual users or groups retrieved from a Microsoft Active Directory server. |
| Applications | By the application detected in a session | You can control access to individual applications in encrypted sessions, or filter access according to basic characteristics: type, risk, business relevance, and categories. |
| Categories | By the URL requested in the session, based on the certificate subject distinguished name | You can limit the websites that users on your network can access based on the URL's general classification and risk level. |
| Distinguished Names | The URL the user enters in the browser matches the Common Name (CN), or the URL is contained in the certificate's Subject Alternative Name (SAN) | You can control encrypted traffic based on the CA that issued a server certificate, or the server certificate holder. |
| Certificates | By the server certificate used to negotiate the encrypted session | You can control encrypted traffic based on the server certificate passed to the user's browser in order to negotiate the encrypted session. |
| Certificate Status | By properties of the server certificate used to negotiate the encrypted session | You can control encrypted traffic based on a server certificate's status. |
| Cipher Suites | By the cipher suite used to negotiate the encrypted session | Use cipher suite rule conditions only to block traffic. Never use cipher suite rule conditions to decrypt traffic, because these rule conditions can interfere with the system's ClientHello processing, resulting in unpredictable performance. |
| Versions | By the version of SSL or TLS used to encrypt the session | Use version rule conditions only to block traffic. Never use version rule conditions to decrypt traffic, because these rule conditions can interfere with the system's ClientHello processing, resulting in unpredictable performance. |
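The Distinguished Names row says a session matches when the host the user requested equals the certificate's CN or appears in its SAN. The following is an added illustration of that name-matching step, not Cisco code: it assumes the CN and SAN DNS names have already been parsed out of the server certificate, and applies the usual hostname-matching conventions (SAN preferred over CN, case-insensitive, a wildcard allowed only as the whole leftmost label).

```python
"""Illustrative matcher for the Distinguished Names condition (added example, not Cisco's code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the two certificate fields the condition looks at."""
    common_name: str
    san_dns_names: list[str] = field(default_factory=list)


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.net" -> ".example.net"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]         # the part the wildcard must cover
    return prefix != "" and "." not in prefix  # exactly one non-empty label


def cert_names(cert: ServerCert) -> list[str]:
    """Names the certificate vouches for: SAN entries if present, otherwise the CN."""
    return cert.san_dns_names if cert.san_dns_names else [cert.common_name]


def hostname_matches_cert(hostname: str, cert: ServerCert) -> bool:
    """True when the requested host is covered by the certificate's CN or SAN."""
    return any(_name_match(name, hostname) for name in cert_names(cert))


def dn_condition_matches(rule_names: list[str], hostname: str, cert: ServerCert) -> bool:
    """A rule lists hostnames (hypothetical shape); it fires only if the certificate
    actually covers the requested host AND that host is one the rule names."""
    if not hostname_matches_cert(hostname, cert):
        return False
    return any(_name_match(rule, hostname) for rule in rule_names)


if __name__ == "__main__":
    # Constructed sample: SAN carries an exact name and a wildcard.
    cert = ServerCert("www.example.com", ["www.example.com", "*.example.net"])
    print(hostname_matches_cert("api.example.net", cert))    # True
    print(hostname_matches_cert("a.b.example.net", cert))    # False: wildcard spans one label
    print(dn_condition_matches(["*.example.net"], "api.example.net", cert))  # True
```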