SSL Tap Overview
Skyhigh Security Web Gateway lets you forward decrypted HTTPS traffic to a TAP interface on the Web Gateway appliance. External systems such as DLP, IPS, and Advanced Threat Protection solutions can then inspect the traffic for monitoring and analysis.
You can configure more than one interface to send copies of the decrypted traffic to different monitoring devices.
NOTE: Follow the SSLTap Optimization Guidelines to maintain optimal network performance.

Web Gateway Configuration
Network Interface Configuration
In this example, the Web Gateway runs as an explicit proxy and listens on port 9090 on the internal network using interface eth0. You configure eth1 as a dedicated private TAP interface to receive decrypted HTTPS traffic.
To preserve the original client IP address in copied packets, you configure SSL TAP to retain the source IP. This allows NDLP Monitor to identify the traffic originator, and you do not need to assign an IP address to the TAP interface.
Configure the TAP Network Interface
- In the Web Gateway UI, go to Configuration > Appliances > Network Interfaces.
- Select eth1.
- Select the checkbox to enable the interface.
- Under IPv4 Settings, select Disable IPv4.
- If IPv6 is enabled on the appliance, repeat this step under the IPv6 tab.
SSL TAP Interface Configuration
The SSL TAP interface configuration defines where the Web Gateway copies decrypted packets. You can configure multiple interfaces if needed.
For each interface, configure the following settings:
- Client IP for IPv4 Traffic. Specifies the IPv4 address used as the client IP when sending copied packets. If you do not specify a value, the Web Gateway uses the original client IP address from the HTTPS request.
- Client IP for IPv6 Traffic. Specifies the IPv6 address used as the client IP when sending copied packets. If you do not specify a value, the Web Gateway uses the original client IP address.
- Client MAC. Specifies the MAC address used when sending copied packets. If you do not specify a value, the Web Gateway uses the MAC address of the SSL TAP interface.
In this example, SSL TAP preserves the original client IP address so NDLP Monitor can accurately identify the traffic originator.
Configure the SSL TAP Interface
In the Web Gateway UI, navigate to Configuration > Appliances > SSL Tap, enable the SSL Tap functionality, and add the eth1 interface, leaving the Client IP and MAC address fields blank.

In a Web Gateway cluster, this should be repeated on each Web Gateway appliance.
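Once eth1 is sending copies, the sensor side can confirm that the configuration above is doing what it promises. The following script is an added example written for this page, not part of Skyhigh's documentation or product: it parses raw Ethernet/IPv4/TCP frames as a monitoring device attached to the TAP interface would capture them, and checks that the source address is a client address (the Client IP field was left blank, so the original client IP is retained) and that the TCP payload is cleartext HTTP rather than a TLS record. The frames, the client network 10.0.0.0/8 and the TAP MAC address are constructed for the example.

```python
"""Monitor-side check of SSL TAP copies (added example; constructed frames, not Skyhigh code)."""
import ipaddress
import struct

# Request-line prefixes that mark a decrypted (cleartext) HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

# Assumptions for this example: internal clients sit in 10.0.0.0/8, and eth1 on the
# Web Gateway has this (constructed) MAC address, used when Client MAC is left blank.
CLIENT_NETWORKS = ["10.0.0.0/8"]
TAP_MAC = bytes.fromhex("0050569a0001")


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II / IPv4 / TCP frame into addressing fields and the TCP payload."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    data_offset = (tcp[12] >> 4) * 4    # TCP header length in bytes
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "src_port": struct.unpack("!H", tcp[0:2])[0],
        "dst_port": struct.unpack("!H", tcp[2:4])[0],
        "payload": tcp[data_offset:],
    }


def check_tap_copy(frame: bytes, client_networks=CLIENT_NETWORKS) -> dict:
    """Add two verdicts: was the client source IP retained, and is the payload decrypted HTTP?"""
    pkt = parse_frame(frame)
    src = ipaddress.ip_address(pkt["src_ip"])
    pkt["source_preserved"] = any(src in ipaddress.ip_network(n) for n in client_networks)
    pkt["plaintext_http"] = pkt["payload"].startswith(HTTP_METHODS)
    # 0x16 0x03 is a TLS handshake record header: this copy was not decrypted.
    pkt["looks_like_tls"] = pkt["payload"][:2] == b"\x16\x03"
    return pkt


def build_frame(src_mac: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums zeroed; enough for an offline parse)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + src_mac + b"\x08\x00"   # dst MAC: the sensor (constructed)
    return eth + ip + tcp


# Constructed copies as a sensor on eth1 might see them.
SAMPLE_FRAMES = {
    # Expected good copy: client source retained, request already decrypted.
    "decrypted_request": build_frame(TAP_MAC, "10.1.2.3", "203.0.113.10", 52000, 443,
                                     b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    # A fixed Client IP was configured, so the sensor can no longer see who sent the request.
    "rewritten_client_ip": build_frame(TAP_MAC, "192.0.2.99", "203.0.113.10", 52001, 443,
                                       b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # Flow that content inspection did not decrypt: the copy is still a TLS record.
    "still_tls": build_frame(TAP_MAC, "10.1.2.4", "203.0.113.11", 52002, 443,
                             b"\x16\x03\x03\x00\x2a" + b"\x01" * 42),
}


def audit(frames=SAMPLE_FRAMES, client_networks=CLIENT_NETWORKS) -> dict:
    """Return the verdict for each frame; with a real capture, pass in frames read from a pcap."""
    return {name: check_tap_copy(f, client_networks) for name, f in frames.items()}


if __name__ == "__main__":
    for name, r in audit().items():
        print(f"{name:20} src={r['src_ip']:12} preserved={r['source_preserved']} "
              f"plaintext={r['plaintext_http']} tls={r['looks_like_tls']}")
```

With a real capture, replace SAMPLE_FRAMES with frames read from a pcap taken on the sensor's interface. A copy whose source address is not a client address means a Client IP value was configured on the SSL Tap interface, and a copy whose payload still begins with a TLS record header is a flow that content inspection did not decrypt, so the sensor is receiving ciphertext for it.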
Enable the SSL TAP Event
After you configure the SSL TAP interface, enable packet copying by adding the Enable SSL Tap event to a rule.
Using this event in a rule lets you control exactly which requests and responses the Web Gateway copies to the SSL TAP interface. For example, you can scope traffic based on URL destination, URL category, or specific user groups.
In this example, SSL TAP applies to all SSL traffic.
Enable SSL TAP in a Rule
- In the Web Gateway UI, go to Policy > Rule Sets > SSL Scanner.
- Open the Content Inspection ruleset.
- Add the Enable SSL Tap event to the Enable Content Inspection rule.
- Save the changes.

NOTE: SSL content inspection is required to use SSL TAP functionality.
SSLTap Optimization Guidelines
SSLTap is a resource-intensive feature. To maintain optimal network performance, it is crucial to limit its application by carefully defining and adjusting the associated rules. We recommend applying it only to a specific subset of Web Gateway traffic that has already undergone initial filtering and been cleared of any immediate block rules.
Best Practices for Optimization
- Target Specific Traffic. Apply SSLTap only to traffic streams that genuinely require detailed, in-depth inspection. Avoid using it as a generic rule for all network traffic.
- Bypass Trusted Destinations. Exclude known, trusted traffic (e.g., Office 365) from SSLTap inspection. This exclusion significantly reduces network latency, memory usage, and overall overhead.
- Optimize Rule Placement. Position SSLTap rules after core security functions like threat detection (GAM/GTI) and all other blocking rules. Traffic that is blocked early in the process never leaves the network and therefore does not require resource-heavy analysis such as NDLP.
- Directional Activation for DLP. If the primary security objective is preventing data exfiltration (DLP), configure SSLTap to inspect traffic exclusively during the Request cycle.
- Exclude Internal Traffic. Do not apply SSLTap to trusted intranet traffic that remains strictly within the corporate perimeter.
- Review the Knowledge Base. Check the knowledge base to ensure all optimization steps and advanced configurations are fully implemented. For assistance, contact Skyhigh Support.
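The guidelines above come down to where the Enable SSL Tap event sits in the policy and in which cycle it fires. The following simulation is an added example, not Skyhigh code and not a model of the Web Gateway's actual rule engine: it walks a simplified top-down policy over constructed traffic and counts how many transactions reach the tap event when the event is placed first and fires in both cycles, versus when it is placed after the blocking and bypass rules and fires only in the request cycle. Rule names, category labels, hostnames and the trusted-destination check are all constructed for the example.

```python
"""Rule-order simulation for the SSL TAP event (added example; simplified engine, not Skyhigh code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Transaction:
    host: str
    category: str           # constructed URL-category label
    cycle: str              # "request" or "response"
    internal: bool = False  # True for traffic that stays inside the corporate perimeter


@dataclass
class Rule:
    name: str
    matches: Callable[[Transaction], bool]
    action: str                                   # "block" | "bypass_tap" | "enable_tap"
    cycles: Tuple[str, ...] = ("request", "response")


def evaluate(policy: List[Rule], tx: Transaction) -> dict:
    """Walk the rules top-down (simplified model): block and bypass end processing, while the
    Enable SSL Tap event marks the transaction for copying and lets processing continue."""
    tapped = False
    for rule in policy:
        if tx.cycle not in rule.cycles or not rule.matches(tx):
            continue
        if rule.action == "block":
            return {"blocked": True, "tapped": tapped, "stopped_by": rule.name}
        if rule.action == "bypass_tap":
            return {"blocked": False, "tapped": tapped, "stopped_by": rule.name}
        if rule.action == "enable_tap":
            tapped = True
    return {"blocked": False, "tapped": tapped, "stopped_by": None}


# Constructed rules. The trusted-destination check stands in for whatever list of
# trusted endpoints (for example Office 365) the deployment maintains.
BLOCK_MALICIOUS = Rule("Block malicious (GAM/GTI)",
                       lambda t: t.category == "Malicious Sites", "block")
SKIP_TRUSTED = Rule("Skip TAP for trusted SaaS",
                    lambda t: t.host.endswith("office365.example.test"), "bypass_tap")
SKIP_INTRANET = Rule("Skip TAP for intranet", lambda t: t.internal, "bypass_tap")
TAP_EVERYTHING = Rule("Enable SSL Tap", lambda t: True, "enable_tap")
TAP_REQUESTS = Rule("Enable SSL Tap (request cycle only)", lambda t: True, "enable_tap",
                    cycles=("request",))

# Tap event first and in both cycles, versus after blocking/bypass rules and request-only.
NAIVE_POLICY = [TAP_EVERYTHING, BLOCK_MALICIOUS, SKIP_TRUSTED, SKIP_INTRANET]
OPTIMIZED_POLICY = [BLOCK_MALICIOUS, SKIP_TRUSTED, SKIP_INTRANET, TAP_REQUESTS]

# Constructed traffic sample: request/response pairs, plus one request that gets blocked.
SAMPLE_TRAFFIC = [
    Transaction("outlook.office365.example.test", "Business", "request"),
    Transaction("outlook.office365.example.test", "Business", "response"),
    Transaction("wiki.corp.example.test", "Internal", "request", internal=True),
    Transaction("wiki.corp.example.test", "Internal", "response", internal=True),
    Transaction("files.example.test", "File Sharing", "request"),
    Transaction("files.example.test", "File Sharing", "response"),
    Transaction("evil.example.test", "Malicious Sites", "request"),
]


def tapped_count(policy: List[Rule], traffic=SAMPLE_TRAFFIC) -> int:
    """Number of transactions whose packets would be copied to the TAP interface."""
    return sum(1 for tx in traffic if evaluate(policy, tx)["tapped"])


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE_POLICY), ("optimized", OPTIMIZED_POLICY)):
        print(f"{label:10} tapped {tapped_count(policy)} of {len(SAMPLE_TRAFFIC)} transactions")
```

In the naive ordering every transaction is copied, including the request that is blocked moments later and the responses that a DLP-only deployment does not need. Moving the event below the block and bypass rules and restricting it to the request cycle leaves only the outbound upload to the untrusted file-sharing host, which is the traffic the guidelines say should reach the sensor.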
