SSL Tap Settings
The SSL Tap settings configure the interfaces on Web Gateway that connect to monitoring devices, so that tapped SSL traffic can be sent to those devices in decrypted form.
SSL Tap
Settings for SSL tapping interfaces
Table A-52 SSL Tap
| Option | Definition |
|---|---|
| Enable interfaces for SSL Tap | When selected, tapped SSL traffic can be sent in decrypted format to monitoring devices through interfaces configured here. |
| List of interfaces | Provides a list of interfaces for connecting to a monitoring device. |
Table A-53 List of interfaces – List entry
| Option | Definition |
|---|---|
| Network interface | Specifies the interface on Web Gateway that is used for connecting to a monitoring device. |
| Client IP for IPv4 traffic | Provides the IP address of the client that is used when the tapped SSL traffic is sent under IPv4. Providing this address is optional. The default address is that of the client currently in use. |
| Client IP for IPv6 traffic | Provides the IP address of the client that is used when the tapped SSL traffic is sent under IPv6. Providing this address is optional. The default address is that of the client currently in use. |
| Client MAC | Provides the MAC address of the client that is used when the tapped SSL traffic is sent. Providing this address is optional. The default address is the MAC address of the Web Gateway appliance. |
| Destination MAC address | Provides the MAC address of the destination that the tapped SSL data packets are sent to. |
| Comment | Provides a plain-text comment on an interface. |
Advanced settings
Advanced settings for connections used for sending SSL tapped traffic
Table A-54 Advanced settings
| Option | Definition |
|---|---|
| Maximum SSL Tap queue size per connection | Limits the size of the queue of SSL tapped traffic on each connection involved to the specified value (in MB). Default limit: 10240 MB |
NOTE: SSL Tap is officially supported on appliances, virtual machines, and AWS instances.
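The tables above describe a list entry per interface plus the queue limit. As an added example (not Web Gateway code), the following Python models one such entry with the same field names and checks it before it is entered in the UI: the destination MAC is required and must be well-formed, client IP and client MAC are optional, and the queue size must be positive. The structured form of the entry and the extra check that the destination MAC is not a broadcast/multicast address (which would deliver decrypted frames to every host on the segment) are assumptions of this example.

```python
"""Sanity checks for an SSL Tap interface entry (added example, not Web Gateway
code; the structured form of an entry and the group-bit check are assumptions)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_QUEUE_MB = 10240  # default "Maximum SSL Tap queue size per connection"
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(mac: str) -> str:
    # Return the MAC as lowercase colon-separated octets; raise if malformed.
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return mac.lower().replace("-", ":")

@dataclass
class TapInterface:
    network_interface: str              # appliance interface facing the monitor
    destination_mac: str                # required: the monitoring device
    client_ipv4: Optional[str] = None   # optional; default is the real client IP
    client_ipv6: Optional[str] = None
    client_mac: Optional[str] = None    # optional; default is the appliance MAC
    comment: str = ""
    max_queue_mb: int = DEFAULT_QUEUE_MB

def check_interface(entry: TapInterface) -> List[str]:
    # Return the problems found; an empty list means the entry is usable.
    problems: List[str] = []
    for label, mac in (("destination MAC", entry.destination_mac),
                       ("client MAC", entry.client_mac)):
        if mac is None:          # client MAC is optional
            continue
        try:
            norm = normalize_mac(mac)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        # Group bit set: decrypted frames reach every host on the segment.
        if label == "destination MAC" and int(norm[:2], 16) & 1:
            problems.append("destination MAC is a broadcast/multicast address")
    for label, value, ver in (("IPv4", entry.client_ipv4, 4), ("IPv6", entry.client_ipv6, 6)):
        if value is None:        # optional; Web Gateway uses the real client IP
            continue
        try:
            if ipaddress.ip_address(value).version != ver:
                problems.append(f"client IP for {label} traffic is not an {label} address")
        except ValueError:
            problems.append(f"client IP for {label} traffic is malformed: {value!r}")
    if entry.max_queue_mb <= 0:
        problems.append("maximum queue size must be a positive number of MB")
    return problems
```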
Configure SSL TAP Support for HTTP/2
SSL TAP supports HTTP/1.1 and HTTP/2 traffic tapping by default on SWG versions 11.2 and later. When you enable only the SSL Tap event, the Web Gateway preserves HTTP/2 traffic without requiring a Proxy Control event.
If you need to explicitly control protocol behavior or downgrade traffic to HTTP/1.1, configure the Proxy Control event.
IMPORTANT: To ensure custom protocol settings take effect, place the rule that contains the Proxy Control event before the rule that contains the SSL Tap event.
Configure HTTP Protocol Behavior
Use the Proxy Control event to change the default HTTP behavior, such as downgrading traffic to HTTP/1.1.
- Create or edit a rule and add the Proxy Control event.
- In the event settings, scroll to the HTTP2 section.
- Select Override HTTP2 support.
- Configure protocol behavior:
  - To keep HTTP/2: Set Support HTTP2 to Yes and Support tapping for HTTP2 to Yes.
  - To downgrade to HTTP/1.1: Set Support HTTP2 to No.
- Click Save Changes.
