kltam
Staff
July 14, 2020

Technical Tip: Firewall policy-SSL/SSH inspection profile with SSLVPN web mode-only user group

Description
This article describes the behavior of the SSL/SSH inspection profile in a firewall policy whose user group is an SSLVPN web-mode-only group.
The SSL/SSH inspection profile can be configured in the GUI and CLI; however, the setting is hidden from the '# show firewall policy' output and from the backup configuration file.


Solution
By default, when 'SSLVPN-group' is mapped to a portal with 'web-access' only and is used in the SSLVPN firewall policy, the ssl-ssh-profile option is hidden from the '# show firewall policy' output and from the backup configuration file.
# config firewall policy
    edit 1
        set name "SSLVPN access"
        set uuid e822f7d6-b9b7-51ea-3ec4-b5c96d6a9773
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable                <----- 'ssl-ssh-profile' missing from show config.
        set av-profile "default"
        set ips-sensor "default"
        set groups "SSLVPN-group"
    next
end
This behavior eventually leads to a second issue: after a unit reboot or a restore of the backup configuration file, the error below is displayed in the GUI:

This behavior does not affect the other UTM profiles configured in the same firewall policy, because according to R&D the 'ssl-ssh-inspection' profile has no function on an SSLVPN web-mode policy.
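Because the ssl-ssh-profile line is absent from the backup, an administrator may want to know in advance which UTM-enabled policies a backup will restore without it. The following is an added example, not part of this article or of FortiOS, that parses the 'config firewall policy' section of a backup file and lists those policies; the sample configuration is constructed for the example and the 'LAN to WAN' policy and its profile name are assumptions.

```python
from typing import Dict, List

# Constructed FortiOS backup fragment: policy 1 mirrors the article's web-mode
# SSLVPN policy (no 'set ssl-ssh-profile' line); policy 2 is a regular UTM policy.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "SSLVPN access"
        set srcintf "ssl.root"
        set utm-status enable
        set av-profile "default"
        set groups "SSLVPN-group"
    next
    edit 2
        set name "LAN to WAN"
        set srcintf "port1"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
    next
end
"""

def parse_firewall_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Map policy id -> {setting: value} for the 'config firewall policy' block."""
    policies: Dict[str, Dict[str, str]] = {}
    in_section, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":          # end of the firewall policy section
            break
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip('"')
    return policies

def utm_policies_without_ssl_profile(text: str) -> List[str]:
    """Ids of policies with UTM enabled whose backup carries no ssl-ssh-profile."""
    return [pid for pid, attrs in parse_firewall_policies(text).items()
            if attrs.get("utm-status") == "enable" and "ssl-ssh-profile" not in attrs]
```

For the sample above, `utm_policies_without_ssl_profile(SAMPLE_CONFIG)` returns `["1"]`, the web-mode SSLVPN policy; as the article notes, that is expected behavior rather than a lost setting.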