Managing Zenarmor TLS Inspection on OPNsense
Implementing Transport Layer Security (TLS) decryption and inspection may significantly enhance your security measures, yet it is not simply a matter of decrypting all data. Certain portions of TLS traffic may be subject to legal protections on the confidentiality of communications, and decrypting and examining such communication may be unlawful in some jurisdictions. Depending on the sector you work in, the geographical area you operate in, and the legal requirements you must adhere to, you may encounter some types of data traffic that must not be decrypted, such as sensitive medical or financial information.
Therefore, it may be unnecessary to examine the TLS traffic for certain websites and apps. To ensure the privacy of these sorts of connections, it is necessary to set up filters and regulations for TLS inspection configuration.
Zenarmor enables you to selectively designate websites and applications whose traffic will not be inspected on your firewall at a global level.
Figure 1. TLS Inspection Settings
You can easily manage the Zenarmor TLS Inspection feature by performing the following tasks explained in this guide:
- Managing Certificate Authority to Enforce
- Managing TLS Inspection Bypassed Sites
- Managing TLS Inspection Bypassed Applications
Managing Certificate Authority to Enforce
You can view and manage the Certificate Authority enforced for TLS inspection on the TLS Inspection settings page by navigating to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
To change the CA certificate used for inspecting the TLS traffic, click on the Manage button next to the certificate in the TLS Inspection pane. This will redirect you to the Certificate Authority page where you can generate or import a new certificate.
Figure 2. Viewing/Changing CA for TLS Inspection
Managing TLS Inspection Bypassed Sites
Zenarmor allows you to manage bypassed / certificate-pinned websites that need to be excluded from TLS inspection.
Figure 3. TLS Inspection Bypassed Sites
Zenarmor highly advises performing full TLS inspection for all your internet traffic and implementing a bypass only in well-managed, well-understood exceptional cases. TLS traffic should be excluded from inspection only under specific conditions. Bypasses are usually relevant only for the specialized purposes listed below:
- Healthcare destinations
- Banking and financial destinations
- Business operations that need the use of certificate-pinned websites or apps
- Business operations that need the use of traffic that cannot be decrypted
- Applications, such as certain components of Office 365, that encounter problems during inspection
Excluding a Website from TLS Inspection
There are more than 80 predefined websites that are fetched from the Zenarmor signature database and excluded from the TLS inspection by default. These predefined websites are displayed with a DB storage icon in the TLS Inspection Bypassed Sites pane.
Users may also manually define a specific domain to exclude its TLS traffic from being inspected. These user-defined websites are displayed with a user icon in the TLS Inspection Bypassed Sites pane.
You may follow the next steps to exclude a website from TLS inspection:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Type the domain name of the website.
- You may leave the Inspection Status option as default Do not Inspect.
- Click the Add button. This will automatically add the domain to your TLS inspection bypassed websites list. From now on, network packets belonging to the website(s) under this domain will not be inspected by Zenarmor.
Domains match all subdomains. There is no need to use an asterisk: Zenarmor matches all subdomains and fully qualified domain names under the domain. If you would like anything under domain.com (sub.domain.com, host.sub.domain.com) to be bypassed or inspected, just add domain.com and Zenarmor matches all of them.
The best practices for excluding a website from TLS inspection are given below:
- Do not include major domains that allow any user to create their own file storage subdomain in the list of TLS inspection bypassed sites. The following domains ought not to be granted exemptions from TLS inspection:
  - .cloudfront.net
  - (.s3).amazonaws.com
  - (.blob.core).windows.net
  Not inspecting these domains means that no inspection takes place for any AWS S3 or Azure Blob storage account, so they should not be exempted without careful thought.
- Instead of using base domain names when adding domains, use the most specific ones (for example, add corp.example.com and eng.example.com instead of example.com).
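The matching rule above (an entry covers itself and every name under it, with no asterisk) and the best-practice advice about overly broad entries can both be checked offline. The following is an added example written for this guide, not Zenarmor's own code: a small model of a bypass list matcher plus an audit that flags entries which would exempt an entire shared-hosting domain. The exact matching rules inside Zenarmor are an assumption here; the example assumes matching on DNS label boundaries (so notdomain.com is not covered by domain.com) and that the most specific entry wins when several cover one host. The sample list is constructed for illustration.

```python
# Added example (not Zenarmor's code): a model of how a list of bypassed
# domains is matched against the hostname of a connection, following the
# guide's rule that domain.com also covers sub.domain.com and
# host.sub.domain.com without an asterisk. Matching on label boundaries and
# "most specific entry wins" are assumptions made for this example.

from typing import Iterable, Optional

# Shared-hosting parent domains the guide says must not be bypassed as a
# whole, because doing so exempts every S3 bucket, blob account or CDN
# distribution at once.
OVERLY_BROAD_DOMAINS = (
    "cloudfront.net",
    "amazonaws.com",
    "s3.amazonaws.com",
    "windows.net",
    "core.windows.net",
    "blob.core.windows.net",
)


def normalize(name: str) -> str:
    """Lower-case a hostname and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The check is done on a DNS label boundary: 'notdomain.com' is not
    under 'domain.com', but 'host.sub.domain.com' is.
    """
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def bypass_match(host: str, bypass_list: Iterable[str]) -> Optional[str]:
    """Return the most specific bypass entry covering host, or None."""
    covering = [normalize(d) for d in bypass_list if is_under(host, d)]
    if not covering:
        return None
    # More labels means more specific: eng.example.com beats example.com.
    return max(covering, key=lambda d: d.count("."))


def audit_bypass_list(bypass_list: Iterable[str]) -> list:
    """Flag entries that exempt a whole shared-hosting domain (best-practice check).

    An entry is flagged when it covers one of OVERLY_BROAD_DOMAINS entirely,
    e.g. 'amazonaws.com' or 'cloudfront.net'. A specific bucket such as
    'mybucket.s3.amazonaws.com' is not flagged.
    """
    warnings = []
    for entry in bypass_list:
        for broad in OVERLY_BROAD_DOMAINS:
            if is_under(broad, entry):  # entry covers the whole shared domain
                warnings.append(f"{normalize(entry)} exempts all of {broad}")
                break
    return warnings


if __name__ == "__main__":
    # Constructed sample bypass list, for illustration only.
    sample = ["domain.com", "eng.example.com", "mybucket.s3.amazonaws.com", "cloudfront.net"]
    for h in ("sub.domain.com", "host.sub.domain.com", "notdomain.com", "ci.eng.example.com"):
        print(f"{h:24} -> {bypass_match(h, sample)}")
    for w in audit_bypass_list(sample):
        print("WARNING:", w)
```

Running the block prints which entry (if any) covers each sample host and warns that the cloudfront.net entry exempts the whole CDN domain, while the specific bucket name passes the audit.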
Removing a Website from TLS Inspection Bypassed Sites
To remove a domain from the TLS inspection bypassed websites list and start to inspect the traffic belonging to the website(s) under this domain, you may follow the next steps:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Click the Remove button next to the domain in the list. A dialog box will be displayed to confirm the removal of the domain.
- Click Remove to confirm the deletion of the domain.
Changing Status of TLS Inspection Bypassed Sites
In some cases, you may need to inspect the websites that are excluded from the TLS inspection in the Zenarmor signature database. To change the inspection status of the TLS inspection bypassed websites, you may follow the next steps:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Click the Status toggle next to the domain in the list. This will automatically enable or disable inspection for the TLS traffic belonging to the websites under the domain.
Figure 4. Changing Status of TLS Inspection Bypassed Sites
Managing TLS Inspection Bypassed Applications
Some applications, especially most mobile apps, use certificate pinning, which means that they trust only certain server certificates and reject any other certificate as unauthorized. Certificate pinning effectively mitigates Man-in-the-Middle (MiTM) attacks, but it also prevents trusted MiTM entities such as an inspecting firewall from operating.
This approach is prevalent in iOS and Android apps, which makes those environments harder to manage. The encrypted traffic of these apps cannot be inspected, so you must bypass TLS inspection for the sites they use.
Because certificate problems result in a loss of access, the industry is phasing out the use of certificate pinning. Application vendors, including public certificate authorities (CAs), are transitioning to shorter lifetimes for their intermediate CAs. Developers who continue to use certificate pinning increase the cost of certificate upkeep and jeopardize users' ability to access their service.
Zenarmor allows you to manage bypassed / certificate-pinned applications that need to be excluded from TLS inspection.
If you encounter certificate pinning, either replace the application or find another way to handle its traffic. Bypass the traffic only if the application has significant value to the company and the risk of not inspecting its traffic is deemed acceptable.
Excluding an Application from TLS Inspection
You may follow the next steps to select an application that is excluded from TLS inspection:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click on the Select an application... drop-down menu.
- Find the application that will not be inspected by Zenarmor, either using the Search bar or by scrolling down.
- You may leave the Inspection Status option as default Do not Inspect.
- Click the Add button. This will automatically add the application to your certificate-pinned applications list. From now on, network packets belonging to this application will not be inspected by Zenarmor.
Figure 5. TLS Inspection Bypassed Applications
Removing an Application from TLS Inspection Bypassed Applications
To remove an application from the TLS inspection bypassed applications list and start to inspect the traffic belonging to this application, you may follow the next steps:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click the Remove button next to the application in the list. A dialog box will be displayed to confirm the removal of the application.
- Click Remove to confirm the deletion of the application.
Changing Status of TLS Inspection Bypassed Application
After adding an application to the TLS inspection bypassed application list, in some cases, you may temporarily need to inspect the application. To change the inspection status of the TLS inspection bypassed application, you may follow the next steps:
- Navigate to Zenarmor → Settings → TLS inspection on your OPNsense web UI.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click the Status toggle next to the application in the list. This will automatically enable or disable inspection for the application traffic.
Figure 6. Changing Status of TLS Inspection Bypassed Applications