View Only


This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  SRX HTTPS re-encryption

    Posted 05-10-2022 11:27
    Hello ,

    Is the attached design possible with the SRX, such that user HTTPS traffic can be inspected by the SRX and can also be decrypted for the Fireeye to inspect, and then another instance of SRX to re-encrypt the traffic

    Mohammad Rummaneh

  • 2.  RE: SRX HTTPS re-encryption

    Posted 05-11-2022 09:46

    Hi Mohammad,

     Please allow me to share my thoughts – I think the solution may be the following:

    • generating on each SRX its' certificate, signed by the same CA
    • then using (importing) as the Root CA certificate on each SRX SSL Proxy Profile
    • last step – apply the SSL Proxy Profile to a security policy (on each SRX)

    So, in my humble opinion your setup should be a valid one, IF (!) the functionality is already built on SRX-es; what I mean: you need to use the SSL Proxy feature as Client-Protection SSL Proxy, which means that the Certificate is presented to HTTPS clients by the first SRX following a match on specific traffic within security policy, decrypted and flows to FireEye device – this is clear. The only spot I am not sure about is the reverse process – on the second SRX, if that second one knows what to do with the traffic you intercept with the security policy and apply the SSL Proxy profile to it … (if it knows that it should encrypt that clear-text traffic and throw it to the destination).

    Therefore, I recommend you test the setup in JCL – use the BYO feature with two SRX-es – should not take long.

     Good luck !