Table of contents
Topics on this page

TLS inspection overview

The Network Security service offers in-line, real-time threat protection for all inbound TLS-encrypted IPv4 traffic that reaches your internal servers from beyond the network firewall. Your virtual appliance receives the encrypted flow, decrypts it, inspects it, encrypts it, and then sends it on to its destination.

If there is encrypted traffic that you want to protect for particular segments, enable TLS inspection as a global setting for a single managed virtual appliance. This way you can secure internet communications by providing privacy and data integrity between website servers and web browsers. Key exchange algorithms secure the connections for each session.

Users can integrate Network Security’s TLS capability with their existing infrastructure’s certificate management offerings, including Azure Key Vault, Amazon Certificate Manager (ACM) and Amazon Simple Storage Service (S3). For successful chain validation:

  • Azure certificates, which also contain the private key, can be in either PFX or PEM (PKCS8 only) format.
  • S3 certificates must include the web server's certificate chain in PEM (PKCS8 or PKCS1) format. The certificate chain starts with the web server certificate followed by one or more intermediate CA certificates, and ends with the root CA certificate.
  • ACM certificates must include the PEM-encoded web server's certificate in the certificate body field, and include the certificate chain (which includes a concatenated string of each PEM-encoded intermediate CA certificate and the root CA certificate) in the certificate chain field.
  • Both AWS ACM and Azure Key Vault require users to import the web server's certificate chain and private key. With Azure Key Vault, the virtual appliance can retrieve both certificates and private keys. But because private keys cannot be exported from AWS ACM, you must import those private keys manually to the virtual appliance, or use CloudHSM to get them. This is also true for private keys corresponding to AWS S3 certificates.
  • TLS inspection on Network Security now supports SNI on AWS, with up to 30 certificates per server. This can be enabled using the API. Appliance version number of 2023.4.0.12159 or higher is required. Learn more.

Note: For optimal security, remember to encrypt all your sensitive data and store them securely.


Based on your cloud platform provider, the Network Security service automatically provides the appropriate wizard to step you through the TLS configuration process.

For AWS platforms:

For Azure platforms: