The 2200T Threat Protection System (TPS) device offers the ability to perform SSL inspection by purchasing the relevant license. If the device is not licensed for SSL inspection, the SMS displays a notification. Once you install a license file that allows for SSL inspection, you must reboot the device for the change to take effect. When configuring the TPS device for SSL inspection, you have the ability to store the private keys either locally on the TPS or remotely on the SMS.
Persist Private Keys: Enabled / Disabled
Disabled: This option is recommended if you wish to keep keys in only one location. In this case the keys will only be persisted (stored) on the SMS. The TPS device will request the keys from the SMS when needed. If the SMS is not available, or the private key password has not been entered, then any SSL traffic will continue to pass through the box uninspected until the device retrieves the private keys.
Enabled: Private keys are stored on the device. This option does not require the SMS to be available or the private key password to be entered on the SMS in order for the SSL feature to be enabled.
Things to think about:
- If the “Persist Private Keys” option is disabled (keys are stored on the SMS) and the TPS device reboots, the device will lose the keys and will have to request them from the SMS.
- If the “Persist Private Keys” option is enabled (keys are stored on the device) and the option is then disabled, the keys will persist in memory until the device is rebooted. After the reboot, the device will not have the keys, so it will request them from the SMS. Until the device receives those keys it will not be able to decrypt SSL traffic.
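The two bullets above describe a fail-open window: whenever the device holds no keys, TLS flows pass through uninspected. The following is an added example, not TPS or SMS code, that models that key-availability state machine so the gap can be reasoned about before changing the option. The class and method names (Sms, Tps, run_scenario), the placeholder key material and the sample hostname are all constructed for the example; it assumes that a device with the option enabled reloads its disk copy after reboot without contacting the SMS, and that one with the option disabled re-requests keys from the SMS on reboot, as the article states.

```python
# Added example, not TPS/SMS code: a constructed model of the behaviour described above.
from dataclasses import dataclass, field


@dataclass
class Sms:
    """The SMS holds the master copy of the private keys."""
    reachable: bool = True
    key_password_entered: bool = True
    # Constructed sample entry; real key material never appears here.
    keys: dict = field(default_factory=lambda: {"www.example.test": "<placeholder-rsa-key>"})

    def serve_keys(self):
        """Hand keys down only if the SMS is reachable and its key password was entered."""
        if self.reachable and self.key_password_entered:
            return dict(self.keys)
        return None


@dataclass
class Tps:
    """Device state: keys in memory (lost on reboot) and keys on disk (kept across reboot)."""
    persist_private_keys: bool
    in_memory_keys: dict = field(default_factory=dict)
    on_disk_keys: dict = field(default_factory=dict)

    def fetch_keys(self, sms):
        """Request keys from the SMS; keep a disk copy only when the option is enabled."""
        keys = sms.serve_keys()
        if keys is None:
            return False
        self.in_memory_keys = keys
        if self.persist_private_keys:
            self.on_disk_keys = dict(keys)
        return True

    def set_persist_private_keys(self, enabled):
        """Toggle the option. Disabling removes the disk copy but leaves memory untouched."""
        self.persist_private_keys = enabled
        self.on_disk_keys = dict(self.in_memory_keys) if enabled else {}

    def reboot(self, sms):
        """Memory is cleared; reload from disk if present, otherwise ask the SMS."""
        self.in_memory_keys = dict(self.on_disk_keys)
        if not self.in_memory_keys:
            self.fetch_keys(sms)

    def handle_tls_flow(self, server_name):
        """A flow is decrypted only when its key is loaded; otherwise it passes through."""
        return "inspected" if server_name in self.in_memory_keys else "passed-uninspected"


def run_scenario(persist, sms_reachable_at_reboot, disable_before_reboot=False):
    """Replay: initial key load, optional option change, reboot; record a TLS flow at each step."""
    sms = Sms()
    tps = Tps(persist_private_keys=persist)
    host = "www.example.test"  # constructed sample hostname
    tps.fetch_keys(sms)
    result = {"after_load": tps.handle_tls_flow(host)}
    if disable_before_reboot:
        tps.set_persist_private_keys(False)
        result["after_disable"] = tps.handle_tls_flow(host)
    sms.reachable = sms_reachable_at_reboot
    tps.reboot(sms)
    result["after_reboot"] = tps.handle_tls_flow(host)
    return result


if __name__ == "__main__":
    # Option disabled and SMS down at reboot: traffic passes uninspected.
    print(run_scenario(persist=False, sms_reachable_at_reboot=False))
    # Option enabled: the device keeps inspecting even with the SMS down.
    print(run_scenario(persist=True, sms_reachable_at_reboot=False))
    # Enabled, then disabled without a reboot: fine until the reboot, then the gap appears.
    print(run_scenario(persist=True, sms_reachable_at_reboot=False, disable_before_reboot=True))
```

The third scenario is the one worth checking in a change window: turning the option off looks harmless because the keys stay in memory, and the inspection gap only shows up at the next reboot if the SMS is unreachable or its key password has not been entered.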