TLS inspection-Cloud Firewall(Cloud Firewall)-阿里云帮助中心

Advanced attacks hidden in encrypted traffic, such as HTTPS, are difficult to detect because the traffic cannot be decrypted. The TLS inspection feature of Cloud Firewall protects outbound encrypted traffic by replacing the original TLS certificate with a private root CA. This process decrypts the traffic, allowing the IPS engine to inspect it for threats, and then re-encrypts the traffic to ensure secure communication.

Note

The TLS inspection feature is in public preview and may change before general availability. For questions or feedback, contact your account manager.

Why you need TLS inspection

Encryption protocols like HTTPS convert request payloads into ciphertext, creating a security blind spot for the Cloud Firewall IPS engine. TLS inspection allows you to configure policies that replace the original TLS certificate with a private one between the client and the firewall. This decrypts the traffic, enabling the IPS engine to perform deep analysis on the plaintext to detect advanced attacks and data exfiltration.

Risks and blind spots in encrypted traffic

Risk 1: Advanced attacks and data exfiltration evade IPS detection
Attackers often use HTTPS tunnels to deliver malicious payloads, exfiltrate stolen data, or establish C2 communications. Because the traffic is encrypted, the IPS engine cannot parse the content to identify attack signatures or sensitive data leaks. TLS inspection provides plaintext traffic, allowing the IPS engine to detect and block threats within encrypted channels.

Risk 2: Web filtering cannot enforce path-level controls on HTTPS traffic
Web filtering relies on matching hostnames and paths in HTTP requests, such as example.com/upload/*. With encrypted HTTPS traffic, the firewall can only obtain the domain name from the Server Name Indication (SNI) field and cannot extract the URL path. This renders fine-grained policies, such as "allow browsing, deny uploads," ineffective. TLS inspection allows web filtering rules to fully match paths in HTTPS traffic for granular control.

Risk 3: Application identification accuracy is reduced for encrypted traffic, limiting control granularity
application control uses deep packet inspection (DPI) to identify applications from payload data. With encrypted traffic, DPI can only rely on handshake information like SNI and certificates, making it difficult to distinguish between different actions on the same domain, such as "browsing GitHub" versus "uploading a file to GitHub". TLS inspection provides complete traffic characteristics, allowing application control to accurately identify specific behaviors for fine-grained control.

Limitations

Billing method limitation: This feature is not available for Cloud Firewall instances that use the legacy pay-as-you-go 1.0 billing method.
Region limitation: This feature is available only in the following regions: China (Beijing), China (Shanghai), China (Hangzhou), and China (Zhangjiakou).
TLS protocol version limitation:
- Only TLS 1.0, 1.1, and 1.2 are supported.
- TLS 1.3 traffic without Encrypted Client Hello (ECH) is forwarded but is not decrypted or protected.
- TLS inspection is not supported for older SSL versions or TLS 1.3 with ECH enabled. This will cause traffic interruptions.
Protocol type limitation: Non-TCP requests, such as QUIC traffic that uses UDP, are forwarded but not inspected.
Network diagnostics impact: After you enable TLS inspection, TCP MTR (My Traceroute) cannot trace the path to the origin server.
Authentication mode limitation: This feature does not support mutual TLS (mTLS). It supports only standard TLS, where the client validates the server certificate.
SNI requirement: The TLS Server Name Indication (SNI) must match the domain name in the configured certificate for TLS inspection to take effect.

Procedure

Log on to the Cloud Firewall console. In the left navigation bar, select Prevention Configuration > TLS Inspection to go to the TLS Inspection page.

Step 1: Configure TLS inspection policy

On the TLS Inspection page, click Create TLS Inspection Policy. The Create TLS Inspection Policy panel appears on the right.

Associate Certificate.

Parameter	Description
Policy Name	Enter a descriptive name for the TLS inspection policy.
Associate TLS Certificate	Select an existing certificate. Note When you create your first policy, the certificate drop-down list includes the Apply for a Trial Certificate option. Click this option to automatically generate a test certificate and quickly test the TLS inspection feature. A trial certificate can be used only once. In a production environment, purchase and use your own certificate. Currently, only a PCA certificate is supported and must meet the following requirements: The certificate purpose must be set to "Internal enterprise use". Certificates that use the SM algorithm are not supported. If you use the RSA private key algorithm, the key length must be 2,048 bits or more. If you use the ECC private key algorithm, select P-256. If no certificates are available, click Buy Certificate to go to the Certificate Management Service console. When you purchase the certificate, make sure that the purpose of the PCA certificate is set to "Internal enterprise use". For more information about PCA certificates, see What is a PCA certificate?.
Certificate Validity	After you select a certificate, its validity period is displayed. A mandatory reminder is displayed when the validity period is less than one year. We recommend that you regularly check your certificates to ensure they have at least one year of validity remaining.
Description	Enter a description for the policy.

After you configure the parameters, click Next to go to the Configure Inspection Range step. Note that the policy is created and saved after this step is complete.

Configure Inspection Range.

Important

The total quota for all inspection scopes is 20,000.
The quota consumed by a TLS inspection policy is the sum of the quotas consumed by all inspection scopes in the policy.
The quota consumed by a single inspection scope is calculated by using the following formula: Number of source IP addresses × Number of source port ranges × Number of destination IP addresses × Number of destination port ranges.

Parameter	Description
Protocol Type	Currently, only the `TCP` protocol is supported.
Source IP Address	Select the IP addresses of the hosts whose outbound traffic you want to inspect. You can select up to 1,000 IP addresses. Note Supported asset types: `ECS EIP`, `ECS public IP`, `NAT EIP`, `EIP`, and `ENI EIP`.
Source Port	Specify the inspection ports for the selected assets in `start port/end port` format. The port number ranges from `0` to `65535`. Separate multiple port ranges with commas (,). You can add up to 100 port ranges. Note All ports are expressed in ranges, even for a single port. For example, `8080/8080` indicates that only port 8080 is inspected. To inspect all ports, enter `0/65535`.
Destination IP Address	The IP addresses of destination services that the source assets access. Note Enter IPv4 addresses or CIDR blocks in standard mask format, for example, `192.0.2.0/24,8.8.8.8/32`. You can enter up to 100 IP address objects. Separate multiple objects with commas (,). To specify all addresses, enter `0.0.0.0/0`.
Destination Port	The ports of destination services that the source assets access. The format is `start port/end port`. The port number ranges from `0` to `65535`. Separate multiple port ranges with commas (,). You can add up to 100 port ranges.
Description	Enter a description for the inspection scope.
Other operations	Save: Click the Save button below the Inspection Scope section to save the inspection scope without clicking Next. After the scope is saved, Saved is displayed in the upper-right corner of the section. Add: Click Add an inspection range to add another inspection scope. A policy supports up to 10 inspection scopes. Delete: Click the icon in the upper-right corner of the Inspection Scope section to delete the current inspection scope. After you confirm the deletion, the scope is immediately deleted. You do not need to click Next. Use this option with caution.

After you configure all parameters, click Next to complete the policy configuration.

Review the policy information.

After you configure the policy, its details and inspection scopes are displayed. The Policy ID is displayed in the logs.

Step 2: Install the TLS certificate

After you create a TLS inspection policy, install the associated certificate on the hosts in the inspection scope.

Important

If an inspected asset is a NAT EIP, you must install the certificate on all ECS instances that access the internet through that internet NAT gateway. Otherwise, traffic may be disrupted.

Download the certificate.

In the Configure TLS Inspection Policy list, find the policy that you created and click Download Certificate in the Actions column. Download the certificate to your local computer and decompress the file to obtain the certificate file (with a .crt extension).
Log on to the selected source host.

Log on to the host that you specified as the Source IP Address in the Inspection Scope. Then, upload the certificate to any directory on the host. For more information about how to upload a file to an ECS instance, see Methods for transferring files to an ECS instance.

Install the certificate.

Switch to the directory where you uploaded the certificate, copy the certificate to the trust directory of the operating system, and then run the update command. The steps vary based on the operating system:

Note

If a sub-CA certificate is associated with the TLS policy, you must install both the root CA and sub-CA certificates.
These examples apply only if the trust directory is the system's default. If your service uses a different trust directory, you must install the certificate to the actual trust store.

CentOS/Alibaba Cloud Linux/Anolis/Red Hat

Copy the certificate file: cp <certificate-file-name> /etc/pki/ca-trust/source/anchors/
Update the certificates: sudo update-ca-trust
View the updated certificate: cat /etc/ssl/certs/ca-bundle.crt

If the certificate content is displayed, the certificate is installed.
```
-----BEGIN CERTIFICATE-----
MIIEkjCCAxqgKqAwIBAgIQYAGXt0an6rS0mtZLL...
...
-----END CERTIFICATE-----
```

Ubuntu

Copy the certificate file: cp <certificate-file-name> /usr/local/share/ca-certificates/
Update the certificates: sudo update-ca-certificates
View the updated certificate: cat /etc/ssl/certs/ca-certificates.crt

If the certificate content is displayed, the certificate is installed.
```
-----BEGIN CERTIFICATE-----
MIIEkjCCAxqgKqAwIBAgIQYAGXt0an6rS0mtZLL...
...
-----END CERTIFICATE-----
```

Windows

Important

If you use a subordinate CA (intermediate CA), the native Certificate Manager in Windows does not install all CAs in a certificate chain file at once. It installs only the first CA in the file. In this scenario, you must manually split each CA content block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) into a separate file and then install each file.
To split the certificate, open the downloaded and unzipped certificate file in a text editor, cut the content block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, paste it into a new file, and rename the file to end with .crt.
```
-----BEGIN CERTIFICATE-----
MIIFzTCCA7WgAwIBAgISO2ZhVZgHz5lusW...
xxx
...
RQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFzTCCA7WgAwIBAgISO2ZhVZgHz5lusW...
xxx
...
RQ==
-----END CERTIFICATE-----
```
After splitting, you will have two separate certificate files, such as ca1.crt and ca2.crt.

Install the certificate: Right-click the certificate file, click Install Certificate, and then follow these steps:

1	2	3
In the Certificate Import Wizard, select Local Machine for Store Location, and then click Next.	Select Place all certificates in the following store, and then click Browse....	In the Select Certificate Store dialog box, select Trusted Root Certification Authorities, and then click OK.

Click Next to complete the certificate import.

View the imported certificate: Run certmgr.msc in Command Prompt to open the Certificate Manager.

In the Trusted Root Certification Authorities directory, check the Certificates list to verify that the Aliyun-root certificate is listed. This confirms that the certificate was imported successfully.

SUSE

Copy the certificate file: cp <certificate-file-name> /etc/pki/trust/anchors
Update the certificates: sudo c_rehash .

View the updated certificate: sudo trust list --filter=ca-anchors |grep -C 2 <certificate-CN>

If the certificate information is displayed, the certificate is installed successfully.

pkcs11:id=xxx ;type=cert
    type: certificate
    label: Aliyun-sub RSA_2048
    trust: anchor
    category: authority

pkcs11:id=xxx ;type=cert
    type: certificate
    label: Aliyun-root RSA_2048
    trust: anchor
    category: authority

Fedora and Fedora CoreOS

Copy the certificate file: sudo cp <certificate-file-name> /etc/pki/ca-trust/source/anchors/
Update the certificates: sudo update-ca-trust extract
View the updated certificate: sudo trust list --filter=ca-anchors |grep -C 2 <certificate-CN>

If the certificate information is displayed, the certificate is installed successfully.
```
pkcs11:id=xxx ;type=cert
    type: certificate
    label: Aliyun-root
    trust: anchor
    category: authority
```

ACK

When outbound traffic originates from a Pod in an Alibaba Cloud ACK cluster, you must install the PCA certificate inside the Pod because the container environment is isolated from the host. If a node also initiates HTTPS requests, such as pulling public images, you must also install the certificate on the node.

Note

The following steps apply to the Alibaba Cloud Linux 3.2104 LTS 64-bit container-optimized operating system and are for reference only. You must adjust the commands based on your operating system and business requirements.
Some of the following commands restart resources. To avoid business interruptions, we recommend that you perform these operations during off-peak hours.

Install certificate on nodes

Log on to each node and run the following commands.

Copy the certificate file: cp <certificate-file-name> /etc/pki/ca-trust/source/anchors/
Update the certificates: sudo update-ca-trust
View the updated certificate:cat /etc/ssl/certs/ca-bundle.crt

If the certificate content is displayed, the certificate is installed.
Restart the container service for the changes to take effect: sudo systemctl restart containerd.

Install certificate in pods

Create a Secret on the console of the target cluster. The following shows an example configuration. The key value is the content of the certificate file. For more information about how to create a Secret, see Manage Secrets. Select Opaque for Type. Alternatively, you can run the following kubectl command to create a Secret. Replace ca_chain.crt in the command with the actual certificate filename.
```
kubectl create secret generic cfw-pca-cert \
  --from-file=ca_chain.crt=./ca_chain.crt \
  -n default
```

The following example shows how to add the content to the YAML file of a Deployment:

Go to the spec.template.spec.containers field and add the following content to mount the certificate and update the trust store. secretName is the name of the Secret that you created in the preceding step: cfw-pca-cert.
```
volumes:
        - name: custom-ca-volume
          secret:
            secretName: cfw-pca-cert   
volumeMounts:
        - name: custom-ca-volume
          mountPath: /etc/ssl/custom
          readOnly: true  
```

Continue to add the startup command under the spec.template.spec.containers field.

Note

The following example is based on the CentOS container system and is for reference only. You must adjust the commands based on your operating system and business requirements.

command:
          - "/bin/sh"
          - "-c"
          - |
            # 1. Install curl.
            echo "Installing curl......"
            yum install -y curl

            # 2. Verify that the certificate is mounted. Replace ca_chain.crt with the actual certificate filename.
            if [ ! -f /etc/ssl/custom/ca_chain.crt ]; then
              echo "ERROR: Certificate file not found!"
              exit 1
            fi

            # 3. Inject the certificate based on the steps for CentOS.
            echo "Copying certificate to anchors directory..."
            cp /etc/ssl/custom/ca_chain.crt /etc/pki/ca-trust/source/anchors/

            echo "Updating CA trust store..."
            update-ca-trust        

            # 4. Keep the Pod running.
            echo "Pod ready for manual testing. Use 'kubectl exec' to test further."
            sleep infinity

Browser trust store

Some browsers such as Firefox do not use the CA trust store of the system. Instead, they maintain their own certificate trust databases. Even if you update the system certificate by running the update-ca-certificates command, the browser may still report that the certificate is untrusted. In this case, you can follow these steps to import the certificate into the browser's trust database.

Note

The operations to import a certificate into these browsers are the same on Linux and Windows.

1	2
Open the Firefox browser, go to the Settings > Privacy & Security page, and then click View Certificates... in the Certificates section.	In the Certificate Manager dialog box, click the Authorities tab, and then click Import... to import the certificate file.

Step 3: Enable inspection and query logs

After the certificate is installed on the asset's host, you can enable the policy for inspection.

Important
After you enable TLS inspection, protection for new connections takes effect in about one minute. Existing persistent connections are not affected and are not protected.

When you disable TLS inspection for a protected EIP, existing persistent connections are interrupted. The duration of the interruption depends on the reconnection duration of your service.

On the TLS Inspection page, you can view the list of created policies. Click the status switch to enable a TLS inspection policy. After the policy is enabled, Cloud Firewall can inspect the encrypted content of outbound traffic based on your configurations.

Note
You can delete a policy only when it is disabled.
Query traffic logs.

After traffic is generated on the inspected host, choose Detection & Response > Log Audit in the left-side navigation pane of the Cloud Firewall console.

On the Traffic Logs > Internet Firewall tab, you can query the traffic generated by the host. The logs contain information about the matched TLS inspection policy and scopes.

The logs display the IDs of the policy and inspection scopes.