For WAF we are referring to either reverse proxy or bridge mode, and both need to be addressed within the context of your question.
In bridge mode the traffic will pass through the GW with no impact due to expired keys.
What may be impacted is inspection.
If the key pair used in the expired cert is still valid then decryption will occur.
If there have been changes to how the cert is generated which impact the key pair then decryption is not possible.
You would see alerts in the MX UI indicating decryption failed due to the cert used.
If you are in RP then the end customer will see a warning that the certificate used for this connection has expired.
Typically this is not a desirable situation and will typically generate customer calls/complaints.
The rules around decrypt are the same as above. If the keys still work then we can decrypt.
------------------------------
Phil Klassen
------------------------------
Original Message:
Sent: 11-27-2019 04:18
From: kelvin chan
Subject: How can I tell if the Encryption Support is working properly (decrypts and inspects)?
I just came across that my server's Public and Private SSL keys uploaded previously to SecureSphere are all expired, and am going to upload the new ones. But how can I tell if the Encryption Support is working properly (decrypts and inspects) after uploading? This is of concern to me as the WAF keeps "working" with expired keys, then what is the difference with the new effective keys to be uploaded? Thanks.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
analyst
------------------------------
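
An added example, not part of the original thread and not Imperva tooling: the reply separates two conditions, whether the certificate has expired and whether the key pair behind it has changed, and both can be checked with `openssl` before new keys are uploaded. The function names, file names and sample certificates are constructed for illustration, and the 1-day certificate stands in for an expired one by checking two days ahead.

```shell
#!/bin/sh
# Added example. All file names and certificates below are constructed samples.

spki() {  # spki cert|key FILE -> PEM public key, empty on failure
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    esac
}

# cert_key_status CERT KEY [LOOKAHEAD_SECONDS]
# key=match: KEY is the private half of the public key inside CERT.
# expiry=expired: notAfter falls within LOOKAHEAD_SECONDS (default 0 = now).
cert_key_status() {
    cert_pub=$(spki cert "$1") || cert_pub=
    key_pub=$(spki key "$2") || key_pub=
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "key=unreadable"; return 2
    fi
    if [ "$cert_pub" = "$key_pub" ]; then k=match; else k=mismatch; fi
    if openssl x509 -in "$1" -noout -checkend "${3:-0}" >/dev/null 2>&1
    then e=valid; else e=expired; fi
    echo "key=$k expiry=$e"
}

# make_sample DIR: one key with a 1-day cert, a renewal that reuses that key,
# and a replacement cert issued for a freshly generated key.
make_sample() {
    subj="/CN=app.example.test"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/old.key" \
        -out "$1/old.crt" -days 1 -subj "$subj" 2>/dev/null
    openssl req -x509 -new -key "$1/old.key" -out "$1/renewed.crt" \
        -days 365 -subj "$subj" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/rekeyed.key" \
        -out "$1/rekeyed.crt" -days 365 -subj "$subj" 2>/dev/null
}

d=$(mktemp -d)
make_sample "$d"
# Old key against: the soon-to-expire cert, a same-key renewal, a re-keyed cert.
cert_key_status "$d/old.crt" "$d/old.key" 172800
cert_key_status "$d/renewed.crt" "$d/old.key"
cert_key_status "$d/rekeyed.crt" "$d/old.key"
rm -rf "$d"
```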