SSL Insight (SSLi®)
in Thunder CFW
TLS/SSL Decryption for Real-time Visibility into Encrypted Traffic
Key Benefits of SSL Insight
A comprehensive TLS decryption solution enabling security devices to analyze encrypted enterprise traffic and augment Zero Trust strategies
Key Features
Full Network Traffic Visibility
Decrypt and encrypt regular HTTPS traffic on any TCP port using dynamic port inspection. Decryption of additional protocols such as STARTTLS, XMPP, SMTP, POP3, and SSH is also supported.
Full-proxy Control
Control the TLS ciphers used between the client and the SSLi solution, and between the SSLi solution and the server. Renegotiate to ciphers of similar strength for modern ciphers or TLS versions. Supports modern ciphers including ECC/PFS and TLS versions 1.2/1.3.
Context-aware Traffic Management
Block user access to suspicious or unwanted sites with URL filtering, and selectively bypass decryption using URL classification. Enable granular control at the application protocol level with the application recognition engine.
Flexible Deployment
Can be deployed in virtual-wire, L2 or L3 mode, and as an inline transparent proxy or explicit proxy. Supports inline L2/L3 third-party security devices and built-in ICAP for direct connection to DLP systems.
Enforce Privacy Policies
Meet privacy and compliance standards (HIPAA, PCI-DSS, GDPR, etc.) by selectively decrypting traffic using geolocation and a list of over 1 billion domains, and stop SSL-encrypted data exfiltration.
Intelligent Service Chaining
Selectively steer traffic to different service and security chains based on application type, service ports and/or user ID, using fine-grained policies.
Real-time Actionable Insights
Gain real-time, actionable insights into TLS traffic characteristics, encrypted versus unencrypted traffic levels, application types and URL categories, suspicious activities, along with extensive transaction logs and more.
Centralized Management
Manage multi-site deployments from a central location with A10 Control and simplify configuration with a guided deployment wizard.
Security Solution Integration Examples
Built to seamlessly integrate with any solution in your existing Zero Trust infrastructure
Next-generation Firewalls
Cisco FirePOWER, Palo Alto Networks NGFW, Check Point NGFW, SonicWALL NGFW
Intrusion Prevention Systems
Trellix IPS, Secureworks iSensor
Advanced Threat Protection
Trellix Network Security, OPSWAT MetaDefender, Fidelis Network
Other Integrations
Digital Guardian DLP, Symantec Edge SWG, Forcepoint Trusted Gateway System, IBM Security QRadar, RSA NetWitness, Trend Micro Deep Security, Vectra NDR, Garland Technology NPB, Niagara Networks Bypass Switch
Frequently Asked Questions
Thunder SSLi is a high-performance TLS/SSL decryption solution. It is available as Thunder CFW with a CFW-ADC license or as a Thunder SSLi appliance.
The solution intercepts and decrypts encrypted traffic, ensuring your entire security infrastructure (such as NG-FW, IPS or DLP) has complete visibility into all enterprise traffic to eliminate the SSL blind spot.
The SSLi device is typically placed in-line with (or in front of) your existing security devices, often at the network edge or in the DMZ. This setup creates a “secure decrypt zone.” Traffic is decrypted once by SSLi, sent to multiple security devices for inspection, and then immediately re-encrypted by SSLi before being forwarded to the destination. This centralized, single-point decryption architecture maximizes efficiency.
No, it enhances them. SSLi dramatically augments the efficacy and ROI of your current security infrastructure. By offloading the resource-intensive task of TLS decryption and re-encryption to the dedicated SSLi appliance, your existing security devices are freed to dedicate 100% of their resources to what they do best: deep security inspection and threat protection.
TLS/SSL decryption is an extremely CPU- and resource-intensive task. When every security device attempts to decrypt traffic, it consumes valuable processing power, often sacrificing security inspection performance. This forces companies to purchase additional security devices just to maintain capacity as encrypted traffic grows. By centralizing decryption on SSLi, you maximize the lifespan and performance of your existing security infrastructure, deferring expensive hardware upgrades.
SSLi supports all major TLS/SSL versions (TLS 1.1, 1.2, and 1.3) for HTTPS traffic. It also supports other encrypted protocols like SSH, STARTTLS, SMTP, POP3, SCP, SFTP, and XMPP.
Meanwhile, you can use granular policy controls to selectively bypass decryption for traffic containing sensitive or privacy-related information, or for known, trusted services (like specific SaaS apps or OS updates).
Absolutely. A10 Control simplifies the entire lifecycle of your SSLi deployment, including configuration and troubleshooting. It also provides detailed, centralized analytics and actionable insights into the encrypted traffic flowing across your enterprise network.
Related Product
A10 Control
A10 Control is the next-generation centralized management and control platform for A10 solutions, consolidating existing A10 Harmony Controller and aGalaxy capabilities and more.
