

# Managing your TLS inspection configuration in Network Firewall
<a name="managing-tls-configuration"></a>

This section describes how to create, update, and delete a TLS inspection configuration in Network Firewall. To turn on TLS inspection for your firewall, create a TLS inspection configuration, add the TLS inspection configuration to a firewall policy, then associate the firewall policy with your firewall. 

You can only add a TLS inspection configuration to a new policy, not to an existing policy. However, you can replace an existing TLS inspection configuration with another TLS inspection configuration in a firewall policy. To add a TLS inspection configuration to a firewall policy or update an existing TLS inspection configuration, see [Managing your firewall policy](firewall-policy-managing.md).

**Note**  
A TLS inspection configuration is only available for use by the account that you use to create it. It can't be shared across accounts.

**Topics**
+ [Creating a TLS inspection configuration in Network Firewall](creating-tls-configuration.md)
+ [Updating a TLS inspection configuration in Network Firewall](updating-tls-configuration.md)
+ [Deleting a TLS inspection configuration in Network Firewall](deleting-tls-configuration.md)

# Creating a TLS inspection configuration in Network Firewall
<a name="creating-tls-configuration"></a>

This procedure explains how to create a TLS inspection configuration using Network Firewall. To follow this procedure, you must have at least one certificate in AWS Certificate Manager (ACM) that's accessible by your AWS account.

**To create a TLS inspection configuration using the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **TLS inspection configurations**.

1. Choose **Create TLS inspection configuration**.

1. In the **Associate SSL/TLS certificates** page, configure **Server certificates for inbound SSL/TLS inspection**, **CA certificate for outbound SSL/TLS inspection**, or both.

1. Choose **Next** to go to the TLS inspection configuration's **Describe TLS inspection configuration** page.

1. Enter a **Name** to identify this TLS inspection configuration.
**Warning**  
You can't change the name after you create the TLS inspection configuration.

1. (Optional) Enter a **Description** for the TLS inspection configuration.

1. Choose **Next** to go to the TLS inspection configuration's **Define scope** page.

1. In the **Scope configuration** pane, choose the protocol, source, source port range, destination, and destination port range of the traffic that you want Network Firewall to decrypt. Network Firewall uses the associated certificates to decrypt only the SSL/TLS traffic that matches a scope configuration; traffic outside every scope is not decrypted. After decrypting the matching traffic, Network Firewall inspects it according to your firewall policy's stateful rules.

   Network Firewall also automatically configures a reverse scope, ensuring that the service inspects the traffic in both directions.

   1. For **Protocol**, choose the protocol to decrypt. Network Firewall currently supports TCP.

   1. For **Source IP**, choose the source IP addresses and ranges to decrypt. You can decrypt by **Custom** IP addresses or by **Any IPv4 address**.

   1. For **Source port**, choose the source ports and source port ranges to decrypt. You can decrypt by **Custom** port ranges or by **Any port**.

   1. For **Destination IP**, choose the destination IP addresses and ranges to decrypt. You can decrypt by **Custom** IP addresses or by **Any IPv4 address**.

   1. For **Destination port**, choose the destination ports and destination port ranges to decrypt. You can decrypt by **Custom** port ranges or by **Any port**.

   1. Choose **Add scope configuration**. To add more scope configurations, adjust the settings in the **Scope configuration** pane, then choose **Add scope configuration** again.

1. Choose **Next**.

1. (Optional) On the **Advanced settings** page, under **Customer managed key**, you can change the key that Network Firewall uses to encrypt and decrypt the TLS inspection configuration at rest, to protect it against unauthorized access. By default, Network Firewall uses an AWS owned key. If you want to use your own key, create a customer managed key in AWS Key Management Service and provide it to Network Firewall here. For information about customer managed keys, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md). 

1. (Optional) In the **Certificate revocation status** section, choose whether Network Firewall should check if the certificate that's presented by the server in the TLS connection has a revoked status. To enable this option, you must first associate a certificate authority (CA) certificate for outbound inspection in the **Associate SSL/TLS certificates** step. You can also configure the actions that Network Firewall takes on outbound traffic if the certificate is revoked or has an unknown status.

1. Choose **Next**.

1. (Optional) On the **Add tags** page, enter a key and optional value for any tag that you want to add to this TLS inspection configuration. Tags help you to organize and manage your AWS resources. For more information about tagging your resources, see [Tagging AWS Network Firewall resources](tagging.md). 

1. Choose **Next**.

1. On the **Review and confirm** page, check the TLS inspection configuration settings. If you want to change anything, choose **Edit** for that section. This returns you to the corresponding step in the create TLS inspection configuration wizard. Make your changes, then choose **Next** on each page until you come back to the review and confirm page.

1. Choose **Create TLS inspection configuration**.

Your new TLS inspection configuration is added to the list in the Network Firewall TLS inspection configurations page.

If you've configured the inspection for certificate revocation checks on outbound traffic, you can log failures for these checks by enabling TLS logging. For information, see [Logging network traffic](firewall-logging.md).

To use your TLS inspection configuration in a firewall policy, follow the procedures at [Managing your firewall policy](firewall-policy-managing.md).
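The console wizard above maps onto a single `CreateTLSInspectionConfiguration` API request. The following is an added example, not code from the AWS documentation: it builds that request body in Python and enforces the dependencies the procedure describes (a scope needs TCP and valid ports and CIDRs, a configuration needs server certificates or a CA certificate or both, and revocation checking needs the CA certificate) before anything is sent. The certificate ARNs, CIDRs, KMS key ID and configuration name are placeholders, and the `reverse_scope` helper is only an illustration of the reverse scope the service derives on its own, assumed to be a plain swap of the endpoints; you do not submit it.

```python
"""Build and locally validate a CreateTLSInspectionConfiguration request.

Added example, not code from the AWS documentation. ARNs, CIDRs, the KMS key ID
and the configuration name are placeholders (assumptions). Run it to print the
JSON for:
    aws network-firewall create-tls-inspection-configuration \
        --cli-input-json file://tls-config.json
"""
import ipaddress
import json

TCP = 6                      # only protocol the decryption scope supports
REVOCATION_ACTIONS = {"PASS", "DROP", "REJECT"}


def port_range(from_port, to_port=None):
    """PortRange object; a single port is a range of one."""
    to_port = from_port if to_port is None else to_port
    if not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"invalid port range {from_port}-{to_port}")
    return {"FromPort": from_port, "ToPort": to_port}


def address(cidr):
    """Address object; rejects malformed CIDRs before the API does."""
    ipaddress.ip_network(cidr)
    return {"AddressDefinition": cidr}


ANY_IPV4 = address("0.0.0.0/0")      # console's "Any IPv4 address"
ANY_PORT = port_range(0, 65535)      # console's "Any port"


def scope(sources, destinations, source_ports, destination_ports, protocols=(TCP,)):
    """One ServerCertificateScope: traffic matching all five fields is decrypted."""
    return {"Protocols": list(protocols), "Sources": list(sources),
            "Destinations": list(destinations), "SourcePorts": list(source_ports),
            "DestinationPorts": list(destination_ports)}


def reverse_scope(s):
    """Return direction of a scope, which Network Firewall derives automatically.
    Illustration only (assumed to be a plain swap of the endpoints); never submit it."""
    return scope(s["Destinations"], s["Sources"], s["DestinationPorts"],
                 s["SourcePorts"], s["Protocols"])


def server_certificate_configuration(scopes, server_cert_arns=(), ca_arn=None,
                                     revoked_action=None, unknown_action=None):
    """ServerCertificateConfiguration: inbound server certs, outbound CA, or both."""
    if not server_cert_arns and ca_arn is None:
        raise ValueError("need server certificates (inbound), a CA certificate (outbound), or both")
    if not scopes:
        raise ValueError("at least one scope is required")
    cfg = {"Scopes": list(scopes)}
    if server_cert_arns:
        cfg["ServerCertificates"] = [{"ResourceArn": arn} for arn in server_cert_arns]
    if ca_arn is not None:
        cfg["CertificateAuthorityArn"] = ca_arn
    if revoked_action is not None or unknown_action is not None:
        # Revocation checking applies to outbound traffic only, so it needs the CA.
        if ca_arn is None:
            raise ValueError("certificate revocation checks require a CA certificate")
        if not {revoked_action, unknown_action} <= REVOCATION_ACTIONS:
            raise ValueError(f"actions must be one of {sorted(REVOCATION_ACTIONS)}")
        cfg["CheckCertificateRevocationStatus"] = {
            "RevokedStatusAction": revoked_action, "UnknownStatusAction": unknown_action}
    return cfg


def create_request(name, config, description=None, kms_key_id=None, tags=None):
    """Full request body. The name is immutable after creation, so pick it carefully."""
    req = {"TLSInspectionConfigurationName": name,
           "TLSInspectionConfiguration": {"ServerCertificateConfigurations": [config]}}
    if description:
        req["Description"] = description
    # Default is an AWS owned key; CUSTOMER_KMS switches to your own KMS key.
    req["EncryptionConfiguration"] = ({"Type": "CUSTOMER_KMS", "KeyId": kms_key_id}
                                      if kms_key_id else {"Type": "AWS_OWNED_KMS_KEY"})
    if tags:
        req["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return req


if __name__ == "__main__":
    # Decrypt outbound HTTPS from the VPC to anywhere, dropping revoked certificates.
    egress = scope([address("10.0.0.0/16")], [ANY_IPV4], [ANY_PORT], [port_range(443)])
    cfg = server_certificate_configuration(
        [egress], ca_arn="arn:aws:acm:us-east-1:111122223333:certificate/ca-placeholder",
        revoked_action="DROP", unknown_action="PASS")
    print(json.dumps(create_request("egress-tls-inspection", cfg,
                                    description="Outbound TLS inspection",
                                    tags={"Env": "prod"}), indent=2))
```

Redirect the printed JSON to a file and pass it with `--cli-input-json`; the same validation catches the common mistake of turning on revocation checks for a configuration that only carries inbound server certificates, which the console also refuses.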

# Updating a TLS inspection configuration in Network Firewall
<a name="updating-tls-configuration"></a>

To change your TLS inspection configuration settings, use the following procedure:

**To update a TLS inspection configuration**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **TLS inspection configurations**.

1. On the **TLS inspection configurations** page, select the name of the TLS inspection configuration that you want to update. 

1. On the TLS inspection configuration page, make your changes. You can't update the name of a TLS inspection configuration after creation, but you can change other details. If you want to update the name, you must create a new TLS inspection configuration.

1. Choose **Save** to save your changes.

**How Network Firewall propagates your changes**  
When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are normally applied within minutes, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another. 

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds. 

# Deleting a TLS inspection configuration in Network Firewall
<a name="deleting-tls-configuration"></a>

To delete a TLS inspection configuration, perform the following procedure.

**Deleting a TLS inspection configuration**  
When you delete a TLS inspection configuration, AWS Network Firewall checks whether it's currently referenced by a firewall policy. If it is, Network Firewall returns a warning and doesn't delete the TLS inspection configuration. Network Firewall can almost always determine whether a resource is referenced; in rare cases it can't. To be sure that the resource you want to delete isn't in use, check all of your firewall policies before deleting it.
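Checking every firewall policy by hand does not scale past a handful of accounts, and the reference check that Network Firewall performs is, as noted above, not guaranteed. The following is an added example, not code from the AWS documentation: it walks `ListFirewallPolicies` (following `NextToken`, so a policy on a later page is not missed) and reads each policy's `TLSInspectionConfigurationArn` with `DescribeFirewallPolicy`, deleting the TLS inspection configuration only when nothing references it. The `client` argument can be a boto3 `network-firewall` client or anything with the same two methods; the fake client and its policy ARNs are constructed sample data so the check can run offline.

```python
"""Check which firewall policies reference a TLS inspection configuration
before deleting it. Added example, not code from the AWS documentation.

Calls the real Network Firewall APIs ListFirewallPolicies and
DescribeFirewallPolicy. `client` may be a boto3 "network-firewall" client or
any object with the same two methods; the fake client below (constructed
sample data, placeholder ARNs) lets the check run offline.
"""


def iter_firewall_policies(client):
    """Yield every policy summary, following NextToken so no page is skipped."""
    kwargs = {}
    while True:
        page = client.list_firewall_policies(**kwargs)
        yield from page.get("FirewallPolicies", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def policies_referencing(tls_config_arn, client):
    """ARNs of policies whose TLSInspectionConfigurationArn is the given one."""
    hits = []
    for summary in iter_firewall_policies(client):
        desc = client.describe_firewall_policy(FirewallPolicyArn=summary["Arn"])
        policy = desc.get("FirewallPolicy", {})
        if policy.get("TLSInspectionConfigurationArn") == tls_config_arn:
            hits.append(summary["Arn"])
    return hits


def safe_to_delete(tls_config_arn, client):
    """True only when no firewall policy references the configuration."""
    return not policies_referencing(tls_config_arn, client)


class FakeNetworkFirewallClient:
    """Constructed stand-in: two pages of policies, one of which references TLS_A."""
    TLS_A = "arn:aws:network-firewall:us-east-1:111122223333:tls-configuration/tls-a"
    TLS_B = "arn:aws:network-firewall:us-east-1:111122223333:tls-configuration/tls-b"
    _PREFIX = "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/"
    _POLICIES = {
        _PREFIX + "p1": {"TLSInspectionConfigurationArn": TLS_A},
        _PREFIX + "p2": {},                                   # no TLS inspection at all
        _PREFIX + "p3": {"TLSInspectionConfigurationArn": TLS_B},
    }

    def list_firewall_policies(self, NextToken=None, **_):
        arns = list(self._POLICIES)
        if NextToken is None:   # first page, with a continuation token
            return {"FirewallPolicies": [{"Name": "p1", "Arn": arns[0]}], "NextToken": "page2"}
        return {"FirewallPolicies": [{"Name": a.rsplit("/", 1)[1], "Arn": a} for a in arns[1:]]}

    def describe_firewall_policy(self, FirewallPolicyArn):
        return {"FirewallPolicy": self._POLICIES[FirewallPolicyArn]}


if __name__ == "__main__":
    # Real run: python check_tls_refs.py <tls-inspection-configuration-arn>
    import sys
    import boto3
    arn = sys.argv[1]
    nfw = boto3.client("network-firewall")
    in_use = policies_referencing(arn, nfw)
    if in_use:
        sys.exit(f"still referenced by: {', '.join(in_use)}")
    nfw.delete_tls_inspection_configuration(TLSInspectionConfigurationArn=arn)
    print("deleted", arn)
```

Because a TLS inspection configuration can't be shared across accounts, the policies that can reference it live in the same account and Region as the configuration, so one pass per Region where the configuration exists is sufficient.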

**To delete a TLS inspection configuration**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **TLS inspection configurations**.

1. On the **TLS inspection configurations** page, select the TLS inspection configuration that you want to delete. 

1. Choose **Delete**, and confirm your request.

Your TLS inspection configuration is removed from the list on the **TLS inspection configurations** page.