Follow Post-Deployment SSL Decryption Best Practices

SSL Decryption post-deployment best practices ensure that decryption is functioning as expected and help you maintain the deployment.
After you deploy decryption, ensure that everything is working as expected and take steps to ensure that it keeps working as expected.
  1. Verify that decryption works as expected.
  2. Measure firewall performance to ensure that it’s within acceptable norms and so that you understand the effect of decryption on performance.
    If you want to decrypt more traffic than firewall resources support, scale up so that you have enough resources to decrypt all of the traffic you want to decrypt and secure your network.
  3. Educate new employees as you hire them so that they understand your decryption policy and won’t be surprised if they can’t reach a particular site because it uses weak cipher suites.
  4. Periodically review and update Decryption policies and profiles.
  5. Use decryption troubleshooting tools such as the Application Command Center’s
    SSL Activity
    widgets and the Decryption log (
    Monitor
    Logs
    Decryption
    ) to monitor decryption traffic and solve decryption issues.
    Decryption troubleshooting workflow examples show you how to use the tools to investigate issues.
  6. Use Palo Alto Networks documentation and other resources to learn more about Decryption and to look up information:
    • The PAN-OS Administrator’s Guide provides detailed information about Palo Alto Networks next-generation firewalls.
    • Palo Alto Networks Live community has a Decryption Resource List of articles about decryption configuration, setup, and administration.
    • To find missing intermediate certificates, visit SSL Labs (Qualys).
    • To find out which cipher suites a server supports, visit Qualys SSL Labs server SSL test page.
    • To check up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world so you can see trends and understand how widespread worldwide support is for more secure ciphers and protocols, visit Qualys SSL Labs SSL Pulse page.

Recommended For You