Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, and other traffic that you don’t decrypt for business, legal, or regulatory reasons.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
  • If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
  • If a specific user needs to be excluded for regulatory, business, or legal reasons, create an exception for just that user.
To ensure that certificates presented during decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules, and follow general decryption best practices:
  1. Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during TLS negotiation and to block sessions that can't be decrypted:
     [Screenshot: SSL Forward Proxy settings in the best practice Decryption Profile]
     Enabling Block sessions if resources not available prevents the firewall from allowing potentially dangerous connections through undecrypted when decryption resources are exhausted, but it may affect the user experience.
  2. Configure the SSL Decryption > SSL Protocol Settings to block the use of vulnerable SSL/TLS versions (TLSv1.0, TLSv1.1, and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):
     [Screenshot: SSL Protocol Settings in the best practice Decryption Profile]
     Use TLSv1.3 (the most secure protocol) when you can. Be aware that many mobile applications use certificate pinning, which prevents decryption and causes the firewall to drop the traffic, so for that traffic be sure to use TLSv1.2.
     Review the sites you need to access for business purposes. If any of them use TLSv1.1, create a separate Decryption policy rule and profile for those sites so that only the sites you require for business can use the less secure protocol.
     The same applies to the SHA1 authentication algorithm: if you can use a more secure algorithm such as SHA256 or SHA384, do so. If only a few sites that you need for business purposes use SHA1, create a separate Decryption policy rule and profile for them.
  3. For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers:
     [Screenshot: No Decryption settings in the best practice Decryption Profile]
     Only use a No Decryption profile for TLSv1.2 and earlier versions. Do not attach a No Decryption profile to TLSv1.3 traffic that you don't decrypt: TLSv1.3 encrypts certificate information that was sent in the clear in earlier versions, so the firewall cannot block TLSv1.3 sessions based on certificate information.
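To make the three profile settings above concrete, here is a small policy model (an added example, not PAN-OS code) that applies the same rules to a session summary: the strict forward-proxy profile, a separate legacy exception profile for the few business sites that still need TLSv1.1 or SHA1, and a No Decryption profile that can only act on certificate data when the version is TLSv1.2 or earlier. The Session and Profile fields and the IANA cipher-suite naming are assumptions made for the illustration.

```python
from dataclasses import dataclass

WEAK_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"MD5", "RC4", "3DES"}   # avoided by the SSL Protocol Settings

@dataclass
class Session:                     # constructed summary of a TLS session
    host: str
    version: str                   # negotiated protocol, e.g. "TLSv1.2"
    cipher: str                    # IANA suite name, e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    cert_expired: bool = False
    issuer_untrusted: bool = False
    resources_available: bool = True   # whether the firewall has decryption resources

@dataclass
class Profile:                     # models the Decryption Profile settings discussed above
    name: str
    decrypt: bool                  # True: SSL Forward Proxy; False: No Decryption
    allow_sha1: bool = False
    allow_tls11: bool = False

STRICT = Profile("strict-forward-proxy", decrypt=True)
LEGACY = Profile("legacy-business-sites", decrypt=True, allow_sha1=True, allow_tls11=True)
NO_DECRYPT = Profile("no-decrypt-sensitive", decrypt=False)

def evaluate(s: Session, p: Profile) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for a session under a profile."""
    if not p.decrypt:
        # No Decryption profile: only certificate checks, and only when the
        # certificate is visible, which it is not under TLSv1.3.
        if s.version == "TLSv1.3":
            return "allow", "TLSv1.3 hides the certificate; profile cannot evaluate it"
        if s.cert_expired or s.issuer_untrusted:
            return "block", "expired certificate or untrusted issuer"
        return "allow", "certificate checks passed"
    if not s.resources_available:
        return "block", "decryption resources not available"
    if s.cert_expired or s.issuer_untrusted:
        return "block", "expired certificate or untrusted issuer"
    if s.version in WEAK_VERSIONS and not (p.allow_tls11 and s.version == "TLSv1.1"):
        return "block", f"{s.version} not permitted"
    tokens = set(s.cipher.upper().split("_"))
    if tokens & WEAK_CIPHER_TOKENS:
        return "block", f"weak algorithm in {s.cipher}"
    if "SHA" in tokens and not p.allow_sha1:   # a bare "SHA" token means SHA1
        return "block", "SHA1 authentication not permitted"
    return "allow", "meets profile"

def select_profile(host: str, sensitive: set, legacy: set) -> Profile:
    """Narrowest profile: sensitive category -> No Decryption, named legacy exception -> LEGACY, else STRICT."""
    return NO_DECRYPT if host in sensitive else (LEGACY if host in legacy else STRICT)
```

Keep the `legacy` set to the specific hosts you have reviewed, so that the weaker settings apply only to those exceptions.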
