Follow Post-Deployment SSL Decryption Best Practices

SSL Decryption post-deployment best practices ensure that decryption is functioning as expected and help you maintain the deployment.
After you deploy decryption, ensure that everything is working as expected and take steps to ensure that it keeps working as expected.
  1. Verify that decryption works as expected.
  2. Measure firewall performance to ensure that it’s within acceptable norms and so that you understand the effect of decryption on performance.
    If you want to decrypt more traffic than firewall resources support, scale up so that you have enough resources to decrypt all of the traffic you want to decrypt and secure your network.
  3. Educate new employees as you hire them so that they understand your decryption policy and won’t be surprised if they can’t reach a particular site because it uses weak cipher suites.
  4. Periodically review and update Decryption policies and profiles.
  5. Use decryption troubleshooting tools such as the Application Command Center’s SSL Activity widgets and the Decryption log (Monitor > Logs > Decryption) to monitor decryption traffic and solve decryption issues.
    Decryption troubleshooting workflow examples show you how to use the tools to investigate issues.
  6. When you need to change the certificate on a server for which the firewall performs SSL Inbound Inspection, add the new certificate to the Decryption policy rule for that server before you make the change on the server. Decryption policy rules support multiple server certificates, so you can keep the old certificate and also add the new certificate to the rule. This avoids any interruption in decryption due to changing the certificate on the server when the firewall only has the old certificate. Adding the new server certificate to the Decryption policy rule ensures that when you change the certificate on the server, the firewall has the right certificate to continue decrypting traffic seamlessly.
    Be sure to remove invalid certificates from Decryption policy rules and from the firewall after you change server certificates.
  7. Use Palo Alto Networks documentation and other resources to learn more about Decryption and to look up information:
    • The PAN-OS Administrator’s Guide provides detailed information about Palo Alto Networks next-generation firewalls.
    • Palo Alto Networks Live community has a Decryption Resource List of articles about decryption configuration, setup, and administration.
    • To find missing intermediate certificates, visit SSL Labs (Qualys).
    • To find out which cipher suites a server supports, visit Qualys SSL Labs server SSL test page.
    • To check up-to-date statistics on the percentages of ciphers and protocols in use on the 150,000 most popular sites worldwide, visit the Qualys SSL Labs SSL Pulse page; the statistics show trends and how widespread support for more secure ciphers and protocols is.
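The certificate-rotation procedure in step 6 (add the new server certificate to the Decryption policy rule before the server changes, then remove the old certificate afterwards) can be turned into a pre-change check and a post-change cleanup. The following is an added example, not code from Palo Alto Networks; the certificate names, fingerprints and dates are constructed, and the rule is modelled as a plain list rather than read from a firewall.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ServerCert:
    name: str          # certificate object name on the firewall (constructed)
    fingerprint: str   # SHA-256 fingerprint; placeholder strings below
    not_after: date    # certificate expiry


def pre_change_issues(rule_certs, new_cert, today):
    """Checks to run BEFORE the certificate is swapped on the server.

    Returns a list of problems; an empty list means the rule already holds
    the new certificate, so the swap cannot interrupt inbound inspection.
    """
    issues = []
    if new_cert.fingerprint not in {c.fingerprint for c in rule_certs}:
        issues.append(f"{new_cert.name} is not in the Decryption rule; add it first")
    if new_cert.not_after <= today:
        issues.append(f"{new_cert.name} is already expired")
    return issues


def can_decrypt(rule_certs, presented_fp):
    """True if the certificate the server now presents is one the rule holds."""
    return presented_fp in {c.fingerprint for c in rule_certs}


def post_change_cleanup(rule_certs, presented_fp, today):
    """Run only AFTER the server is confirmed to present the new certificate.

    Returns certificates to remove from the rule (and then from the
    firewall): anything expired, plus the old generation no longer presented.
    """
    return [c for c in rule_certs
            if c.not_after <= today or c.fingerprint != presented_fp]


# Constructed rotation from OLD to NEW on 2024-06-01.
OLD = ServerCert("web-srv-2023", "sha256:OLD-PLACEHOLDER", date(2024, 7, 1))
NEW = ServerCert("web-srv-2024", "sha256:NEW-PLACEHOLDER", date(2025, 7, 1))
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(pre_change_issues([OLD], NEW, TODAY))        # NEW missing from rule
    print(pre_change_issues([OLD, NEW], NEW, TODAY))   # [] -> safe to swap
    print(can_decrypt([OLD, NEW], NEW.fingerprint))    # True after the swap
    print(post_change_cleanup([OLD, NEW], NEW.fingerprint, TODAY))  # [OLD]
```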
