Follow Post-Deployment SSL Decryption Best Practices
Post-deployment SSL Decryption best practices confirm that decryption is working as intended and help you keep the deployment healthy as traffic, certificates, and staff change. After you deploy decryption, verify that it behaves as expected, then take steps to ensure that it keeps behaving that way.
Verify that decryption works as expected (the sessions you intend to decrypt are decrypted, and the sessions you intend to exclude are not).
Measure firewall performance so that you know it is within acceptable norms and so that you understand how much of the load decryption accounts for.
If you want to decrypt more traffic than your firewall resources support, scale up so that you have enough capacity to decrypt all of the traffic you want to decrypt and still secure your network; do not quietly reduce decryption coverage to fit the hardware.
Educate new employees as you hire them so that they understand your decryption policy and are not surprised if they cannot reach a particular site because your Decryption profile blocks sessions that use weak cipher suites.
Periodically review and update Decryption policies and profiles.
Use decryption troubleshooting tools such as the Application Command Center's SSL Activity widgets and the Decryption log to monitor decrypted traffic and to diagnose decryption issues.
When you need to change the certificate on a server for which the firewall performs SSL Inbound Inspection, add the new certificate to the Decryption policy rule for that server before you make the change on the server. Decryption policy rules support multiple server certificates, so you can keep the old certificate in the rule and add the new certificate alongside it. If the firewall holds only the old certificate when the server switches, it can no longer decrypt that server's traffic; adding the new certificate in advance means the firewall already has the right certificate when the server changes, so decryption continues without interruption.
After the server change is complete and verified, remove the old or otherwise invalid certificates from the Decryption policy rule and from the firewall.
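The certificate-rotation steps above come down to two checks: before the cutover, the certificate the server is about to present must already be attached to the Decryption policy rule; after the cutover, any rule certificate the server no longer presents is a candidate for removal. The following script is an added example, not Palo Alto Networks code, and it makes some assumptions: the rule's certificates are available as a PEM bundle exported from the firewall (here a constructed placeholder, `RULE_DURING_ROTATION`), the new server certificate is available as PEM (`NEW_CERT_PEM`, also constructed), and in real use the live certificate would be fetched from the server with `fetch_live_server_pem`. The placeholder PEM bodies are arbitrary bytes in PEM framing, not real X.509 certificates; the comparison only depends on the SHA-256 fingerprint of the DER content, which is the same value the firewall and `openssl x509 -fingerprint -sha256` display.

```python
"""Pre- and post-cutover checks for an SSL Inbound Inspection certificate change.

Added example (not Palo Alto Networks code). Hypothetical inputs:
  rule bundle PEM  - certificates attached to the Decryption policy rule
  new server PEM   - certificate the server will present after the change
  live server PEM  - certificate the server presents right now
"""
import base64
import hashlib
import re
import ssl

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs_to_der(pem_text):
    """Split a PEM bundle into DER byte strings, one per certificate."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(pem_text)]


def sha256_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form the firewall displays."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def rule_fingerprints(rule_bundle_pem):
    """Set of fingerprints for every certificate in the rule's bundle."""
    return {sha256_fingerprint(der) for der in pem_certs_to_der(rule_bundle_pem)}


def ready_for_cutover(rule_bundle_pem, new_server_pem):
    """Pre-change check: the new server certificate must already be in the rule.

    Returns False if the new PEM holds no certificate or any of its certificates
    is missing from the rule, because the firewall would then lose the ability
    to decrypt this server's traffic the moment the server switches.
    """
    new_fps = rule_fingerprints(new_server_pem)
    return bool(new_fps) and new_fps <= rule_fingerprints(rule_bundle_pem)


def stale_rule_certificates(rule_bundle_pem, live_server_pem):
    """Post-change check: rule certificates the server no longer presents.

    These are the old certificates to remove from the rule and the firewall
    once the change has been verified.
    """
    live_fps = rule_fingerprints(live_server_pem)
    return sorted(rule_fingerprints(rule_bundle_pem) - live_fps)


def fetch_live_server_pem(host, port=443):
    """Real use only: retrieve the leaf certificate the server currently serves."""
    return ssl.get_server_certificate((host, port))


def _placeholder_pem(label):
    """Constructed placeholder: arbitrary bytes in PEM framing, NOT a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data standing in for the firewall export and the server cert.
OLD_CERT_PEM = _placeholder_pem("old-server-certificate")
NEW_CERT_PEM = _placeholder_pem("new-server-certificate")
RULE_BEFORE_ROTATION = OLD_CERT_PEM                  # rule holds only the old cert
RULE_DURING_ROTATION = OLD_CERT_PEM + NEW_CERT_PEM   # both attached before the switch


if __name__ == "__main__":
    print("cutover safe with old cert only:", ready_for_cutover(RULE_BEFORE_ROTATION, NEW_CERT_PEM))
    print("cutover safe with both certs:   ", ready_for_cutover(RULE_DURING_ROTATION, NEW_CERT_PEM))
    # Simulate the post-change state: the server now presents only the new cert.
    for fp in stale_rule_certificates(RULE_DURING_ROTATION, NEW_CERT_PEM):
        print("remove from rule after verification:", fp)
```

Run the pre-change check before touching the server; if it reports False, attach the new certificate to the rule first. After the server change, run the post-change check against the certificate the server actually presents (via `fetch_live_server_pem` in real use) and remove only the fingerprints it reports.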
Use Palo Alto Networks documentation and other resources to learn more about Decryption and to look up information:
The Palo Alto Networks Live community has a Decryption Resource List of articles about decryption configuration, setup, and administration.
To see up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world, so that you can follow trends and understand how widespread support for more secure ciphers and protocols is, visit the Qualys SSL Labs SSL Pulse page.