1. Home
    2. Best Practices
    3. Internet Gateway Best Practice Security Policy
    4. Best Practice Internet Gateway Security Policy
    5. Decrypt Traffic for Full Visibility and Threat Inspection

    Decrypt Traffic for Full Visibility and Threat Inspection

    The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.
    Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
    • If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
    • If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
    To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
    Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (ObjectsDecryption Profile) to attach to your Decryption policy rules:
    1. Configure the SSL DecryptionSSL Forward Proxy settings to block exceptions during SSL negotiation and block sessions that can’t be decrypted:
      decryption-profile-bp1.png
    2. Configure the SSL DecryptionSSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):
      decryption-profile-bp2.png
    3. For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers:
      decryption-profile-bp3.png

    Related Documentation

    Create a Decryption Profile

    Attach Decryption profiles to Decryption policy rules to control the protocol versions, algorithms, verification checks, and session checks the firewall accepts for the traffic defined ...

    Create a Decryption Policy Rule

    Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...

    Configure SSL Inbound Inspection

    SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those ...

    Configure SSH Proxy

    SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications ...

    Decryption

    You can’t protect yourself against threats you can’t see. Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...

    Create a Policy-Based Decryption Exclusion

    Exclude traffic that you choose not to decrypt for legal, privacy, or business reasons from decryption to comply with those policies while still applying SSL ...

    Deploy SSL Decryption Using Best Practices

    Following SSL Decryption deployment best practices help to ensure a smooth, prioritized rollout and that you decrypt the traffic you need to decrypt to safeguard ...

    Create User-to-Data-Center Decryption Policy Rules

    Create rules that decrypt user traffic flowing to the data center so you can inspect the traffic and protect your most valuable assets against malware ...

    SSL Forward Proxy Decryption Profile

    The SSL Forward Proxy Decryption profile blocks risky outbound sessions, verifies certificates, and provides session failure checks. ...

    Create the Data Center Best Practice Decryption Profiles

    Decryption Profiles define the SSL Protocol settings the firewall accepts so you can protect against vulnerable, weak protocols and algorithms. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo