Follow Post-Deployment SSL Decryption Best Practices

SSL Decryption post-deployment best practices ensure that decryption is functioning as expected and help you maintain the deployment.
After you deploy decryption, confirm that it works as intended and take steps to keep it working:
  1. Verify that decryption works as expected.
  2. Measure firewall performance to confirm that it’s within acceptable norms and to understand the effect of decryption on performance.
    If you want to decrypt more traffic than your firewall resources support, the best practice is to scale up the resources so that you have enough to decrypt everything you want to decrypt and secure the network.
  3. Educate new employees as you hire them so that they understand your decryption policy and won’t be surprised.
  4. Periodically review and, if necessary, update Decryption policies and profiles.
  5. Use Palo Alto Networks documentation and other resources to learn more about Decryption and to look up information:
    • The PAN-OS 9.0 Administrator’s Guide provides detailed information about Palo Alto Networks next-generation firewalls.
    • The Palo Alto Networks Live community has a Decryption Resource List of articles about decryption configuration, setup, and administration.
    • To find missing intermediate certificates, visit SSL Labs (Qualys).
    • To find out which cipher suites a server supports, visit the Qualys SSL Labs server SSL test page.
    • To check up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world, visit the Qualys SSL Labs SSL Pulse page. The statistics show trends and how widespread worldwide support is for more secure ciphers and protocols.
