Decryption Policy Rules
Decryption policy rules dictate how NGFW and Prisma Access decrypt traffic and are
the basis of a decryption policy.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW, Prisma Access | No requirements. |
Decryption policy rules define how Next-Generation Firewalls (NGFW) and Prisma Access handle encrypted traffic. Each rule specifies the criteria that select traffic for decryption (or exempt it from decryption) and the type of decryption to perform on the matching traffic. One or more decryption policy rules form a decryption policy. You specify the criteria using network and policy objects; for example, you can decrypt traffic from specific users, URL categories, or specific sources or destinations. Decryption policy rules apply to SSL/TLS traffic (including TLS-wrapped protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S)) and to SSH traffic, whether it enters or leaves your network.
NGFW and Prisma Access support three types of decryption: SSL Forward
Proxy, SSL Inbound Inspection, and SSH Proxy.
SSH Proxy is not supported by Strata Cloud Manager.
The settings in a decryption policy rule let you apply rules precisely to
different users, groups, and network segments. For example, you can decrypt traffic to certain URL
categories between specific zones only when a particular user requests the resource.
Matching traffic on these criteria lets you spend decryption resources where they
provide the most protection, instead of decrypting everything or nothing.
Components of a Decryption Policy Rule
Decryption policy rules let you select the traffic to decrypt by destination, source,
service, or URL category. You also define how that traffic is decrypted, for
example by attaching a decryption profile with additional settings and by choosing
log settings. Each setting type corresponds to an area of the interface, whose
name may differ slightly depending on your management platform:
- Source
- Destination
- Service/URL Category (or Services and URLs)
- Options (or Action and Advanced Inspection)
- Log Settings
By selecting traffic based on IP addresses, ports, protocols, and other
characteristics, you can focus decryption resources where inspection adds
the most value and avoid spending them on traffic you have decided not to decrypt.
General
In this section, enter basic information about the decryption policy rule,
including the Name and Description
(helpful for differentiating between rules or various users). You can also add
Tags, and depending on your management platform,
group rules by tags, add audit comments, and view audit comments.
Source
Enforce traffic based on its origin. In this section, specify the source
zone or source address that defines the incoming source traffic to which the
decryption policy rule will apply. Select or Add a Zone,
Addresses–Source Address, Address Groups, External Dynamic
Lists, Regions, Users–User Groups and Users, or
Devices, including HIP Profiles and Device Profiles.
For more information on zones, see Segment Your Network Using Interfaces and
Zones.
Destination
Enforce traffic based on where it terminates. In this section, specify the
destination zone or destination address of the traffic to which the rule will
apply. You can add Zones and
Addresses–Destination Address, Address Groups, External
Dynamic Lists, Regions, and SaaS Application Endpoints.
Service/URL Category (Services and URLs)
Apply a rule based on service (ports and protocols) and URL categories. In
this section, define Service Entities–Services and
Service Groups and URL Category
Entities–URL Categories, External Dynamic
Lists, and SaaS Application Endpoints.
You can exclude a particular website, a category of websites, or a set of applications from
decryption using a predefined or custom URL category. Services are defined by
the TCP and UDP port numbers the service uses.
Options (Action and Advanced Inspection)
Choose whether to decrypt the traffic that matches a decryption policy rule
and specify the type of decryption you want to enable. In this section,
set the Action (decrypt or no-decrypt) and the decryption Type
(SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). For traffic you choose not to decrypt, you can still
Enforce TLS and Certificate Validation. Outside Strata Cloud Manager you can also
configure decryption log settings here, described under Log Settings.
Attach a decryption profile to block and control certain aspects of the traffic matching the rule;
for example, a decryption profile can perform checks and
verification on sessions, server certificates, and protocol versions.
Log Settings
In NGFW deployments not managed by Strata Cloud Manager, these settings are configured in the Options section
of the rule.
In this section, enable the logging of successful or unsuccessful handshakes and
configure External Log Forwarding. Decryption logs save
locally if an external forwarding option isn't selected. You must also have a
license for the forwarding service. For more information about decryption
logging, see Configure Decryption Logging.
Decryption Policy Rule Considerations
Consider that you can't block traffic that you don't inspect, and you don't want to
block legitimate traffic just because you don't have a well thought out decryption
policy. The traffic you decide to decrypt is as important as the traffic you decide
not to decrypt. Can you identify legitimate reasons to decrypt or not to decrypt
certain traffic? Legitimate reasons for decrypting or not decrypting certain traffic
may include:
- Regulatory compliance requirements
- Privacy concerns
- Performance considerations
- Specific security needs
A Zero Trust perspective advocates inspecting all traffic for malware and other
threats. Various controls let you implement this approach effectively while
respecting the requirements above. An effective decryption strategy:
- Identifies and prioritizes the traffic you want to decrypt. This helps you address resource consumption and decryption efficiency; for example, you can focus on traffic to and from specific users or groups.
- Identifies traffic that you don't want to decrypt, such as that of business executives.
- Recognizes traffic that can't be decrypted for technical reasons, such as a pinned certificate.
Use the Planning a Decryption Deployment chapter and the Decryption Best Practices guide as a
resource when deciding the traffic you want to decrypt and how you go about
decrypting.
- Plan to decrypt as much nonprivate and nonsensitive traffic as your NGFW and Prisma Access resources permit. This reduces the attack surface by exposing and preventing encrypted threats.
- Develop a decryption deployment strategy in collaboration with legal, finance, HR, executives, security, IT, and other stakeholders.
Make Policy Rules As Specific and General As Needed and Order Them Appropriately
Many Palo Alto Networks services rely on decryption and
decryption policy rules. It's important to make sure that these rules are as
specific or general as needed and ordered appropriately.
- Decryption policy rules are evaluated from top to bottom. Place specific rules before more general rules.
- Place rules that exclude traffic from decryption at the top. Rules are compared against traffic in sequence and the first match is applied, so a no-decrypt rule placed below a broader decrypt rule never takes effect for traffic the broader rule already matches.
- For granular control over how the traffic is decrypted, such as invoking checks for server certificates, unsupported modes, and failures, configure a decryption profile and attach it to a decryption policy rule.
Exclude Certain Traffic from Decryption
- Create a no-decrypt decryption policy rule for traffic that you choose not to decrypt because of business, legal, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic.
- For traffic that breaks decryption for technical reasons, such as certificate pinning, add the server to the SSL Decryption Exclusion list instead of writing a policy rule for it.
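The top-to-bottom, first-match evaluation described under Components of a Decryption Policy Rule and in the ordering and exclusion guidance above is easy to get wrong in a long rulebase. The following Python model is an added example written for this page; it is not the firewall's implementation. The rule fields, the `Session` shape, the precedence of the SSL Decryption Exclusion list over policy, and the `shadowed_exclusions` check are modelling assumptions, and the sample rulebase, sessions, and the `pinned.example` host are constructed for illustration. It shows the same no-decrypt rule first placed correctly and then placed below a broad decrypt rule, where it can never match.

```python
"""Added model of decryption-rule evaluation: rules are walked top to bottom
and the first match decides. Written for this page; the field names, the
exclusion-list precedence and the shadow check are modelling assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"  # the "any" selector in a rule criterion

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    user: str
    port: int          # service (Layer 4) port
    url_category: str
    server_name: str   # SNI from the ClientHello; checked against the exclusion list

@dataclass
class Rule:
    name: str
    action: str        # "decrypt" or "no-decrypt"
    src_zones: set = field(default_factory=lambda: {ANY})
    dst_zones: set = field(default_factory=lambda: {ANY})
    src_nets: set = field(default_factory=lambda: {ANY})   # CIDR strings
    users: set = field(default_factory=lambda: {ANY})
    categories: set = field(default_factory=lambda: {ANY})
    ports: set = field(default_factory=lambda: {ANY})
    decryption_type: str = "ssl-forward-proxy"
    profile: Optional[str] = None   # decryption profile attached to the rule

def _hit(value, allowed) -> bool:
    return ANY in allowed or value in allowed

def _net_hit(ip, nets) -> bool:
    return ANY in nets or any(ip_address(ip) in ip_network(n) for n in nets)

def matches(rule: Rule, s: Session) -> bool:
    """True when every criterion of the rule covers the session."""
    return (_hit(s.src_zone, rule.src_zones) and _hit(s.dst_zone, rule.dst_zones)
            and _net_hit(s.src_ip, rule.src_nets) and _hit(s.user, rule.users)
            and _hit(s.url_category, rule.categories) and _hit(s.port, rule.ports))

def evaluate(rulebase: List[Rule], exclusions: set,
             s: Session) -> Tuple[Optional[str], str]:
    """Return (matching rule name, action). Assumption: a server on the SSL
    Decryption Exclusion list is skipped before the rulebase is consulted,
    and a session that matches no rule stays encrypted."""
    if s.server_name in exclusions:
        return ("ssl-decryption-exclusion", "no-decrypt")
    for rule in rulebase:
        if matches(rule, s):
            return (rule.name, rule.action)
    return (None, "no-decrypt")

def _covers(wide, narrow) -> bool:
    return ANY in wide or (ANY not in narrow and narrow <= wide)

def _covers_nets(wide, narrow) -> bool:
    if ANY in wide:
        return True
    if ANY in narrow:
        return False
    return all(any(ip_network(n).subnet_of(ip_network(w)) for w in wide)
               for n in narrow)

def shadowed_exclusions(rulebase: List[Rule]) -> List[str]:
    """Names of no-decrypt rules that can never match because an earlier
    decrypt rule already covers every session they select."""
    shadowed = []
    for i, later in enumerate(rulebase):
        if later.action != "no-decrypt":
            continue
        for earlier in rulebase[:i]:
            if earlier.action == "decrypt" and all([
                _covers(earlier.src_zones, later.src_zones),
                _covers(earlier.dst_zones, later.dst_zones),
                _covers_nets(earlier.src_nets, later.src_nets),
                _covers(earlier.users, later.users),
                _covers(earlier.categories, later.categories),
                _covers(earlier.ports, later.ports)]):
                shadowed.append(later.name)
                break
    return shadowed

# Constructed sample rulebase and sessions (not taken from the page).
NO_DECRYPT_REGULATED = Rule("no-decrypt-regulated", "no-decrypt",
                            src_zones={"trust"}, dst_zones={"untrust"}, src_nets={"10.1.0.0/16"},
                            categories={"financial-services", "health-and-medicine"})
DECRYPT_OUTBOUND = Rule("decrypt-outbound", "decrypt", src_zones={"trust"},
                        dst_zones={"untrust"}, src_nets={"10.0.0.0/8"}, profile="strict-fwd-proxy")
CORRECT_ORDER = [NO_DECRYPT_REGULATED, DECRYPT_OUTBOUND]  # exclusion first
WRONG_ORDER = [DECRYPT_OUTBOUND, NO_DECRYPT_REGULATED]    # exclusion shadowed
EXCLUSIONS = {"pinned.example"}  # hypothetical pinned-certificate host
BANK = Session("trust", "untrust", "10.1.2.3", "alice", 443, "financial-services", "bank.example")
PINNED = Session("trust", "untrust", "10.1.2.3", "alice", 443, "computer-and-internet-info", "pinned.example")

if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, EXCLUSIONS, BANK), shadowed_exclusions(WRONG_ORDER))
```

With `CORRECT_ORDER` the banking session hits `no-decrypt-regulated`; with `WRONG_ORDER` the same session is decrypted by `decrypt-outbound` and `shadowed_exclusions` reports the exclusion rule as unreachable. The pinned host is left alone in both orders because the exclusion list is consulted before policy, which is why the page tells you to use that list rather than a rule for certificate-pinned servers. A shadow check like this is worth running whenever a rule is inserted or reordered.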
Deploy SSL Decryption Using Best Practices provides additional insights.