Network Security
Define Traffic to Decrypt (Strata Cloud Manager)
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Define Traffic to Decrypt (Strata Cloud Manager)
- Log in to Strata Cloud Manager.
- Add a new decryption policy rule.
- Select Manage Configuration NGFW and Prisma Access Security Services Decryption.
- In the Decryption Policies section, click Add Rule.
- Provide basic information to identify the rule.
- Enter a descriptive Name.
- (Optional) Enter a Description of the rule.
- (Optional) Select a Position.
- (Optional) Select Tags.
- Specify match criteria based on network and policy objects.A rule only applies to traffic that matches all specified criteria.
- Configure the following Source and Destination settings to enforce traffic based on its origin or where it terminates:
- Zones—Click Add Zones, then select existing Zones (for example, Internet), or click the down arrow and select Any Zone. You can also create a zone.
- Addresses—Click Add Addresses, then select existing Addresses, or click the down arrow and select Any Address. You can also add Address Groups, External Dynamic Lists, and Regions, or (Destination section) SaaS Application Endpoints.To exclude Address objects from decryption:
- Specify at least one address, address group, external dynamic list, or region.
- Select Exclude (Negate).
- Users—Click Add User Groups or Add Users, then select existing user groups or local users, or click Add Local User Groups or Add Local Users to create new user groups or users.You can also decrypt traffic for Any User or certain types of users: Match pre-logon (users who are connected to GlobalProtect but are not yet logged in), Match known-user, or Match unknown.
- Devices—Click Add Device Profiles or (Source section) Add HIP Profiles, then select existing profiles or in the case of HIP Profiles, create a Host Information profile. You can also select Any or Match no-hip.
- Configure Services and URLs settings to match traffic based on service (port and protocols) or URL categories:
- Service Entities—Click Add Services or Add Service Groups, then either select existing services or service groups or click Create New to create a new entity.By default, decryption policy rules decrypt any traffic on TCP and UDP ports. However, you can click the down arrow and select Any Service, if necessary. To match applications on the default application ports, click the down arrow and select application-default.The application-default setting can be useful when you create a policy-based decryption exclusion. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications if they are detected on nonstandard ports.
- URL Category Entities—Click Add URL Categories, then select existing URL categories or click Create New. To apply the rule to any URL category, click the down arrow and select Any URL Category. You can also Add External Dynamic Lists and SaaS Application Endpoints. To create a new external dynamic list while configuring the rule, click Create New.
- Specify how traffic that matches the rule is handled.
- In the Action and Advanced Inspection section, for Action, select either Decrypt or Do Not Decrypt.If you selected Decrypt, select a decryption Type:
- SSL Inbound Inspection. Then, Add one or more Certificates for the internal server you want to protect. Decryption policy rules for SSL Inbound Inspection support a maximum of 12 certificates.You can decrypt SSL/TLS traffic bound for an internal server that hosts multiple domains, each domain with its own certificate. The NGFW negotiates SSL/TLS connections using the certificate in your policy rule that matches the one the server presents for the requested URL.To update certificates for protected internal servers without incurring downtime, renew or obtain a new server certificate before it expires or otherwise becomes invalid. Then, import the certificate and private key onto your NGFW or Strata Cloud Manager, add it to an SSL Inbound Inspection policy rule before installing the same certificate onto your web server. Updating your policy rule with a new certificate while another is active on your web server prepares the NGFW to decrypt traffic to the server regardless of the certificate in use. Configure SSL Inbound Inspection describes this process further.
- (Optional) Enforce TLS and Certificate Validation.
- (Optional) Apply a decryption profile to block and control various aspects of traffic governed by the decryption policy rule.Although optional, always apply a decryption profile to decryption policy rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.For SSL decryption, you can define the TLS protocol versions, key exchange algorithms, encryption algorithms, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection connections. You can also block sessions with weak protocol versions, expired certificates, and other options.The profile settings the NGFW applies to matching traffic depends on the policy rule action (Decrypt or Do Not Decrypt) and decryption type (SSL Forward Proxy and SSL Inbound Inspection). This allows you to use the different decryption profiles with different types of decryption policy rules that apply to different types of traffic and users.
- Create or modify a decryption profile if you haven't already.
- Under Action and Advanced Inspection, select a Decryption Profile.
- Configure decryption logging.You can log successful and unsuccessful TLS handshakes and configure external log forwarding.
- Save the decryption policy rule.
- Click Push Config to begin enforcing the rule.
- Test your decryption configuration, and make any necessary adjustments based on your findings.
- Choose your next step:
- Configure SSL Forward Proxy.
- Configure SSL Inbound Inspection.
- Create policy-based decryption exclusions for traffic you choose not to decrypt.
- Add sites that break decryption for technical reasons such as pinned certificates or mutual authentication to the SSL decryption exclusion list.