Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)
Focus
Focus
Network Security

Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)

Table of Contents


Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)

  1. Create a new decryption profile.
    Select ObjectsDecryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
  2. (Optional) Allow the profile rule to be Shared across every virtual system on an NGFW or every Panorama device group.
  3. (Decryption Mirroring Only) Enable an Ethernet Interface to use to copy and forward decrypted traffic.
    Separate from this task, follow the steps to configure Decryption Port Mirroring. Be aware of local privacy regulations that prohibit mirroring or control the type of traffic that you can mirror. Decryption Port Mirroring requires a Decryption Port Mirroring license.
  4. (Optional) Block and control SSL tunneled or inbound traffic:
    Select SSL Decryption:
    • Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule configured to perform SSL Forward Proxy decryption.
    • Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that performs SSL Inbound Inspection.
    • Select SSL Protocol Settings to configure the settings that control minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce on decrypted SSL traffic. These settings are active when this profile is attached to decryption policy rules that control SSL Forward Proxy or SSL Inbound Inspection.
    If a NGFW is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to 3DES and RC4 encryption algorithms and the MD5 authentication algorithm, which are not supported on NGFWs and cause pushes to the managed NGFW to fail.
  5. (Optional) Block and control traffic (for example, a URL category) for which you choose to create a policy-based decryption exclusion.
    These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
    Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, add the server to the SSL Decryption Exclusion list(DeviceCertificate ManagementSSL Decryption Exclusion) instead.
    1. Select No Decryption to configure a decryption profile of no-decryption type.
    2. Select Block sessions with expired certificates and Block sessions with untrusted issuers to validate certificates for traffic excluded from decryption.
  6. (Optional) Block and control decrypted SSH traffic.
    Select SSH Proxy to configure an SSH Proxy profile, and configure settings to enforce supported protocol versions and to block sessions if system resources are not available to perform decryption.
    These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
  7. To enforce decryption profile settings, apply the profile to a decryption policy rule.
  8. Commit your configuration.