Network Security
Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)
- Create a new decryption profile.Select ObjectsDecryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
- (Optional) Allow the profile rule to be Shared across every virtual system on an NGFW or every Panorama device group.
- (Decryption Mirroring Only) Enable an Ethernet Interface to use to copy and forward decrypted traffic.Separate from this task, follow the steps to configure Decryption Port Mirroring. Be aware of local privacy regulations that prohibit mirroring or control the type of traffic that you can mirror. Decryption Port Mirroring requires a Decryption Port Mirroring license.
- (Optional) Block and control SSL tunneled or inbound traffic:Select SSL Decryption:
- Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule configured to perform SSL Forward Proxy decryption.
- Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that performs SSL Inbound Inspection.
- Select SSL Protocol Settings to configure the settings that control minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce on decrypted SSL traffic. These settings are active when this profile is attached to decryption policy rules that control SSL Forward Proxy or SSL Inbound Inspection.
If a NGFW is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to 3DES and RC4 encryption algorithms and the MD5 authentication algorithm, which are not supported on NGFWs and cause pushes to the managed NGFW to fail. - (Optional) Block and control traffic (for example, a URL category) for which you choose to create a policy-based decryption exclusion.These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, add the server to the SSL Decryption Exclusion list(DeviceCertificate ManagementSSL Decryption Exclusion) instead.
- Select No Decryption to configure a decryption profile of no-decryption type.
- Select Block sessions with expired certificates and Block sessions with untrusted issuers to validate certificates for traffic excluded from decryption.
- (Optional) Block and control decrypted SSH traffic.Select SSH Proxy to configure an SSH Proxy profile, and configure settings to enforce supported protocol versions and to block sessions if system resources are not available to perform decryption.These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
- To enforce decryption profile settings, apply the profile to a decryption policy rule.
- Commit your configuration.