Network Security
Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)
- Create a decryption profile. Select Manage > Configuration > Security Services > Decryption. Under Decryption Profiles, click Add Profile.
- Enter a descriptive Name for the profile.
- Configure Handshake Settings.
  - Select a Protocol Min Version: SSLv3.0, TLSv1.0 through TLSv1.3.
  - Select a Protocol Max Version: SSLv3.0, TLSv1.0 through TLSv1.3, and Max.
  - Add or Remove Key Exchange Algorithms. To remove an algorithm, select the algorithm and then click Remove.
  - Add or Remove Encryption Algorithms.
  - Add or Remove Authentication Algorithms.
- (Optional) Configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL Forward Proxy traffic.
  If the NGFW is in FIPS-CC mode and is managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to the 3DES and RC4 encryption algorithms and the MD5 authentication algorithm, which are not supported in FIPS-CC mode and cause pushes to the managed NGFW to fail.
  - For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuer.
  - For Unsupported Mode Checks, select Block sessions with unsupported version or Block sessions with unsupported cipher suite.
  - To configure Advanced SSL Forward Proxy Settings, select Advanced.
    - For Server Certificate Verification, you can Block sessions with unknown certificate status, Block sessions on certificate status check timeout, Restrict certificate extensions, or Append certificate's CN value to SAN extension.
    - For Unsupported Mode Checks, you can Block sessions with client authentication.
    - For Failure Checks, you can Block downgrade on no resource.
    - For Client Extension, you can Strip ALPN.
  - Save the settings.
- (Optional) Configure Unsupported Mode and Failure Checks for SSL Inbound Inspection.
  - For Unsupported Mode Checks, select Block sessions with unsupported version or Block sessions with unsupported cipher suite.
  - For Failure Checks, select Block sessions if resources not available or Block sessions if HSM not available.
- (Optional) Configure Server Certificate Verification settings for traffic that you choose not to decrypt.
  These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic. Select Block sessions with expired certificates or Block sessions with untrusted issuers to validate certificates for traffic excluded from decryption. Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, add the server to the Global Decryption Exclusion list instead.
- Save the profile.
- Push Config.
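As an added example (not Palo Alto Networks code), the following Python script reviews a saved decryption profile against the choices this procedure walks through: it flags a minimum protocol version below TLSv1.2, a min/max version pair that is inverted, the 3DES, RC4 and MD5 references that make a push to a FIPS-CC mode NGFW fail, and any of the four SSL Forward Proxy checks left disabled. The dict layout, field names and sample profile are constructed stand-ins, not the Strata Cloud Manager API schema.

```python
# Added example, not Palo Alto Networks code: lint a decryption profile's
# handshake settings and SSL Forward Proxy checks against the options this
# procedure offers. The dict layout is a constructed stand-in, not the
# Strata Cloud Manager API schema.

TLS_ORDER = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3", "Max"]
# A Panorama standard-mode profile may reference these, but a FIPS-CC mode
# NGFW rejects them, so the push fails (see the note in the procedure).
FIPS_CC_UNSUPPORTED = {"3DES", "RC4", "MD5"}
# Forward Proxy checks the procedure offers; each is flagged when left off.
RECOMMENDED_CHECKS = ["block_expired_certificates", "block_untrusted_issuer",
                      "block_unsupported_version", "block_unsupported_cipher_suite"]

def review_profile(profile: dict, fips_cc: bool = False) -> list[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    hs = profile["handshake"]
    lo, hi = TLS_ORDER.index(hs["min_version"]), TLS_ORDER.index(hs["max_version"])
    if lo > hi:
        findings.append("min version is above max version")
    if lo < TLS_ORDER.index("TLSv1.2"):
        findings.append(f"min version {hs['min_version']} allows deprecated TLS")
    algos = set(hs["key_exchange"]) | set(hs["encryption"]) | set(hs["authentication"])
    weak = sorted(algos & FIPS_CC_UNSUPPORTED)
    if weak and fips_cc:
        findings.append(f"profile references {weak}, unsupported on a FIPS-CC NGFW")
    elif weak:
        findings.append(f"profile allows legacy algorithms {weak}")
    for check in RECOMMENDED_CHECKS:
        if not profile["forward_proxy"].get(check, False):
            findings.append(f"forward proxy check {check} is disabled")
    return findings

# Constructed sample: a profile as first saved, before it is tightened.
SAMPLE_PROFILE = {
    "handshake": {"min_version": "TLSv1.0", "max_version": "Max",
                  "key_exchange": ["RSA", "ECDHE"],
                  "encryption": ["AES256-GCM", "3DES"],
                  "authentication": ["SHA256", "MD5"]},
    "forward_proxy": {"block_expired_certificates": True,
                      "block_untrusted_issuer": False,
                      "block_unsupported_version": True,
                      "block_unsupported_cipher_suite": False},
}

if __name__ == "__main__":
    for line in review_profile(SAMPLE_PROFILE, fips_cc=True):
        print("-", line)
```

Run it against an export of your own profile before the Push Config step; an empty findings list means the profile matches the blocking options the procedure recommends.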