Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)
  1. Create a decryption profile.
    1. Select Configuration > Security Services > Decryption.
    2. Under Decryption Profiles, click Add Profile.
    3. Enter a descriptive Name for the profile.
      Names are case-sensitive and must be unique. You can use up to 31 characters, including letters, numbers, spaces, hyphens, and underscores.
    4. (Optional, Decryption Mirroring only) Enable mirroring of decrypted traffic.
      Before enabling this feature, you must configure Decryption Port Mirroring.
      1. Select an Ethernet Interface for mirroring decrypted traffic.
      2. To mirror decrypted traffic only after Security policy rule enforcement, enable Forwarded Only.
        When enabled, the NGFW mirrors traffic after the Security policy rule lookup and just before re-encryption. If a Security policy rule drops the traffic, the NGFW does not mirror it. Enable this setting if you forward traffic to a threat detection device, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
  2. (Optional) Define TLS Handshake Settings for SSL Forward Proxy and SSL Inbound Inspection.
    1. For Protocol Min Version, select from SSLv3.0 and TLSv1.0 through TLSv1.3.
      Set the Protocol Min Version to TLSv1.3.
    2. For Protocol Max Version, select from SSLv3.0, TLSv1.0 through TLSv1.3, and Max.
      Set the Protocol Max Version to Max to automatically support the newest TLS version.
    3. Configure Key Exchange Algorithms.
      By default, RSA, DHE, and ECDHE are enabled.
      You can enable post-quantum cryptography (PQC) algorithms for TLSv1.3 sessions. You must enable TLSv1.3 in the Handshake Settings.
      • To configure traditional key exchange algorithms (RSA, DHE, and ECDHE), select Classical, and then enable or disable algorithms as needed.
        If you enable PQC algorithms and a client or server does not support PQC, the NGFW negotiates a mutually supported classical algorithm.
      • To configure post-quantum (PQ) key encapsulation mechanisms (KEM) for TLSv1.3 sessions:
        1. Select Post-Quantum Cryptography (PQC), and then select PQC algorithm types:
          • PQC Standard—Enables the NIST-standardized algorithm, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
          • PQC Experimental—Enables nonstandardized algorithms, HQC, BIKE, and FrodoKEM
        2. For Preferred Session Settings, select the proxy sessions that prioritize PQC:
          The NGFW negotiates a PQ KEM for the selected sessions when possible. The NGFW translates between PQC and classical encryption, so it can secure one proxy session with PQC even if the other side only supports classical algorithms.
          • Post-Quantum SSL preferred for Client-side session—The firewall (acting as a server) negotiates PQC algorithms if included in the client's cipher suite list
          • Post-Quantum SSL preferred for Server-side session—The firewall (acting as a client) places PQC algorithms first in its cipher suite list
    4. Configure Encryption Algorithms.
      Enable or disable algorithms as needed.
    5. Configure Authentication Algorithms.
      By default, MD5 is blocked.
      Enable or disable algorithms as needed.
  3. (Optional) Define session controls for SSL Forward Proxy.
    To configure the Failure Checks and Client Extensions settings and additional Server Certificate Verification and Unsupported Mode Checks settings, click Advanced. An Advanced SSL Forward Proxy Settings sidebar displays.
    1. For Server Certificate Verification, enable Block sessions with expired certificates or Block sessions with untrusted issuers.
      You can configure the following Advanced settings:
      • Block sessions with unknown certificate status
      • Block sessions on certificate status check timeout
      • Restrict certificate extensions
      • Append certificate's CN value to SAN extension
      • Automatically Fetch Intermediate Certificates
    2. For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
      You can configure the Advanced setting: Block sessions with client authentication.
    3. For Bypass Checks, enable Bypass Server Certificate Verification.
      If you enable Bypass Server Certificate Verification, the NGFW does not perform any other server certificate checks.
    4. (Optional) To configure Failure Checks and Client Extension settings:
      1. Select Advanced.
      2. (Optional) For Failure Checks, enable Block downgrade on no resource.
      3. (Optional) For Client Extension, enable Strip ALPN.
      4. Save the Advanced SSL Forward Proxy Settings.
  4. (Optional) Define session controls for SSL Inbound Inspection.
    1. For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
    2. For Failure Checks, enable Block sessions if resources not available or Block sessions if HSM not available.
  5. (Optional) Define session controls for traffic you do not decrypt.
    For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
    Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and nontechnical reasons. If a server breaks decryption for technical reasons, add it to the Global Decryption Exclusion list instead.
  6. Save the profile.
  7. Apply the profile to the appropriate decryption policy rules.
  8. Commit your changes.
    Click Push Config > Push.
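The procedure above configures the profile through the Strata Cloud Manager interface; what the settings actually do only becomes visible once a session is evaluated against them. The following is an added example, not Palo Alto Networks code and not the NGFW's implementation: a simplified Python model of how the Protocol Min/Max Version, Key Exchange/Encryption/Authentication Algorithm, Server Certificate Verification, and Unsupported Mode Checks settings combine to block or allow a server-side session. The `DecryptionProfile` and `TlsSession` field names, the default algorithm sets, and the two sample sessions are all constructed for the example. It shows in particular that Bypass Server Certificate Verification switches off every other certificate check, and that a setting blocks nothing until its Block option is enabled.

```python
"""Simplified model of how a decryption profile's TLS handshake settings and
Server Certificate Verification / Unsupported Mode checks decide whether a
session is blocked.

Added illustration: this is not Palo Alto Networks code and does not mirror
the NGFW's implementation. Field names, defaults and the sample sessions
are constructed for the example.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone

# Ordering used for Protocol Min Version / Protocol Max Version comparisons.
TLS_VERSIONS = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MAX = "Max"  # "Max" tracks the newest version in TLS_VERSIONS


def _rank(version: str) -> int:
    """Position of a version in the ordering; Max maps to the newest entry."""
    return len(TLS_VERSIONS) - 1 if version == MAX else TLS_VERSIONS.index(version)


@dataclass
class DecryptionProfile:
    # TLS Handshake Settings (assumed defaults for the example)
    protocol_min_version: str = "TLSv1.2"
    protocol_max_version: str = MAX
    key_exchange: set = field(default_factory=lambda: {"RSA", "DHE", "ECDHE"})
    encryption: set = field(default_factory=lambda: {"AES128-GCM", "AES256-GCM", "CHACHA20-POLY1305"})
    authentication: set = field(default_factory=lambda: {"SHA256", "SHA384"})  # MD5 left out
    # Server Certificate Verification
    block_expired_certificates: bool = False
    block_untrusted_issuers: bool = False
    block_unknown_certificate_status: bool = False
    block_on_status_check_timeout: bool = False
    bypass_server_certificate_verification: bool = False
    # Unsupported Mode Checks
    block_unsupported_versions: bool = False
    block_unsupported_cipher_suites: bool = False


@dataclass
class TlsSession:
    """What the NGFW learns from the server-side handshake (constructed)."""
    version: str
    key_exchange: str
    encryption: str
    authentication: str
    cert_not_after: datetime
    issuer_trusted: bool
    cert_status: str  # "good", "revoked", "unknown" or "timeout"


def evaluate(profile: DecryptionProfile, session: TlsSession, now: datetime) -> list:
    """Return the list of reasons the profile blocks the session (empty = allowed)."""
    reasons = []

    # Unsupported Mode Checks: a version outside [min, max] or a cipher component
    # the profile disabled only blocks the session when the matching check is enabled.
    in_range = _rank(profile.protocol_min_version) <= _rank(session.version) <= _rank(profile.protocol_max_version)
    if not in_range and profile.block_unsupported_versions:
        reasons.append(f"unsupported protocol version {session.version}")

    suite_ok = (session.key_exchange in profile.key_exchange
                and session.encryption in profile.encryption
                and session.authentication in profile.authentication)
    if not suite_ok and profile.block_unsupported_cipher_suites:
        reasons.append(f"unsupported cipher suite {session.key_exchange}/{session.encryption}/{session.authentication}")

    # Server Certificate Verification: Bypass Server Certificate Verification
    # switches off every other certificate check, so it short-circuits here.
    if profile.bypass_server_certificate_verification:
        return reasons
    if profile.block_expired_certificates and session.cert_not_after < now:
        reasons.append("expired certificate")
    if profile.block_untrusted_issuers and not session.issuer_trusted:
        reasons.append("untrusted issuer")
    if profile.block_unknown_certificate_status and session.cert_status == "unknown":
        reasons.append("unknown certificate status")
    if profile.block_on_status_check_timeout and session.cert_status == "timeout":
        reasons.append("certificate status check timed out")
    return reasons


# Constructed inputs for the walkthrough.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

STRICT_PROFILE = DecryptionProfile(
    block_expired_certificates=True,
    block_untrusted_issuers=True,
    block_unknown_certificate_status=True,
    block_unsupported_versions=True,
    block_unsupported_cipher_suites=True,
)
BYPASS_PROFILE = replace(STRICT_PROFILE, bypass_server_certificate_verification=True)

MODERN = TlsSession("TLSv1.3", "ECDHE", "AES256-GCM", "SHA384",
                    datetime(2026, 1, 1, tzinfo=timezone.utc), True, "good")
LEGACY = TlsSession("TLSv1.0", "RSA", "3DES-CBC", "MD5",
                    datetime(2024, 6, 1, tzinfo=timezone.utc), False, "unknown")


def run_examples() -> dict:
    """Evaluate the sample sessions against the strict, bypass and default profiles."""
    return {
        "modern/strict": evaluate(STRICT_PROFILE, MODERN, NOW),
        "legacy/strict": evaluate(STRICT_PROFILE, LEGACY, NOW),
        "legacy/bypass": evaluate(BYPASS_PROFILE, LEGACY, NOW),
        "legacy/default": evaluate(DecryptionProfile(), LEGACY, NOW),
    }


if __name__ == "__main__":
    for name, reasons in run_examples().items():
        print(f"{name}: {'allowed' if not reasons else 'blocked: ' + '; '.join(reasons)}")
```

Running the script shows the modern session allowed under the strict profile, the legacy session blocked for five reasons, the same legacy session blocked only for its protocol version and cipher suite once Bypass Server Certificate Verification is set, and the legacy session allowed outright under a profile whose Block options are all left disabled. The last case is the one worth remembering when reviewing a profile: the algorithm and version selections alone describe what the NGFW supports, and it is the Block settings that turn an unsupported or untrustworthy session into a dropped one.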