Network Security
Get Started with SSL Decryption
Follow these steps to create a proof of concept that deploys decryption in a phased, risk-free manner and lets you avoid the edge cases normally seen with decryption.
Where Can I Use This? | What Do I Need?
---|---
 | No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
This topic provides a quick procedure for onboarding SSL decryption, particularly for SSL Forward Proxy use cases. It focuses on deploying decryption in a phased, risk-free manner that lets you avoid the edge cases normally seen with decryption. It does not provide best practices for optimal decryption configuration. Your needs may vary, so treat this procedure as a guide. Review Plan Your Decryption Deployment and the Decryption Best Practices guide before, during, and after creating your proof of concept.
- Configure a “blanket” No Decrypt decryption policy rule with lenient settings. This will help you better understand the websites and apps your users access.
  - Select Any for the following Source, Destination, and Service/URL Category settings: Source User, Source Device, Destination Address, Destination Device, Service, and URL Category.
  - Select Options, and then for Action, select No Decrypt.
  - Under Log Settings, select Log Successful SSL Handshake to view cryptography information in the decryption logs.
  - Attach a decryption profile without any Server Certificate Verification settings selected to the no-decrypt decryption policy rule.
  - Commit your changes.
- Inspect your decryption logs. Search the decryption logs for the following:
  - Usage of vulnerable cryptographic protocols (for example, TLSv1.1 or earlier). To secure your network, set your decryption profile to block vulnerable ciphers.
  - Expired or invalid certificate usage.
  - Any errors or unexpected issues.
  Prioritize the following log fields in your search: Encryption Algorithm, TLS Version, Key Exchange, Error, Server Name Indication, Certificate End Date. Refer to the Troubleshoot Decryption chapter for details on how to search through decryption logs, identify vulnerable ciphers and invalid certificates, and troubleshoot decryption errors. For a list of errors you might encounter in your logs and possible remediation, see Decryption Log Errors and Error Indexes.
- Load or generate a CA certificate on the NGFW, Prisma Access, or management interface. Limit the use of self-signed certificates where possible; instead, use preexisting certificates that client browsers already trust.
- Identify a small group of users (5-10) in your network to test and validate a decryption proof of concept. Ideal users are familiar with the technology and are willing and able to provide feedback, such as members of the IT organization.
- Create your proof of concept.
  - Create decryption profiles using SSL decryption best practices.
    - Block insecure sessions: sessions with expired certificates, untrusted issuers, unsupported versions, and unsupported cipher suites.
    - Block sessions with client authentication unless an important application requires it, in which case you should create a separate decryption profile for those applications.
    - Use the strongest ciphers that you can. For SSL Forward Proxy, set the minimum protocol version to TLSv1.2 and the maximum version to Max to block weak protocols. For SSL Inbound Inspection, create separate profiles that match the ciphers that your servers support.
  - Create a new decryption policy rule.
    - For Source User, add the group of users who are part of the proof of concept.
    - Block access to a small subset of URLs or URL categories, such as categories that Palo Alto Networks has identified as risky. Decrypting a small subset makes the rule easier to phase in.
  - Create specific decryption policy rules and profiles for applications that use less secure ciphers and protocols (for example, TLSv1.1), so that the security of other application traffic isn't affected.
- Launch your proof of concept (PoC). Continuously monitor feedback and issues from your test users. For your first set of 5-10 users, we suggest running the proof of concept for at least two weeks to ensure that any issues from normal network traffic arise.
- Expand your proof of concept to a larger group (100+ users). Make sure it is a diverse group; the network traffic of these users should be representative of that of the organization at large. We suggest running this for 2-4 weeks to surface any issues. You may need to account for applications used for recurring periodic events (for example, quarterly meetings).
- Refine your decryption policy rules as necessary.
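The phased approach above rests on one idea: log handshakes under the no-decrypt rule first, then work out which sessions a strict best-practice profile (minimum TLSv1.2, block expired certificates, untrusted issuers, client authentication and unsupported cipher suites) would break, and scope exceptions per application before you turn decryption on. The following script is an added example of that triage step; it is not Palo Alto Networks code, and the CSV column names (`time`, `sni`, `tls_version`, `key_exchange`, `encryption_algorithm`, `cert_end_date`, `issuer_trusted`, `client_auth`, `error`) are an assumed layout standing in for the log fields the page names, with the log lines themselves constructed sample data. It groups findings by Server Name Indication so the output maps directly onto the "separate rule and profile per legacy application" step.

```python
"""Triage of no-decrypt handshake logs for a decryption proof of concept.

Added example, not vendor code. The CSV layout is an assumption for
illustration; a real decryption log export will use its own field names.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (assumed columns; values are made up).
SAMPLE_LOG = """\
time,sni,tls_version,key_exchange,encryption_algorithm,cert_end_date,issuer_trusted,client_auth,error
2024-05-01T09:00:00Z,www.example.com,TLSv1.3,X25519,AES-256-GCM,2025-01-01,yes,no,
2024-05-01T09:00:05Z,legacy.example.net,TLSv1.1,RSA,AES-128-CBC,2024-12-31,yes,no,
2024-05-01T09:00:09Z,intranet.example.org,TLSv1.2,ECDHE,AES-128-GCM,2024-04-01,no,no,
2024-05-01T09:00:12Z,vpn.example.com,TLSv1.2,ECDHE,AES-256-GCM,2025-06-30,yes,yes,
2024-05-01T09:00:20Z,payments.example.com,TLSv1.2,ECDHE,AES-256-GCM,2025-06-30,yes,no,Unsupported cipher suite
"""

# Ordering of protocol versions so "older than the minimum" is a simple compare.
TLS_ORDER = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_VERSION = "TLSv1.2"  # forward-proxy minimum recommended in the procedure


def parse_log(text):
    """Parse a CSV export into a list of row dicts (one per logged handshake)."""
    return list(csv.DictReader(io.StringIO(text)))


def findings(row):
    """Return the reasons a best-practice decryption profile would block this session.

    An empty list means the session would pass unchanged once decryption is enabled.
    """
    reasons = []
    # Unknown version strings are treated as weaker than the minimum, on purpose.
    if TLS_ORDER.get(row["tls_version"], -1) < TLS_ORDER[MIN_VERSION]:
        reasons.append("unsupported-version")
    seen = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
    cert_end = datetime.fromisoformat(row["cert_end_date"]).replace(tzinfo=timezone.utc)
    if cert_end < seen:  # certificate had already expired when the handshake was logged
        reasons.append("expired-certificate")
    if row["issuer_trusted"].strip().lower() != "yes":
        reasons.append("untrusted-issuer")
    if row["client_auth"].strip().lower() == "yes":
        reasons.append("client-authentication")
    if row["error"].strip():  # carry the logged error text through for the report
        reasons.append("error:" + row["error"].strip())
    return reasons


def triage(text):
    """Group blocking reasons by SNI so exceptions can be scoped per application."""
    by_sni = defaultdict(list)
    for row in parse_log(text):
        for reason in findings(row):
            by_sni[row["sni"]].append(reason)
    return dict(by_sni)


if __name__ == "__main__":
    for sni, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{sni}: {', '.join(reasons)}")
```

Sessions absent from the report (here `www.example.com`) are safe to decrypt with the strict profile; each SNI that does appear is a candidate for either remediation (renew the certificate, fix the chain) or a narrowly scoped rule with its own profile, which keeps the lenient settings from leaking into the rest of the traffic.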