Plan Your Decryption Deployment

Proper preparation makes deploying decryption easier and smoother because everyone from IT to executives to the user base is educated and ready for the changes.
Where Can I Use This?
What Do I Need?
No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
The most time-consuming part of deploying decryption isn’t configuring decryption policy rules or decryption profiles. It is the preparation—working with stakeholders to decide what traffic to decrypt, educating users about changes to website access, developing a public key infrastructure (PKI) strategy, sizing your Next-Generation Firewall (NGFW) deployment, and planning each phase of the decryption rollout.
Start by setting clear goals for your decryption deployment. You can evaluate each planning and implementation phase against these goals. Ensure coordination between the teams involved in implementation and affected users. Review the Decryption Planning Best Practices checklist, and integrate best practices as much as you can. The best practice goal is to decrypt as much traffic as your NGFW resources permit, prioritizing the most important traffic. In industries like healthcare or finance, this goal should take into account regulatory requirements.
Migrate from port-based to application-based Security policy rules before creating and deploying decryption policy rules. If you create decryption policy rules based on port-based Security policy rules and then migrate to application-based Security policy rules, the change could cause the decryption policy rules to block traffic that you intend to allow because Security policy rules are likely to use application default ports to prevent application traffic from using nonstandard ports.
For example, traffic identified as web-browsing (default port 80) may have underlying applications with different default ports, such as HTTPS traffic (default port 443). The application-default rule blocks the HTTPS traffic because the decrypted traffic uses a nonstandard port (443 instead of 80). Migrating to App-ID-based policy rules before deploying decryption means that during proof of concept testing you’ll discover Security policy rule misconfigurations, and you can fix these issues before rolling decryption out to the general user population.
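As an added illustration of the ordering problem above (constructed for this page; it is not Palo Alto Networks code and does not reproduce how PAN-OS actually evaluates policy), the following model compares a port-based rulebase with its App-ID migration and reports which sessions would stop matching once decryption reveals the inner application. The rule names, the session list and the default-port table beyond web-browsing/80 and HTTPS/443 are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union

# Assumed App-ID default ports; only web-browsing (80) and HTTPS (443) come from the page.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}}


@dataclass
class Rule:
    name: str
    apps: Set[str]                   # {"any"} or specific App-IDs
    service: Union[str, Set[int]]    # "application-default" or explicit ports
    action: str = "allow"


@dataclass
class Session:
    outer_app: str                   # App-ID seen without decryption
    port: int
    inner_app: Optional[str] = None  # App-ID revealed only once decrypted


def visible_app(s: Session, decrypted: bool) -> str:
    return s.inner_app if decrypted and s.inner_app else s.outer_app


def rule_matches(rule: Rule, s: Session, decrypted: bool) -> bool:
    app = visible_app(s, decrypted)
    if "any" not in rule.apps and app not in rule.apps:
        return False
    if rule.service == "application-default":
        # application-default only permits an app on its own standard port(s)
        return s.port in APP_DEFAULT_PORTS.get(app, set())
    return s.port in rule.service


def evaluate(rules: List[Rule], s: Session, decrypted: bool) -> str:
    """First match wins, as in a firewall rulebase; no match falls to deny."""
    for rule in rules:
        if rule_matches(rule, s, decrypted):
            return rule.action
    return "deny"


def decryption_impact(rules: List[Rule], sessions: List[Session]):
    """Sessions allowed today that would be denied once decryption exposes the inner app."""
    return [(s.inner_app, s.port) for s in sessions
            if evaluate(rules, s, False) == "allow" and evaluate(rules, s, True) != "allow"]


# Constructed sample: a port-based rulebase, its App-ID migration, and a decrypted HTTPS session.
PORT_BASED = [Rule("allow-web-ports", {"any"}, {80, 443})]
APP_BASED = [Rule("allow-web-apps", {"web-browsing", "ssl"}, "application-default")]
SESSIONS = [Session("web-browsing", 80), Session("ssl", 443, inner_app="web-browsing")]

if __name__ == "__main__":
    print("port-based:", decryption_impact(PORT_BASED, SESSIONS))  # []
    print("app-based: ", decryption_impact(APP_BASED, SESSIONS))   # [('web-browsing', 443)]
```

Running the check against the App-ID rulebase before decryption goes live surfaces the web-browsing-over-443 case during proof of concept rather than after rollout.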
To plan and implement a decryption deployment that minimizes risks, maximizes security benefits, and accounts for business and legal requirements:
  • Develop a decryption strategy. Define clear objectives and what a successful deployment looks like. Collaborate with stakeholders from legal, finance, HR, security, and IT teams. Identify the traffic you want to prioritize for decryption. Consider traffic you may need to exclude from decryption for technical, legal, or other reasons. Consider if you need to create separate decryption policy rules or decryption profiles to handle traffic to and from various user groups, devices, or applications.
  • Plan your PKI rollout. Proper certificate management and handling of user traffic is critical in the decryption planning process. Consider which certificates you need and how to generate them. Will you use an enterprise CA or a self-signed root CA certificate? Think about edge cases, such as guest users or personal devices on your network. Ensure network devices have valid certificates.
  • Size your NGFW to account for current and future needs. Decryption can be resource-intensive. The amount of decryption an NGFW can support depends on various factors, including volume of SSL traffic, TLS versions, cipher suites, and authentication methods. Work with Palo Alto Networks representatives to properly size deployments to meet your requirements. Make sure your NGFW deployment can meet performance expectations when decrypting traffic in production.
  • Deploy decryption in phases. Plan each phase, including the education of stakeholders and proofs of concept. Evaluate user experiences, generate decryption reports, and verify effectiveness at each stage. Refine decryption policy rules and profiles as needed.
    If enabling SSL/TLS decryption, use the Get Started with SSL Decryption resource as a guide for an initial deployment. This topic includes steps for:
    • creating a no-decryption policy rule to understand the websites and applications end users access
    • creating a low-risk proof of concept
    • using decryption logs to identify and mitigate issues
    Familiarize yourself with SSL decryption and use the insights from each step to turn a proof of concept into a deployment aligned with business and other considerations.