Decryption Profiles
Focus
Focus
Network Security

Decryption Profiles

Table of Contents

Decryption Profiles

Decryption profiles control SSL/TLS and SSH connection settings, such as protocol versions, server certificate, and other checks for traffic matching decryption rules.
Where Can I Use This?What Do I Need?
  • NGFW
  • Prisma Access
No requirements.
Decryption profiles enable you to perform certificate verification checks, session mode checks, failure checks, and protocol and algorithm checks on SSL/TLS and SSH traffic that you decrypt or exclude from decryption. These checks prevent risky connections, such as sessions with certificate issues, weak protocols, or weak algorithms. The NGFW enforces the profile settings on traffic matching the conditions of a decryption policy rule. After you create a decryption profile, associate it with a decryption policy rule to activate the profile settings.
You can create decryption profiles to:
  • Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic
  • Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions
  • Block sessions with unsupported versions or cipher suites or that require using client authentication
  • Block sessions if the resources to perform decryption are not available or if a hardware security module (HSM) is not available to sign certificates
The settings available in a profile differ based on the type of profile you create. For example, some unsupported mode check settings are not available in different profiles.
You can create distinct decryption profiles for SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy. You can even associate
no-decryption profiles
with no-decryption policy rules controlling traffic that you choose not to decrypt because the traffic is personal, sensitive, or subject to local laws and regulations. For example, you might not decrypt the traffic of certain executives or traffic between finance users and finance servers that contain personal information.
Avoid excluding traffic that breaks decryption for technical reasons such as a pinned certificate or mutual authentication by policy. Instead, add the hostname to the Decryption Exclusion List.
  • Apply a
    no-decryption profile
    to decryption policy rules for undecrypted traffic to block sessions with expired certificates and untrusted issuers.
  • Enable the tighter decryption controls described in the following sections:
    Decryption Profile: SSL Decryption
    ,
    Decryption Profile: No Decryption
    , and
    Decryption Profile: SSH Proxy
    .
You can also use the default decryption profile, which enforces the basic recommended protocol versions and cipher suites for decrypted traffic.
If you must allow any categories that we suggest you block for business reasons, decrypt them and apply strict security profiles to the traffic.
Don’t weaken the main decryption profile that you apply to most sites to accommodate weaker sites. Instead, create one or more separate decryption profiles for sites that you need to support but that don’t support strong ciphers and algorithms. You can also create different decryption profiles for different URL categories to fine-tune security versus performance for traffic that contains no sensitive material; however, you should always decrypt and inspect all the traffic you can.

Summary of Decryption Profile Settings

The settings available in a profile differ based on the type of profile you create. For example, some unsupported mode check settings are not available in different profiles.
    Expand all
    Collapse all
  • Unsupported mode checks Blocking these sessions protects you from servers that use weak, risky protocol versions and algorithms. If you don’t block sessions with unsupported modes, users receive a warning message if they connect with potentially unsafe servers. They can click through the warning to access the potentially dangerous site.
    Expand all
    Collapse all
  • Failure Checks
    Expand all
    Collapse all
  • Server Certificate Verification
The following table lists the profile types and the settings that they apply to.

Profile Settings and Profile Types Matrix

SettingsProfile Types
SSL Forward ProxySSL Inbound InspectionSSH ProxyNo Decryption
Server Certificate VerificationBlock sessions with expired certificatesYesNoNoYes
Block sessions with untrusted issuersYesNoNoYes
Block sessions with unknown certificate statusYesNoNoNo
Block sessions on SNI mismatch with Server Certificate (SAN/CN) YesNoNoNo
Block sessions on certificate status check timeoutYesNoNoNo
Restrict certificate extensionsYesNoNoNo
Append certificate’s CN value to SAN extensionYesNoNoNo
Unsupported Mode ChecksBlock sessions with unsupported versionsYesYesYesNo
Block sessions with unsupported cipher suitesYesYesYesNo
Block sessions with unsupported algorithmsNoNoYesNo
Block sessions with client authenticationYesNoNoNo
Failure ChecksBlock sessions if resources not availableYesYesYesNo
Block sessions if HSM not availableYesYesNoNo
Block downgrade on no resourceYesYesNoNo
Block sessions on SSH errorsNoNoYesNo

Decryption Profile: SSL Decryption

The SSL Decryption tab manages profiles for SSL Forward Proxy and SSL Inbound Inspection and the SSL Protocol Settings (Protocol Versions, Key Exchange Algorithms, Encryption Algorithms, and Authentication Algorithms), which apply to both profile types. There are settings for Server Certificate Verification, Unsupported Mode Checks, Failure Checks, and Client Extensions. SSL Forward Proxy and SSL Inbound Inspection share some settings, but only the SSL Forward Proxy profile has options for server certificate verification.
You may need to allow traffic on your network from sites that use client authentication and are not in the predefined sites on the SSL decryption exclusion list. Create a decryption profile that allows sessions with client authentication. Add it to a decryption policy rule that applies only to the servers that host the application. To increase security even more, you can require multi-factor authentication to complete the user login process.
The following concepts summarize the profile settings and recommendations for each profile type: SSL Forward Proxy and SSL Inbound Inspection, No decryption, and SSH Proxy. Select a profile type to learn more about the unique settings and recommendations offered.
  • SSL Forward Proxy
  • SSL Inbound Inspection
  • SSL Protocol Settings

SSL Forward Proxy

The SSL Forward Proxy decryption profile controls server verification, session mode checks, and failure checks for outbound SSL and TLS traffic defined in the Forward Proxy decryption policy rules to which you attach the profile.
SSL Forward Proxy can't decrypt some sessions, such as sessions with client authentication or pinned certificates because the NGFW is a proxy device. Being a proxy also means that the NGFW does not support high availability (HA) sync for decrypted SSL sessions.
The following figure shows the general best practice recommendations for SSL Forward Proxy decryption profiles, but the settings you use also depend on your company’s security compliance rules and local laws and regulations. There are also specific best practices for perimeter internet gateway decryption profiles and for data center decryption profiles.

SSL Inbound Inspection

The SSL Inbound Inspection decryption profile controls the session mode checks and failure checks for inbound SSL/TLS traffic defined in the Inbound Inspection decryption policy rules to which you attach the profile. The following figure shows the general best practice recommendations for Inbound Inspection decryption profiles, but the settings you use also depend on your company’s security compliance rules and local laws and regulations.
SSL Inbound Inspection can't decrypt some sessions, such as sessions with client authentication or pinned certificates, because the NGFW is a proxy device. Being a proxy also means that the NGFW does not support high availability (HA) sync for decrypted SSL sessions.

SSL Protocol Settings

The SSL Protocol Settings tab controls the cipher suites—the protocol versions, key exchange algorithms, encryption algorithms, and authentication algorithms–used for SSL Forward Proxy and SSL Inbound Inspection traffic. You can decide whether to allow vulnerable or weak SSL/TLS protocol versions, encryption algorithms, and authentication algorithms. SSL Protocol Settings apply to outbound SSL Forward Proxy traffic and inbound SSL Inbound Inspection traffic. These settings don’t apply to SSH Proxy traffic or to traffic that you don’t decrypt.
Protocol Versions: Specify the minimum and maximum TLS versions that you'd like to support for decryption.
  • Set the Min Version to TLSv1.3 to provide the strongest security. Business sites that value security support TLSv1.3. If a site (or a category of sites) only supports weaker ciphers, review the site and determine if it hosts a legitimate business application. If it does, make an exception for only that site by configuring a decryption profile with a Min Version that matches the strongest cipher the site supports and then applying the profile to a decryption policy rule that limits allowing the weak cipher to only the site or sites in question. If the site doesn’t host a legitimate business application, don’t weaken your security posture to support the site. Weak protocols (and ciphers) contain known vulnerabilities that attackers can exploit.
    If the site belongs to a category of sites that you don’t need for business purposes, use URL filtering to block access to the entire category. Don’t support weak encryption or authentication algorithms unless you must support important legacy sites, and when you make exceptions, create a separate decryption profile that allows the weaker protocol just for those sites. Don’t downgrade the main decryption profile that you apply to most sites to TLSv1.1 just to accommodate a few exceptions.
    Qualys SSL Labs SSL Pulse web page provides up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world so you can see trends and understand how widespread worldwide support is for more secure ciphers and protocols.
  • Set the Max Version to Max rather than to a particular version so that as the protocols improve, the NGFW or Prisma Access automatically supports the newest and best protocols. Whether you intend to attach a decryption profile to a decryption policy rule that governs inbound (SSL Inbound Inspection) or outbound (SSL Forward Proxy) traffic, avoid allowing weak algorithms.
    If your decryption policy supports mobile applications, many of which use pinned certificates, set the Max Version to TLSv1.2. Because TLSv1.3 encrypts certificate information that wasn’t encrypted in previous TLS versions, the NGFW can’t automatically add decryption exclusions based on certificate information, which affects some mobile applications. Therefore, if you enable TLSv1.3, the NGFW may drop some mobile application traffic unless you create a no-decryption policy rule for that traffic.
    If you know the mobile applications you use for business, consider creating a separate decryption policy rule and profile for those applications so that you can enable TLSv1.3 for all other application traffic.
The following figure shows the general best practice recommendations for SSL Protocol Settings. There are also specific best practices for perimeter internet gateway decryption profiles and for data center decryption profiles.
When you configure SSL Protocol Settings for SSL Inbound Inspection traffic, create separate profiles for servers with different security capabilities. For example, if one set of servers supports only RSA, the SSL Protocol Settings only need to support RSA. However, the SSL Protocol Settings for servers that support PFS should support PFS. Configure SSL Protocol Settings for the highest level of security that the target server you're protecting supports, but check performance to ensure that the NGFW and Prisma Access resources can handle the higher processing load that higher security protocols and algorithms require.
Key Exchange Algorithms:
Leave all three boxes checked (default) to support both RSA and Perfect Forward Secrecy (PFS) (DHE and ECDHE) key exchanges unless the minimum version is set to TLSv1.3, which only supports ECDHE.
To support HTTP/2 traffic, leave the ECDHE box checked.
Encryption Algorithms:
  • When you set the minimum protocol version to TLSv1.2, the older, weaker 3DES and RC4 algorithms are automatically unchecked (blocked).
  • When you set the minimum protocol version to TLSv1.3, the 3DES, RC4, AES128-CBC, and AES256-CBC algorithms are automatically blocked.
For any traffic for which you must allow a weaker TLS protocol, create a separate decryption profile and apply it only to traffic for that site, and deselect the appropriate boxes to allow the algorithm. Allowing traffic that uses the 3DES or RC4 algorithms exposes your network to excessive risk. If blocking 3DES or RC4 prevents you from accessing a site that you must use for business, create a separate decryption profile and policy rule for that site. Don’t weaken decryption for any other sites.
Authentication Algorithms: The NGFW automatically blocks the older, weaker MD5 algorithm. When TLSv1.3 is the minimum version, the NGFW also blocks SHA1. Don’t allow MD5 authenticated traffic on your network; SHA1 is the weakest authentication algorithm you should allow. If no necessary sites use SHA1, block SHA1 traffic to further reduce the attack surface.

Decryption Profile: No Decryption

No-decryption profiles perform server verification checks for traffic that you choose not to decrypt for legal, compliance, personal, or other reasons. Attach a no-decrypt profile to a no-decrypt decryption policy rule that defines the traffic you want to exclude from decryption.
Don’t create policy rules to exclude traffic that you can’t decrypt because a site breaks decryption for technical reasons such as a pinned certificate or mutual authentication. Instead, add the hostname to the SSL decryption exclusion list.
The following figure shows the general best practice recommendations for a no-decrypt profile, but the settings you use also depend on your company’s security compliance rules and local laws and regulations.
Don’t attach a no-decryption profile to decryption policy rules for TLSv1.3 traffic that you don’t decrypt. Unlike previous versions, TLSv1.3 encrypts certificate information, so the NGFW has no visibility into certificate data and therefore can't block sessions with expired certificates or untrusted issuers, so the profile has no effect. (The NGFW can perform certificate checks with TLSv1.2 and earlier because those protocols don’t encrypt certificate information and you should apply a no-decryption profile to their traffic.)
However, you should create a decryption policy rule for TLSv1.3 traffic that you don’t decrypt because the NGFW does not log undecrypted traffic unless a decryption policy rule controls that traffic.
(Applies to TLSv1.2 and earlier) If you choose to allow sessions with untrusted issuers (not recommended) and only Block sessions with expired certificates, there is a scenario in which a session with a trusted, expired issuer may be blocked inadvertently. When the NGFW certificate store contains a valid, self-signed trusted CA and the server sends an expired CA in the certificate chain, the NGFW does not check its certificate store. Instead, it blocks the session based on the expired CA when it should find the trusted, valid alternative trust anchor and allow the session based on that trusted self-signed certificate.
To avoid this scenario, select Block sessions with untrusted issuers in addition to Block sessions with expired certificates. This forces the NGFW to check its certificate store, find the self-signed trusted CA, and allow the session.

Decryption Profile: SSH Proxy

The SSH Proxy decryption profile controls the session mode checks and failure checks for SSH traffic defined in the SSH Proxy decryption policy rules to which you attach the profile. The following figure shows the general best practice recommendations for SSH Proxy decryption profiles, but the settings you use also depend on your company’s security compliance rules and local laws and regulations.
NGFWs don’t perform content and threat inspection on SSH tunnels (port forwarding). However, they distinguish between the SSH application and the SSH-tunnel application. If the NGFW identifies SSH tunnels, it blocks the tunneled traffic and restricts the traffic according to configured Security policy rules.