Create a Decryption Policy Rule
Focus
Focus

Create a Decryption Policy Rule

Table of Contents

Create a Decryption Policy Rule

Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL category.
Create a Decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a Decryption policy rule to define Decryption Mirroring.
Before you create a Decryption policy rule, make sure you understand that the set of IPv4 addresses is treated as a subset of the set of IPv6 addresses, as described in detail in Policy.
  1. Add a new Decryption policy rule.
    Select
    Policies
    Decryption
    ,
    Add
    a new Decryption policy rule, and give the policy rule a descriptive
    Name
    .
  2. Configure the decryption rule to match to traffic based on network and policy objects:
    • Firewall security zones
      —Select
      Source
      and/or
      Destination
      and match to traffic based on the
      Source Zone
      and/or the
      Destination Zone
      .
    • IP addresses, address objects, and/or address groups
      —Select
      Source
      and/or
      Destination
      to match to traffic based on
      Source Address
      and/or the
      Destination Address
      . Alternatively, select
      Negate
      to exclude the source address list from decryption.
    • Users
      —Select
      Source
      and set the
      Source User
      for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
    • Ports and protocols
      —Select
      Service/URL Category
      to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt
      Any
      traffic on TCP and UDP ports. You can
      Add
      a service or a service group, and optionally set the rule to
      application-default
      to match to applications only on the application default ports.
    The application-default setting can be useful when you create a policy-based decryption exclusion. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
    • URLs and URL categories
      —Select Service/URL Category and decrypt traffic based on:
      • An externally-hosted list of URLs that the firewall retrieves for policy-enforcement (see
        Objects
        External Dynamic Lists
        ).
      • Palo Alto Networks predefined URL categories, which make it easy to decrypt entire categories of allowed traffic. This option is also useful when you create policy-based decryption exclusions because you can exclude sensitive sites by category instead of individually. For example, although you can create a custom URL category to group sites that you do not want to decrypt, you can also exclude financial or healthcare-related sites from decryption based on the predefined Palo Alto Networks URL categories. In addition, you can block risky URL categories and create comfort pages to communicate the reason the sites are blocked or enable users to opt out of SSL decryption.
        You can use the predefined high-risk and medium-risk URL categories to create a Decryption policy rule that decrypts all high-risk and medium-risk URL traffic. Place the rule at the bottom of the rulebase (all decryption exceptions must be above this rule so that you don’t decrypt sensitive information) as a safety net to ensure that you decrypt and inspect all risky traffic. However, if high-risk or medium-risk sites to which you allow access contain personally identifiable information (PII) or other sensitive information that you don’t want to decrypt, either block those sites to avoid allowing encrypted risky traffic while also avoiding privacy issues, or create a No Decryption rule to handle the sensitive traffic.
      • Custom URL categories (see
        Objects
        Custom Objects
        URL Category
        ). For example, you can create a custom URL category to specify a group of sites you need to access for business purposes but that don’t support the safest protocols and algorithms, and then apply a customized Decryption profile to allow the looser protocols and algorithms for just those sites (that way, you don’t decrease security by downgrading the Decryption profile you use for most sites).
  3. Set the rule to either decrypt matching traffic or to exclude matching traffic from decryption.
    Select
    Options
    and set the policy rule
    Action
    :
    To decrypt matching traffic:
    1. Set the
      Action
      to
      Decrypt
      .
    2. Set the
      Type
      of decryption for the firewall to perform on matching traffic:
      • SSL Inbound Inspection. Then,
        Add
        one or more
        Certificates
        for the destination internal server of the inbound SSL traffic. SSL Inbound Inspection policy rules support a maximum of 12 certificates.
        You can configure a Decryption policy rule to decrypt SSL/TLS traffic bound for an internal server that hosts multiple domains, each domain with its own certificate. The firewall negotiates SSL/TLS connections using the certificate in your policy rule that matches the one the server presents for the requested URL.
        To update certificates for protected internal servers without incurring downtime, renew or obtain a new server certificate before it expires or otherwise becomes invalid. Then, import the certificate and private key onto your firewall and add it to an SSL Inbound Inspection policy rule before installing the same certificate onto your web server. Updating your policy rule with a new certificate while another is active on your web server prepares the firewall to decrypt traffic to the server regardless of the certificate in use. Configure SSL Inbound Inspection describes this process further.
        (
        Panorama
        ) Support for multiple certificates in SSL Inbound Inspection policy rules is unavailable in PAN-OS
        ®
        versions earlier than PAN-OS 10.2. If you push a SSL Inbound Inspection policy rule with multiple certificates from a Panorama management server running PAN-OS 10.2 to a firewall running an earlier version, the policy rule on the managed firewall inherits only the first certificate from the alphabetically-sorted list of certificates.
        Before pushing your Decryption policy rule from Panorama, we recommend you set up different templates or device groups for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to the appropriate firewalls.
    To exclude matching traffic from decryption:
    Set the
    Action
    to
    No Decrypt
    .
  4. (
    Optional
    ) Select a
    Decryption Profile
    to perform additional checks on traffic that matches the policy rule.
    Although applying a Decryption profile to decrypted traffic is optional, it is a best practice to always apply a Decryption profile to the policy rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.
    For example, attach a Decryption profile to a policy rule to ensure that server certificates are valid and to block sessions using unsupported protocols or ciphers. To create a Decryption profile, select
    Objects
    Decryption Profile
    .
    1. Create a Decryption policy rule or open an existing rule to modify it.
    2. Select
      Options
      and select a
      Decryption Profile
      to block and control various aspects of the traffic matched to the rule.
      The profile rule settings the firewall applies to matching traffic depends on the policy rule
      Action
      (Decrypt or No Decrypt) and the policy rule
      Type
      (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the different Decryption profiles with different types of Decryption policy rules that apply to different types of traffic and users.
    3. Click
      OK
      .
  5. Configure Decryption logging (configure whether to log both successful and unsuccessful TLS handshakes and configure Decryption log forwarding).
  6. Click
    OK
    to save the policy.
  7. Choose your next step to fully enable the firewall to decrypt traffic...

Recommended For You