Manage: Decryption

Strata Cloud Manager
How to use Strata Cloud Manager to configure and manage decryption for NGFWs and Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
What Do I Need?
Each of these licenses includes access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Enable Decryption to stop threats hidden in encrypted traffic. All you need to do to get started is import your decryption certificates — for everything else, we've built in best-practice settings that you can use to get up and running.
Learn more about decrypting traffic here.
Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.

Decryption Overview

The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to any entity other than the client and server, which hold the certificates that establish trust between them and the keys to decode the data. Decrypt SSL and SSH traffic to:
  • Prevent malware concealed as encrypted traffic from being introduced into your network. For example, an attacker compromises a website that uses SSL encryption. Employees visit that website and unknowingly download an exploit or malware. The malware then uses the infected employee endpoint to move laterally through the network and compromise other systems.
  • Prevent sensitive information from moving outside the network.
  • Ensure the appropriate applications are running on a secure network.
  • Selectively decrypt traffic; for example, create a Decryption policy and profile to exclude traffic for financial or healthcare sites from decryption.
SSH Proxy decryption is not supported in Strata Cloud Manager.

Decryption Policies

Strata Cloud Manager provides two types of Decryption policy rules: SSL Forward Proxy to control outbound SSL traffic and SSL Inbound Inspection to control inbound SSL traffic.
SSL Forward Proxy
When you configure the firewall to decrypt SSL traffic going to external sites, it functions as an SSL forward proxy. Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL encrypted traffic from being introduced into your corporate network by decrypting the traffic so that the firewall can apply decryption profiles and security policies and profiles to the traffic.
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL/TLS traffic from a client to a targeted network server (any server you have the certificate for and can import onto the firewall) and block suspicious sessions. For example, suppose a malicious actor wants to exploit a known vulnerability in your web server. Inbound SSL/TLS decryption provides visibility into the traffic, allowing the firewall to respond to the threat proactively.

Decryption Profiles

You can attach a Decryption profile to a policy rule to apply granular access settings to traffic, such as checks for server certificates, unsupported modes, and failures.
SSL Forward Proxy Profiles
The SSL Forward Proxy Decryption profile controls the server verification, session mode checks, and failure checks for outbound SSL/TLS traffic defined in Forward Proxy Decryption policies to which you attach the profile.
SSL Inbound Inspection Profiles
The SSL Inbound Inspection Decryption profile controls the session mode checks and failure checks for inbound SSL/TLS traffic defined in the Inbound Inspection Decryption policies to which you attach the profile.
Profile for No Decryption
No Decryption profiles perform server verification checks for traffic that you choose not to decrypt. You attach a No Decryption profile to a “No Decryption” Decryption policy that defines the traffic to exclude from decryption. (Don’t use policy to exclude traffic that you can’t decrypt because a site breaks decryption for technical reasons such as a pinned certificate or mutual authentication. Instead, add the hostname to the Decryption Exclusion List.)

Decryption Tips

  • Use the best practice policy rules as a starting point to build your decryption policy
    These rules—one that decrypts traffic and one that excludes sensitive content from decryption—are built based on URL categories.
  • Exclude sensitive content from decryption
    Exclude sensitive content from decryption for business, legal, or regulatory reasons.
    • Predefined Decryption Exclusions—Palo Alto Networks maintains this list of exclusions and updates it regularly. This list is applied globally and by default to all traffic you specify for decryption. You can disable list entries if that fits your business needs.
    • Custom Exclusions—Globally exclude sites or applications from decryption.
    • Policy-based exclusions—Use URL categories and external dynamic lists to create targeted, policy-based decryption rules. Set a decryption policy rule action to no-decrypt to exclude matching traffic from decryption.
    Always place decryption exclusions at the top of your policy rules, so that they are applied first.
  • Consider that you can apply some decryption settings globally, and target others to specific locations
    • Your Strata Cloud Manager decryption policy is applied globally to all NGFWs and Prisma Access locations.
      Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption
    • Navigate to the decryption policy for each type to create policy rules that are targeted to specific firewalls, mobile user locations, remote network sites, or service connections.
      Manage > Configuration > NGFW and Prisma Access > Configuration Scope: Global / Firewalls / Mobile Users / Remote Networks / Service Connections
  • Rule order matters
    Decryption policy rules are applied from the top down. Place the rules you want enforced first at the top of your list of decryption policy rules. Global rules (pre-rules) are applied first and are always listed ahead of rules that are specific to mobile users, remote networks, and service connections.
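The two points above (exclusions go at the top; global pre-rules are evaluated before scope-specific rules) are easy to get wrong when a rulebase grows. The following is an added example, not Strata Cloud Manager or Palo Alto Networks code: a small Python model of first-match decryption rule evaluation, plus a check that reports rules shadowed by an earlier, broader rule. The hostnames, URL categories, rule names, the scope labels (`mobile-users`, `remote-networks`) and the no-decrypt fallback when nothing matches are all constructed assumptions for the model; the Decryption Exclusion List and URL filtering database are stood in for by plain Python sets and dictionaries.

```python
from dataclasses import dataclass

# Constructed stand-in for the Decryption Exclusion List: hostnames that break
# decryption for technical reasons (pinned certificate, mutual authentication).
# They are checked before any policy rule, which is why such sites belong on
# the exclusion list rather than in a no-decrypt policy rule.
EXCLUSION_LIST = {"pinned.example.net", "mutual-auth.example.org"}

# Constructed URL-category lookup standing in for the URL filtering database.
URL_CATEGORIES = {
    "bank.example.com": "financial-services",
    "clinic.example.com": "health-and-medicine",
    "files.example.com": "online-storage-and-backup",
    "news.example.com": "news",
}
SENSITIVE = frozenset({"financial-services", "health-and-medicine"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "decrypt" or "no-decrypt"
    categories: frozenset = frozenset()  # empty means "match any category"
    scope: str = "global"                # "global" pre-rule or a specific scope


@dataclass(frozen=True)
class Verdict:
    host: str
    action: str
    matched_by: str


def ordered_rules(rulebase, scope):
    """Global pre-rules always run ahead of rules targeted at one scope."""
    pre = [r for r in rulebase if r.scope == "global"]
    scoped = [r for r in rulebase if r.scope == scope]
    return pre + scoped


def evaluate(host, rulebase, scope="mobile-users"):
    """First-match, top-down evaluation of a decryption rulebase."""
    if host in EXCLUSION_LIST:
        return Verdict(host, "no-decrypt", "exclusion-list")
    category = URL_CATEGORIES.get(host, "unknown")
    for rule in ordered_rules(rulebase, scope):
        if not rule.categories or category in rule.categories:
            return Verdict(host, rule.action, rule.name)
    # No rule matched: leave the session encrypted (assumed default for this model).
    return Verdict(host, "no-decrypt", "default")


def shadowed_rules(rulebase, scope="mobile-users"):
    """Names of rules that can never match because every category they cover
    is already claimed by an earlier rule in evaluation order."""
    universe = set(URL_CATEGORIES.values()) | {"unknown"}
    earlier, shadowed = [], []
    for rule in ordered_rules(rulebase, scope):
        covered = rule.categories or universe
        if all(any(c in (e.categories or universe) for e in earlier) for c in covered):
            shadowed.append(rule.name)
        earlier.append(rule)
    return shadowed


# Best-practice order: the exclusion rule sits above the broad decrypt rule.
BEST_PRACTICE = [
    Rule("no-decrypt-sensitive", "no-decrypt", SENSITIVE),
    Rule("decrypt-everything-else", "decrypt"),
]

# Same two rules in the wrong order: the broad rule shadows the exclusion,
# so financial and healthcare sites are decrypted despite the no-decrypt rule.
MISORDERED = [
    Rule("decrypt-everything-else", "decrypt"),
    Rule("no-decrypt-sensitive", "no-decrypt", SENSITIVE),
]

# A remote-networks rule added beneath the global rules: the global pre-rule
# still matches first, so the scoped rule never fires.
SCOPED = BEST_PRACTICE + [
    Rule("decrypt-storage-remote-networks", "decrypt",
         frozenset({"online-storage-and-backup"}), scope="remote-networks"),
]

if __name__ == "__main__":
    for label, rb in (("best practice", BEST_PRACTICE), ("misordered", MISORDERED)):
        v = evaluate("bank.example.com", rb)
        print(f"{label:14} bank.example.com -> {v.action} (rule: {v.matched_by})")
        print(f"{label:14} shadowed rules: {shadowed_rules(rb)}")
    print("remote-networks shadowed:", shadowed_rules(SCOPED, "remote-networks"))
```

Running the script shows the same pair of rules producing opposite verdicts for `bank.example.com` depending only on their order, and `shadowed_rules` naming the rule that can never match. The shadow check is the review step to run whenever a no-decrypt rule is added below an existing broad decrypt rule, or a scope-specific rule is added under a global pre-rule that already covers its traffic.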

Decryption at a Glance

The Decryption screen is the place to configure Decryption Policies and Profiles and view your Best Practice Assessments.
A) Rulebase—Rulebase checks look at how security policy is organized and managed, including configuration settings that apply across many rules.
B) Best Practices—Here you can get a comprehensive view into how your implementation of this feature aligns with best practices. Examine failed checks to see where you can make improvements (you can also review passed checks).
C) Best Practice Assessment—Best practice scores are displayed on the decryption dashboard. These scores give you a quick view into your best practice progress. At a glance, you can identify areas for further investigation or where you want to take action to improve your security posture.
D) Decryption Policies—List of onboarded decryption policies. Review the policy configuration, policy type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy), policy action (decrypt or no-decrypt), and BPA Verdict.
E) Add Rule—Add and configure new decryption policies.
F) Decryption Settings—Access certificate and decryption settings. Import and export certificates.
G) Add Profile—Add and configure new decryption profiles.
H) Global Decryption Exclusions—Applications excluded from decryption.
I) Decryption Profiles—List of onboarded decryption profiles. Review the profile configuration, policies using the profile, and the BPA Verdict.