Turn on decryption to stop threats hidden in encrypted traffic.
Go to Manage > Configuration > Security Services > Decryption to:
Enable a best practice decryption policy in three steps.
We’ve made it easy for you to get started. All you need to do is import the certificates that Prisma Access uses to act as a trusted third party to a session. For everything else, we’ve built in default best practice settings (including decryption exclusions) that you can use to get up and running.
Exclude sensitive content from decryption, as well as sites that don’t work well when decrypted. You can adjust the list of sites that are known to break with decryption (this list is excluded from decryption by default), add your own custom exclusions, and use URL categories to exclude content from decryption.
Apply security checks (certificate, protocol, and cipher suite validation) to decrypted traffic, and also to traffic you are not decrypting. For traffic that stays encrypted these checks are the only control you have: you can still block sessions to servers with expired or untrusted certificates, or that negotiate weak protocol versions or cipher suites, even though you cannot inspect their content.
Apply some decryption settings globally, to all your Prisma Access locations, and target other settings to specific mobile user locations, remote network sites, and service connections.
Get started
Decide on the location (global or a specific deployment) where you want to enable a decryption policy rule.
Select the location where you want to enable decryption (globally for all of Prisma Access, mobile user locations, remote network sites, or service connections) and then open the decryption policy for that location.
Import the Decryption Certificates that Prisma Access uses to act as a trusted third party to a session.
When a site certificate is signed by a well-known, trusted certificate authority, Prisma Access uses the forward trust certificate to establish a secure session. When a site certificate is not signed by a trusted certificate authority, Prisma Access uses the forward untrust certificate and warns users that they are attempting to access an untrusted site. For this to work as intended, the forward trust CA certificate must be installed in the trust store of your client devices and the forward untrust CA certificate must not be: otherwise decrypted sessions to legitimate sites produce certificate warnings, or sessions to untrusted sites produce none.
Enable the default decryption policy rules.
Globally, for all Prisma Access locations:
For specific mobile user locations, remote network sites, and service connections:
Decryption tips
Use the best practice policy rules as a starting point to build your decryption policy. These rules (one that decrypts traffic and one that excludes sensitive content from decryption) are built on URL categories.
Exclude sensitive content from decryption
Exclude sensitive content from decryption for business, legal, or regulatory reasons.
Predefined Decryption Exclusions—Palo Alto Networks maintains this list of exclusions and updates it regularly. The list is applied globally and by default to all traffic you specify for decryption. You can disable individual list entries if that fits your business needs.
Custom Exclusions—Globally exclude sites or applications from decryption.
Policy-based exclusions—Use URL categories and external dynamic lists to create targeted, policy-based decryption rules. Set a decryption policy rule action to no-decrypt to exclude matching traffic from decryption.
Always place decryption exclusions at the top of your policy rules so that they are applied first. Rules are matched top-down, so a broader decrypt rule placed above an exclusion would match first and the exclusion would never take effect.
Consider that you can apply some decryption settings globally, and target others to specific locations
Your Prisma Access decryption policy is applied globally to all Prisma Access locations:
Manage > Prisma Access > Security Services > Decryption
Navigate to the decryption policy for each location type to create policy rules that are targeted to specific mobile user locations, remote network sites, or service connections:
Manage > Mobile Users / Remote Networks / Service Connections > Security Services > Decryption
Rule order matters
Decryption policy rules are applied from the top down. Place the rules you want enforced first at the top of your list of decryption policy rules. Global rules (pre-rules) are applied first and are always listed ahead of rules that are specific to mobile users, remote networks, and service connections.
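The ordering behaviour described in this tip and under "Exclude sensitive content from decryption", as an added example that is not Prisma Access code or Palo Alto Networks' policy engine: a toy first-match evaluator in Python that applies the global exclusion lists first, then global pre-rules top-down, then the rules targeted at the flow's location, plus a small lint that reports rules an earlier rule has already shadowed. Everything in it is constructed for illustration: the Flow and Rule fields, the hostnames, URL category and rule names, the host-keyed model of the predefined exclusion list, and the assumption that traffic matching no rule is left encrypted.

```python
"""Added example (not Prisma Access code): a toy first-match evaluator for the
ordering rules described on this page, so the effect of rule order can be
seen on sample traffic. Hostnames, category names and rule names below are
constructed for illustration; the default for unmatched traffic is assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    server: str     # server name from the TLS ClientHello (SNI)
    category: str   # URL category returned for the destination
    location: str   # "mobile-users", "remote-networks" or "service-connections"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "decrypt" or "no-decrypt"
    categories: frozenset = frozenset()  # match these URL categories; empty = any
    servers: frozenset = frozenset()     # match these server names (EDL-style); empty = any
    location: str = ""                   # "" = global pre-rule, else the location type it targets

    def matches(self, flow):
        if self.categories and flow.category not in self.categories:
            return False
        if self.servers and flow.server not in self.servers:
            return False
        return True


def first_match(rules, flow):
    """Top-down evaluation: the first rule whose match criteria fit wins."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def evaluate(flow, pre_rules, location_rules, predefined_exclusions, custom_exclusions):
    """Return (action, reason) for one flow.

    Order follows the page: the global exclusion lists exempt a server before
    any rule is consulted, then global pre-rules are evaluated top-down, then
    the rules targeted at the flow's location. A flow that matches nothing is
    left encrypted (assumed default for this example).
    """
    if predefined_exclusions.get(flow.server, False):   # False = entry disabled by the admin
        return "no-decrypt", "predefined-exclusion"
    if flow.server in custom_exclusions:
        return "no-decrypt", "custom-exclusion"
    rule = first_match(pre_rules, flow)
    if rule is None:
        rule = first_match([r for r in location_rules if r.location == flow.location], flow)
    if rule is None:
        return "no-decrypt", "no-matching-rule"
    return rule.action, rule.name


def shadowed(rules):
    """Names of rules that can never match because an earlier rule in the same
    top-down order already covers every flow they would (a lint for misordering;
    pass pre-rules followed by location rules to check across both)."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            cat_cover = not earlier.categories or bool(later.categories and later.categories <= earlier.categories)
            srv_cover = not earlier.servers or bool(later.servers and later.servers <= earlier.servers)
            loc_cover = earlier.location in ("", later.location)
            if cat_cover and srv_cover and loc_cover:
                hidden.append(later.name)
                break
    return hidden


SENSITIVE = frozenset({"financial-services", "health-and-medicine", "government"})

# Best-practice order: the exclusion sits above the rule that decrypts everything else.
BEST_PRACTICE_PRE_RULES = [
    Rule("exclude-sensitive-content", "no-decrypt", categories=SENSITIVE),
    Rule("decrypt-web", "decrypt"),
]
# Same two rules, reversed: the catch-all decrypt rule now shadows the exclusion.
MISORDERED_PRE_RULES = list(reversed(BEST_PRACTICE_PRE_RULES))

PREDEFINED_EXCLUSIONS = {          # vendor-maintained list, modelled as host -> enabled
    "updates.vendor.example": True,
    "legacy.app.example": False,   # entry the administrator disabled
}
CUSTOM_EXCLUSIONS = frozenset({"pinned.intranet.example"})

# A location-specific rule. Because global pre-rules run first and decrypt-web
# matches everything, this rule never gets a chance; shadowed() reports that.
LOCATION_RULES = [
    Rule("mu-no-decrypt-collab", "no-decrypt",
         categories=frozenset({"online-meetings"}), location="mobile-users"),
]

if __name__ == "__main__":
    flows = [   # constructed sample sessions
        Flow("bank.example", "financial-services", "mobile-users"),
        Flow("news.example", "news", "remote-networks"),
        Flow("updates.vendor.example", "computer-and-internet-info", "mobile-users"),
        Flow("legacy.app.example", "business-and-economy", "mobile-users"),
        Flow("pinned.intranet.example", "business-and-economy", "remote-networks"),
        Flow("meet.example", "online-meetings", "mobile-users"),
    ]
    for label, pre in (("best-practice order", BEST_PRACTICE_PRE_RULES),
                       ("misordered", MISORDERED_PRE_RULES)):
        print(f"== {label}: shadowed rules = {shadowed(pre + LOCATION_RULES) or 'none'}")
        for f in flows:
            action, why = evaluate(f, pre, LOCATION_RULES, PREDEFINED_EXCLUSIONS, CUSTOM_EXCLUSIONS)
            print(f"  {f.location:16} {f.server:26} {f.category:28} -> {action:10} ({why})")
```

Running it shows the two failure modes the page warns about: with the rules reversed, the financial-services session is decrypted because the catch-all decrypt rule matched first, and the mobile-user no-decrypt rule is dead in both orders because a global pre-rule that matches everything is evaluated ahead of it. A disabled predefined-exclusion entry (legacy.app.example) falls through to normal policy, while an enabled one and a custom exclusion are exempted before any rule is consulted.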