Decryption

Turn on decryption to stop threats hidden in encrypted traffic.
Go to Manage > Configuration > Security Services > Decryption to:
  • Enable a best practice decryption policy in three steps.
    We’ve made it easy for you to get started. All you need to do is import certificates for Prisma Access to use to act as a trusted third-party to a session. For everything else, we’ve built in default best practice settings (including decryption exceptions) that you can use to get up and running.
  • Exclude sensitive content from decryption, as well as sites that don’t work well when decrypted.
    You can adjust the list of sites that are known to break with decryption (this list is excluded from decryption by default), add your own custom exclusions, and use URL categories to exclude content from decryption.
  • Apply security checks—including certificate, protocol, and cipher suite validation—to decrypted traffic but also to traffic you are not decrypting.
  • Apply some decryption settings globally—to all your Prisma Access locations—and target other settings to specific mobile user locations, remote network sites, and service connections.

Get started

  1. Decide on the location (global or a specific deployment) where you want to enable a decryption policy rule.
    Select the location where you want to enable decryption—globally for all Prisma Access, mobile user locations, remote network sites, or service connections—and then open the decryption policy for that location.
  2. Import the Decryption Certificates that Prisma Access uses to act as a trusted third-party to a session.
    When a site certificate is signed by a well-known, trusted certificate authority, Prisma Access uses the forward trust certificate to establish a secure session. When a site certificate is not signed by a trusted certificate authority, Prisma Access uses the forward untrust certificate and warns users that they are attempting to access an untrusted site.
  3. Enable the default decryption policy rules.
    • Globally, for all Prisma Access locations.
    • For specific mobile user locations, remote network sites, and service connections.

Decryption tips

  • Use the best practice policy rules as a starting point to build your decryption policy
    These rules—one that decrypts traffic and one that excludes sensitive content from decryption—are built based on URL categories.
  • Exclude sensitive content from decryption
    Exclude sensitive content from decryption for business, legal, or regulatory reasons.
    • Predefined Decryption Exclusions—Palo Alto Networks maintains this list of exclusions and updates it regularly. This list is applied globally and by default to all traffic you specify for decryption. You can disable list entries if that fits with your business needs.
    • Custom Exclusions—Globally exclude sites or applications from decryption.
    • Policy-based exclusions—Use URL categories and external dynamic lists to create targeted, policy-based decryption rules. Set a decryption policy rule action to no-decrypt to exclude matching traffic from decryption.
    Always place decryption exclusions at the top of your policy rules, so that they are applied first.
  • Consider that you can apply some decryption settings globally, and target others to specific locations
    • Your Prisma Access decryption policy is applied globally to all Prisma Access locations: Manage > Prisma Access > Security Services > Decryption
    • Navigate to the decryption policy for each location type to create policy rules that are targeted to specific mobile user locations, remote network sites, or service connections: Manage > Mobile Users / Remote Networks / Service Connections > Security Services > Decryption
  • Rule order matters
    Decryption policy rules are applied from the top down. Place the rules you want enforced first at the top of your list of decryption policy rules. Global rules (pre-rules) are applied first and are always listed ahead of rules that are specific to mobile users, remote networks, and service connections.
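The ordering behaviour described in these tips (predefined exclusions applied to everything first, global pre-rules ahead of location-specific rules, top-down first-match evaluation, and the no-decrypt action) as an added Python model. This is example code, not Palo Alto Networks code: the rule names, URL categories, EDL entries, hostnames and locations are constructed for illustration, and the vendor-maintained predefined exclusion list is stood in for by a single constructed hostname. It also includes a small audit that flags a no-decrypt rule that an earlier decrypt rule already matches, which is the mistake the "place exclusions at the top" advice guards against.

```python
"""Toy model of Prisma Access decryption rule ordering (added example, not vendor code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    categories: set[str] = field(default_factory=set)   # URL categories the rule matches
    edl_domains: set[str] = field(default_factory=set)  # external dynamic list entries
    scope: str = "global"                         # "global" (pre-rule) or one location type


@dataclass
class Session:
    host: str
    category: str
    location: str   # "mobile-users", "remote-networks" or "service-connections"


# Constructed stand-in for the Palo Alto Networks-maintained predefined exclusion list.
PREDEFINED_EXCLUSIONS = {"updates.example-vendor.test"}


def matches(rule: Rule, session: Session) -> bool:
    return session.category in rule.categories or session.host in rule.edl_domains


def order_rules(rules: list[Rule]) -> list[Rule]:
    """Global pre-rules are always evaluated ahead of location-specific rules,
    keeping the administrator's order within each group."""
    return [r for r in rules if r.scope == "global"] + [r for r in rules if r.scope != "global"]


def evaluate(rules: list[Rule], session: Session) -> tuple[str, str]:
    """Return (action, reason) for a session: first matching rule wins, top down."""
    if session.host in PREDEFINED_EXCLUSIONS:
        return "no-decrypt", "predefined-exclusion"
    for rule in order_rules(rules):
        if rule.scope != "global" and rule.scope != session.location:
            continue                               # rule targets a different location
        if matches(rule, session):
            return rule.action, rule.name
    return "no-decrypt", "no-matching-rule"        # traffic matching no rule is not decrypted


def shadowed_exclusions(rules: list[Rule]) -> list[str]:
    """Names of no-decrypt rules whose categories an earlier decrypt rule already claims."""
    decrypted_categories: set[str] = set()
    shadowed = []
    for rule in order_rules(rules):
        if rule.action == "decrypt":
            decrypted_categories |= rule.categories
        elif rule.categories & decrypted_categories:
            shadowed.append(rule.name)
    return shadowed


# Constructed rule sets: exclusions on top (recommended) versus the same rules misordered.
BEST_PRACTICE = [
    Rule("exclude-sensitive", "no-decrypt", categories={"financial-services", "health-and-medicine"}),
    Rule("exclude-custom-edl", "no-decrypt", edl_domains={"payroll.internal.test"}),
    Rule("decrypt-risky", "decrypt", categories={"unknown", "malware", "financial-services"}),
    Rule("mu-decrypt-social", "decrypt", categories={"social-networking"}, scope="mobile-users"),
]
MISORDERED = [BEST_PRACTICE[2], BEST_PRACTICE[0], BEST_PRACTICE[1], BEST_PRACTICE[3]]


if __name__ == "__main__":
    bank = Session("bank.test", "financial-services", "remote-networks")
    print("best practice:", evaluate(BEST_PRACTICE, bank))   # exclusion wins
    print("misordered:   ", evaluate(MISORDERED, bank))      # decrypt rule shadows it
    print("shadowed:     ", shadowed_exclusions(MISORDERED))
```

Run the file directly to see the two orderings side by side; `shadowed_exclusions` is the check worth running against any rulebase before enabling it, since a shadowed exclusion decrypts exactly the content the exclusion was meant to keep out.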