Proper preparation makes deploying decryption easier and smoother because everyone
from IT to executives to the user base is educated and ready for the changes.
No separate license required for decryption when using NGFWs or
Prisma Access.
Note: The features and capabilities available to you in
Strata Cloud Manager depend on your active license(s).
The most time-consuming part of deploying decryption isn’t configuring decryption policy
rules or decryption profiles. It is the preparation—working with stakeholders to decide
what traffic to decrypt, educating users about changes to website access, developing a
public key infrastructure (PKI) strategy, sizing your Next-Generation Firewall (NGFW) deployment, and planning each phase of the decryption rollout.
Start by setting clear goals for your decryption deployment. You can evaluate each
planning and implementation phase against these goals. Ensure coordination between the
teams involved in implementation and affected users. Review the Decryption Planning Best Practices checklist,
and integrate best practices as much as you can. The best practice goal is to decrypt as
much traffic as your NGFW resources permit, prioritizing the most
important traffic. In industries like healthcare or finance, this goal should take into
account regulatory requirements.
Migrate from port-based to application-based Security policy rules before creating and
deploying decryption policy rules. If you create decryption policy rules based on
port-based Security policy rules and then migrate to application-based Security
policy rules, the change could cause the decryption policy rules to block traffic
that you intend to allow because Security policy rules are likely to use application
default ports to prevent application traffic from using nonstandard ports.
For example, traffic identified as web-browsing (default port 80) may have underlying
applications with different default ports, such as HTTPS traffic (default port 443).
The application-default rule blocks the HTTPS traffic because the decrypted traffic
uses a nonstandard port (443 instead of 80). Migrating to App-ID based policy rules
before deploying decryption means that during proof-of-concept testing you'll
discover Security policy rule misconfigurations, and you can fix those issues before
rolling decryption out to the general user population.
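As an added illustration of the mismatch described above (example code, not Palo Alto Networks code; the default-port table, rule format and flow records are assumptions), a small Python model of how an application-default rule treats the same session before and after decryption:

```python
"""Simplified model of 'application-default' service matching around decryption.
Constructed illustration only: the default-port table, rule layout and flows are
assumptions, not the NGFW's real implementation."""
from dataclasses import dataclass

# Assumed default-port table, limited to the two App-IDs the text discusses.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}}
APPLICATION_DEFAULT = "application-default"


@dataclass
class Rule:
    name: str
    apps: set          # App-IDs the rule covers; {"any"} matches every app
    service: object    # APPLICATION_DEFAULT, or an explicit set of allowed ports
    action: str = "allow"


@dataclass
class Flow:
    port: int
    app: str           # App-ID as policy sees it; changes once the flow is decrypted


def service_matches(rule, flow):
    """application-default only matches if the port is a default port of the app."""
    if rule.service == APPLICATION_DEFAULT:
        return flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.port in rule.service


def evaluate(rules, flow):
    """Action of the first matching rule; implicit deny when nothing matches."""
    for r in rules:
        if ("any" in r.apps or flow.app in r.apps) and service_matches(r, flow):
            return r.action
    return "deny (no rule matched)"


def rollout_outcome(rules, before, after):
    """Decision for one session as seen before decryption and after decryption."""
    return evaluate(rules, before), evaluate(rules, after)


# Port-based rule written before decryption: any app on tcp/80 or tcp/443.
PORT_BASED = [Rule("allow-web-ports", {"any"}, {80, 443})]
# Same intent as an App-ID rule using application-default as its service.
APP_BASED = [Rule("allow-web-apps", {"web-browsing", "ssl"}, APPLICATION_DEFAULT)]

# One session: identified as 'ssl' on 443 before decryption, 'web-browsing' on 443 after.
ENCRYPTED = Flow(443, "ssl")
DECRYPTED = Flow(443, "web-browsing")

if __name__ == "__main__":
    print("port-based:", rollout_outcome(PORT_BASED, ENCRYPTED, DECRYPTED))
    print("app-based: ", rollout_outcome(APP_BASED, ENCRYPTED, DECRYPTED))
```

The port-based rule allows the session both ways, while the App-ID rule allows it encrypted and denies it decrypted, because 443 is not a default port of web-browsing; this is the kind of misconfiguration a proof of concept should surface before the wider rollout.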
To plan and implement a decryption deployment that minimizes risks, maximizes security
benefits, and accounts for business and legal requirements:
Develop a decryption strategy. Define clear objectives and what a successful
deployment looks like. Collaborate with stakeholders from legal, finance, HR,
security, and IT teams. Identify the traffic you want to prioritize for decryption.
Consider traffic you may need to exclude from decryption for technical, legal, or
other reasons. Consider if you need to create separate decryption policy rules or
decryption profiles to handle traffic to and from various user groups, devices, or
applications.
Plan your PKI rollout. Proper certificate management and handling of user
traffic is critical in the decryption planning process. Consider which certificates
you need and how to generate them. Will you use an enterprise CA or a self-signed
root CA certificate? Think about edge cases, such as guest users or personal devices
on your network. Ensure network devices have valid certificates.
Size your NGFW to account for current and future needs.
Decryption can be resource-intensive. The amount of decryption an NGFW can support depends on various factors, including the volume of SSL traffic, TLS
versions, cipher suites, and authentication methods. Work with Palo Alto Networks
representatives to properly size deployments to meet your requirements. Make sure
your NGFW deployment can meet performance expectations when
decryption is in effect.
Deploy decryption in phases. Plan each phase, including the education of
stakeholders and proof of concepts. Evaluate user experiences, generate
decryption reports, and verify effectiveness at each stage. Refine decryption
policy rules and profiles as needed.
If enabling SSL/TLS decryption, use the Get Started with SSL Decryption resource as a guide for an initial deployment. This topic
includes steps for:
creating a no-decryption policy rule to understand the websites and
applications end users access
creating a low-risk proof of concept
using decryption logs to identify and mitigate issues
Familiarize yourself with SSL decryption and use the insights from each step to
turn a proof of concept into a deployment aligned with business and other
considerations.