Network Security
Deploy Decryption in Stages
Roll out decryption in stages to prepare users and technical support for changes in website and
application access, and to make it easier to evaluate how each change affects
applications.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s). |
Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your
entire decryption deployment at once. Test and ensure that decryption is working as
planned and that users understand what you're doing and why. Rolling out decryption in
this manner makes it easier to troubleshoot in case anything doesn’t work as expected
and helps users adjust to the changes.
Educating stakeholders, employees, and other users such as contractors and partners is
critical because decryption settings may change their ability to access some websites,
especially risky or non-business-critical ones. Users should understand how to respond to
situations in which previously reachable websites become unreachable and what
information to give to technical support. Support should understand what is being rolled
out, when, and how to help users who encounter issues.
Before you roll out decryption to the general population:
- Identify early adopters who can champion decryption and who will be able to help other employees with questions during the full rollout. Enlist the help of department managers and help them understand the benefits of decrypting traffic.
- Set up proof of concept (PoC) trials in each department with early adopters and other employees who understand why decrypting traffic is important. Educate PoC participants about the changes and how to contact technical support if they run into issues. In this way, a decryption PoC becomes an opportunity to work with technical support to establish how to support decryption and to develop the most painless method for supporting the general rollout. The interaction between PoC participants and technical support also allows you to fine-tune decryption policy rules and how you communicate with users. The PoC enables you to experiment with prioritizing what to decrypt first, so that when you phase in decryption for the general population, you understand how to phase in decryption of different URL categories. Measure how decryption affects Next-Generation Firewall (NGFW) CPU and memory utilization to help determine whether the NGFW sizing is correct or whether you need to upgrade. The PoC can also reveal applications that break decryption technically (decrypting them blocks their traffic) and that should be added to the SSL Decryption Exclusion List. When you set up proofs of concept, also set up a user group that can certify operational readiness and procedures before the general rollout.
- Educate the user population before the general rollout, and plan to educate new users as they join the company. This is a critical phase of deploying decryption because the deployment may affect websites that users previously visited but that are not safe, so those sites are no longer reachable. The PoC experience helps identify the most important points to communicate.
- Phase in decryption. You can accomplish this in several ways:
  - Decrypt the highest-priority traffic first (for example, the URL categories most likely to harbor malicious traffic, such as gaming) and then decrypt more as you gain experience.
  - Take a more conservative approach and decrypt the URL categories that don’t affect your business first (for example, news feeds), so if something goes wrong, no issues occur that affect your business.

  In all cases, the best way to phase in decryption is to do the following:
  - Decrypt a few URL categories
  - Take user feedback into account
  - Run reports to ensure that decryption is working as expected (if possible)
  - Gradually decrypt a few more categories, verify, and so on
Additional Considerations:
- Plan to make decryption exclusions for traffic you can’t decrypt for technical reasons or that you choose not to decrypt.
- If you enable users to opt out of SSL decryption (users see a response page that allows them either to opt out of decryption and end the session without going to the site, or to proceed to the site and agree to have the traffic decrypted), educate them about what it is, why they’re seeing it, and what their options are.
- Create realistic deployment schedules that allow time to evaluate each stage of the rollout.
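The phase-gate loop described above (decrypt a few categories, run reports, exclude applications that break decryption, then expand) as an added example; this is not Palo Alto Networks code, and the session records, field names and thresholds are constructed assumptions rather than PAN-OS log output:

```python
"""Phase-gate check for a staged decryption rollout.

Added example, not Palo Alto Networks code. The session records below are
constructed sample summaries (not PAN-OS log output); the field names
category/app/decrypted/error are assumptions for illustration only.
"""
from collections import Counter, defaultdict

# Rollout order: highest-risk URL categories first, then expand phase by phase.
ROLLOUT_PHASES = [["gaming", "unknown"], ["news", "shopping"], ["business-and-economy"]]

# Constructed sample sessions from one PoC phase (no real traffic data).
SESSIONS = [
    {"category": "gaming",  "app": "web-browsing",  "decrypted": True,  "error": None},
    {"category": "gaming",  "app": "web-browsing",  "decrypted": True,  "error": None},
    {"category": "gaming",  "app": "game-launcher", "decrypted": False, "error": "pinned-cert"},
    {"category": "gaming",  "app": "game-launcher", "decrypted": False, "error": "pinned-cert"},
    {"category": "unknown", "app": "ssl",           "decrypted": True,  "error": None},
    {"category": "unknown", "app": "ssl",           "decrypted": True,  "error": None},
    {"category": "unknown", "app": "ssl",           "decrypted": False, "error": "unsupported-cipher"},
    {"category": "news",    "app": "web-browsing",  "decrypted": True,  "error": None},  # not in phase 1 yet
]


def phase_report(sessions, phase_categories, exclude_threshold=0.5):
    """Per-app decryption failure ratio and error reasons for this phase's
    categories, plus apps whose failure ratio suggests a decryption exclusion."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "errors": Counter()})
    for s in sessions:
        if s["category"] not in phase_categories:
            continue  # traffic outside the current phase is not decrypted yet
        st = stats[s["app"]]
        st["attempts"] += 1
        if not s["decrypted"]:
            st["failures"] += 1
            st["errors"][s["error"]] += 1
    ratios = {app: st["failures"] / st["attempts"] for app, st in stats.items()}
    candidates = sorted(app for app, r in ratios.items() if r >= exclude_threshold)
    return ratios, candidates, {app: dict(st["errors"]) for app, st in stats.items()}


def next_phase_ready(sessions, phase_categories, exclusions, max_fail_ratio=0.1):
    """Phase gate: with known-breaking apps excluded, the phase's remaining
    traffic must decrypt at or above the target rate before expanding."""
    kept = [s for s in sessions
            if s["category"] in phase_categories and s["app"] not in exclusions]
    if not kept:
        return False  # no evidence for this phase yet, so do not expand
    failures = sum(1 for s in kept if not s["decrypted"])
    return failures / len(kept) <= max_fail_ratio
```

Run `phase_report` on each phase's sessions, review the exclusion candidates against their error reasons before adding them to the exclusion list, and only move to the next entry in `ROLLOUT_PHASES` once `next_phase_ready` passes.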
Place NGFWs in positions where they can see all network traffic so that no
encrypted traffic inadvertently gains access to your network because it bypasses the
NGFW.