Focus

Plan a Staged, Prioritized Deployment

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Size the Decryption Firewall Deployment

Define Traffic to Decrypt

Plan a Staged, Prioritized Deployment

Deploying decryption can change the reachability of websites that users may be used to accessing if those sites are risky or don’t support your business. A staged rollout prepares the user population and tech support for changes, and enables you to test how the rollout affects applications.

Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your entire decryption deployment at one time. Test and ensure that decryption is working as planned and that users understand what you are doing and why. Rolling out decryption in this manner makes it easier to troubleshoot in case anything doesn’t work as expected and helps users adjust to the changes.

Educating stakeholders, employees, and other users such as contractors and partners is critical because decryption settings may change their ability to access some websites. Users should understand how to respond to situations in which previously reachable websites become unreachable and what information to give technical support. Support should understand what is being rolled out when and how to help users who encounter issues. Before you roll out decryption to the general population:

Identify early adopters to help champion decryption and who will be able to help other employees who have questions during the full rollout. Enlist the help of department managers and help them understand the benefits of decrypting traffic.
Set up proof-of-concept (POC) trials in each department with early adopters and other employees who understand why decrypting traffic is important. Educate POC participants about the changes and how to contact technical support if they run into issues. In this way, decryption POCs become an opportunity to work with technical support to POC how to support decryption and to develop the most painless method for supporting the general rollout. The interaction between POC users and technical support also allows you to fine-tune policies and how to communicate with users.
POCs enable you to experiment with prioritizing what to decrypt first, so that when you phase in decryption in the general population, your POC experience helps you understand how to phase in decrypting different URL Categories. Measure the way decryption affects firewall CPU and memory utilization to help understand if the firewall sizing is correct or if you need to upgrade. POCs can also reveal applications that break decryption technically (decrypting them blocks their traffic) and need to be added to the Decryption Exclusion list.
When you set up POCs, also set up a user group that can certify the operational readiness and procedures prior to the general rollout.
Educate the user population before the general rollout, and plan to educate new users as they join the company. This is a critical phase of deploying decryption because the deployment may affect websites that users previously visited but are not safe, so those sites are no longer reachable. The POC experience helps identify the most important points to communicate.
Phase in decryption. You can accomplish this several ways. You can decrypt the highest priority traffic first (for example, the URL Categories most likely to harbor malicious traffic, such as gaming) and then decrypt more as you gain experience. Alternatively, you can take a more conservative approach and decrypt the URL Categories that don’t affect your business first (so if something goes wrong, no issues occur that affect business), for example, news feeds. In all cases, the best way to phase in decryption is to decrypt a few URL Categories, take user feedback into account, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories and verify, and so on. Plan to make Decryption Exclusions to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
If you Enable Users to Opt Out of SSL Decryption (users see a response page that allows them either to opt out of decryption and end the session without going to the site or to proceed to the site and agree to have the traffic decrypted), educate them about what it is, why they’re seeing it, and what their options are.
Create realistic deployment schedules that allow time to evaluate each stage of the rollout.

Place firewalls in positions where they can see all of the network traffic so that no encrypted traffic inadvertently gains access to your network because it bypasses the firewall.

Size the Decryption Firewall Deployment

Define Traffic to Decrypt

Next-Generation Firewall Docs

Plan a Staged, Prioritized Deployment

Next-Generation Firewall Docs

Plan a Staged, Prioritized Deployment

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner