Work With Decryption (APIs)
Table of Contents
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Work With Decryption (APIs)
Automate the workflow to create decryption rules, add
them to Security decryption policy rules, and push them to devices.
Use the REST API to automate the workflow
when you set up decryption policy rules for your firewalls. This
example shows how to create a decryption profile and a decryption
forwarding profile and then to include both in a decryption policy
rule. With decryption policy rules, you can decrypt traffic and
send decryption logs to support private analysis where third-party
security appliances can add additional enforcement for traffic that
the firewall should allow. You must have a Network Packet Broker license
for this example. Review How Network Packet Broker Works for more information about decryption forwarding
and creating a security chain,.
This
example describes setting up a Layer 3 security chain to forward
decrypted SSL traffic (see Layer 3 Security Chain Guidelines).
- Configure two Layer 3 interfaces over which to
forward decrypted traffic.This following POST request configures the Ethernet interface ethernet1/6 with decryption forwarding for use as a dedicate interface for decrypted traffic.curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/EthernetInterfaces?name=ethernet1/6' -H 'X-PAN-KEY: LUFRP==' -d '{ "entry": { "@name": "ethernet1/6", "layer3": { "decrypt-forward": "yes", "lldp": { "enable": "no" }, "ndp-proxy": { "enabled": "no" } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }
- Create a virtual router to enable decryption port forwarding.
The following POST requests uses two Ethernet interfaces dedicated to decryption: ethernet1/5 and ethernet1/6. The virtual router must be dedicated to the decryption forwarding interfaces to ensure that the clear text sessions that the firewall forwards for additional analysis are completely separated from dataplane traffic.curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/VirtualRouters?name=decrypttest' -H 'X-PAN-KEY: LUFRP==’ -d ' { "entry": { "@name": "decrypttest", "ecmp": { "algorithm": { "ip-modulo": {} } }, "interface": { "member": [ "ethernet1/5", "ethernet1/6" ] }, "protocol": { "bgp": { "enable": "no", "routing-options": { "graceful-restart": { "enable": "yes" } } }, "ospf": { "enable": "no" }, "ospfv3": { "enable": "no" }, "rip": { "enable": "no" } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a Decryption Profile.
The following POST request creates a decryption profile that defines the traffic and settings for blocking and allowing traffic in a decryption policy rule. For information on each of the options available for configuration, review how to Define Traffic to Decrypt.curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecyptionProfiles?name=jl-test&location=vsys&=vsys1&input-format=json' -h 'X-PAN-KEY: LUFRPT' -d '{ "entry": { "@name": "decryptProfileTest", "ssh-proxy": { "block-if-no-resource": "no", "block-ssh-errors": "no", "block-unsupported-alg": "no", "block-unsupported-version": "no" }, "ssl-forward-proxy": { "auto-include-altname": "no", "block-client-cert": "no", "block-expired-certificate": "no", "block-if-no-resource": "no", "block-timeout-cert": "no", "block-tls13-downgrade-no-resource": "no", "block-unknown-cert": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no", "block-untrusted-issuer": "no", "restrict-cert-exts": "no", "strip-alpn": "no" }, "ssl-inbound-proxy": { "block-if-no-resource": "no", "block-tls13-downgrade-no-resource": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no" }, "ssl-no-proxy": { "block-expired-certificate": "no", "block-untrusted-issuer": "no" }, "ssl-protocol-settings": { "auth-algo-md5": "no", "auth-algo-sha1": "yes", "auth-algo-sha256": "yes", "auth-algo-sha384": "yes", "enc-algo-3des": "yes", "enc-algo-aes-128-cbc": "yes", "enc-algo-aes-128-gcm": "yes", "enc-algo-aes-256-cbc": "yes", "enc-algo-aes-256-gcm": "yes", "enc-algo-chacha20-poly1305": "yes", "enc-algo-rc4": "yes", "keyxchg-algo-dhe": "yes", "keyxchg-algo-ecdhe": "yes", "keyxchg-algo-rsa": "yes", "max-version": "tls1-2", "min-version": "tls1-0" } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a Decryption Forwarding Profile.
The following POST request creates a bidirectional security chain with devices at 1.1.1.1 and 1.1.1.2 using the Ethernet interfaces you created earlier in this task.curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecryptionForwardingProfiles?name=decryptionForwardTest&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: LUFRP==' -d '{ "entry": { "@location": "vsys", "@name": "decryptionForwardTest", "@vsys": "vsys1", "flow": "bidirectional", "health-check": { "http-enable": "no", "http-latency-enable": "no", "path-enable": "no" }, "interface-primary": "ethernet1/5", "interface-secondary": "ethernet1/6", "routed": { "security-chain": { "entry": [ { "@name": "testchain", "enable": "yes", "first-device": "1.1.1.1", "last-device": "1.1.1.2" } ] } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a decryption policy using the decryption profile and decryption forwarding profile you created before.
The following POST requests defines the traffic source zones and destinations to enable decryption based on the testdecryptionprofile and testdecryptionforwading profiles.curl -X POST 'https://10.55.152.39/restapi/v11.0/Policies/DecryptionRules?name=jltestrule&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: LUFRP' -d '{ "entry": { "@location": "vsys", "@name": "jltestrule", "@uuid": "b4d66137-9678-4b9d-9105-e881899d1125", "@vsys": "vsys1", "action": "decrypt-and-forward", "category": { "member": [ "any" ] }, "destination": { "member": [ "any" ] }, "destination-hip": { "member": [ "any" ] }, "forwarding-profile": "testdecryptionforwarding", "from": { "member": [ "l3-untrust" ] }, "negate-source": "no", "profile": "testdecryptionprofile", "service": { "member": [ "any" ] }, "source": { "member": [ "Test" ] }, "source-hip": { "member": [ "any" ] }, "source-user": { "member": [ "any" ] }, "to": { "member": [ "l2-trust" ] }, "type": { "ssl-forward-proxy": {} } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" } - Create a virtual router to enable decryption port forwarding.