Settings to Control Decrypted Traffic
11.0 (EoL)
The following tables describe the settings you can use to control traffic that the firewall decrypts using either Forward Proxy decryption or Inbound Inspection, together with the SSL Protocol Settings tab, which applies to both. Use these settings to limit or block TLS sessions based on criteria that include the status of the external server certificate, the use of unsupported cipher suites or protocol versions, and the availability of system resources to process decryption.
SSL Decryption Tab

Settings | Description |
---|---|
**SSL Forward Proxy tab** | Select options to limit or block TLS traffic decrypted using Forward Proxy. |
**Server Certificate Validation** | Select options to control how the firewall treats the server certificate in decrypted sessions. |
Block sessions with expired certificates | Terminate the TLS session if the server certificate is expired. This prevents users from accepting an expired certificate and continuing a TLS session. Block sessions with expired certificates to prevent access to potentially insecure sites. |
Block sessions with untrusted issuers | Terminate the TLS session if the issuer of the server certificate is not trusted. Block sessions with untrusted issuers because an untrusted issuer may indicate a man-in-the-middle attack, a replay attack, or another attack. |
Block sessions with unknown certificate status | Terminate the TLS session if the revocation status returned for the server certificate is "unknown". Revocation status indicates whether trust in the certificate has been revoked. Block sessions with unknown certificate status for the tightest security. However, because the status can be unknown for a variety of reasons, this may tighten security too much. If blocking unknown certificate status affects sites you need for business, do not enable this option. |
Block sessions on SNI mismatch with Server Certificate (SAN/CN) | Terminate any session in which the Server Name Indication (SNI) sent by the client does not match the Subject Alternative Name (SAN) entries or the Common Name (CN) of the server certificate. Palo Alto Networks recommends enabling this option if you configure an explicit proxy or transparent proxy. For more information, refer to Configure a Web Proxy in the PAN-OS Networking Administrator's Guide. |
Block sessions on the certificate status check timeout | Terminate the TLS session if the certificate status cannot be retrieved before the firewall stops waiting for a response from the certificate status service. You configure the Certificate Status Timeout value when you create or modify a certificate profile (Device > Certificate Management > Certificate Profile). Blocking sessions when the status check times out is a tradeoff between tighter security and a better user experience: if revocation servers respond slowly, blocking on a timeout may block sites that have valid certificates. If you are concerned about timing out valid certificates, increase the timeout value for Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checks. |
Restrict certificate extensions | Limit the certificate extensions in the dynamically generated (impersonation) server certificate to Key Usage and Extended Key Usage. Restrict certificate extensions if your deployment requires no other certificate extensions. |
Append certificate's CN value to SAN extension | Add a Subject Alternative Name (SAN) extension to the impersonation certificate that the firewall presents to clients during Forward Proxy decryption. When the original server certificate contains only a CN, the firewall copies that CN into a SAN extension in the impersonation certificate. This matters because modern browsers require server certificates to carry a SAN and no longer match on the CN; with the option enabled, end users can still reach the requested web resources and the firewall can still decrypt the session even if the server certificate contains only a CN. Enable this option to help ensure access to requested web resources. |
**Unsupported Mode Checks** | Select options to control TLS sessions that use protocol versions, cipher suites, or modes the firewall does not support. |
Block sessions with unsupported versions | Terminate the session if the Client Hello requests a protocol version that PAN-OS does not support. PAN-OS supports SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. Always block sessions with unsupported versions to prevent access to sites that use weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block sites with weak protocol versions. If a site you need for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and reference it from a Decryption policy rule that applies only to the sites for which you must allow the weaker protocol. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite negotiated in the TLS handshake is not supported by PAN-OS. Block sessions that use cipher suites you don't support. You configure which cipher suites (key exchange, encryption, and authentication algorithms) to allow on the SSL Protocol Settings tab. Don't allow users to connect to sites with weak cipher suites. |
Block sessions with client authentication | Terminate Forward Proxy sessions in which the server requests client (mutual TLS) authentication. Because the firewall terminates the client's TLS session and opens its own session to the server, it cannot present the client's certificate to the server, so these sessions cannot be decrypted. Block sessions with client authentication unless an important application requires it, in which case create a separate Decryption profile and apply it only to the traffic that requires client authentication. |
**Failure Checks** | Select the action to take if system resources are not available to process decryption. |
Block sessions if resources not available | Terminate sessions if system resources are not available to process decryption. Whether to block sessions when resources aren't available is a tradeoff between tighter security and a better user experience. If you don't block these sessions, the firewall passes through, undecrypted, traffic that you intended to decrypt while resources are impacted. If you do block them, sites that are normally reachable may become temporarily unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security module (HSM) is not available to sign the impersonation certificates. Whether to block sessions when the HSM isn't available depends on your compliance rules about where private keys must come from and on how you want to handle encrypted traffic while the HSM is unavailable. |
Block downgrade on no resources | Terminate the session if system resources are not available to process the TLSv1.3 handshake, instead of downgrading the handshake to TLSv1.2. Whether to block here is a tradeoff between tighter security and a better user experience. If you block the downgrade and TLSv1.3 resources aren't available, the firewall drops the session. If you do not block the downgrade, the firewall negotiates TLSv1.2 with the client and server whenever resources for the TLSv1.3 handshake aren't available. |
**Client Extension** | |
Strip ALPN | The firewall processes and inspects HTTP/2 traffic by default. To disable HTTP/2 inspection, select Strip ALPN; the firewall then removes any value carried in the Application-Layer Protocol Negotiation (ALPN) TLS extension. Because a client and server agree to use HTTP/2 over TLS through ALPN, removing the value causes the session to fall back to HTTP/1.1 or, if the client cannot fall back, to be classified as unknown TCP traffic. |

For the unsupported mode and failure checks, the firewall caches the session information for 12 hours, so subsequent sessions between the same client and server pair are passed through without decryption. Enable the corresponding block options if you want those sessions blocked instead.
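The SNI mismatch check and the CN-to-SAN option above interact in a way that is easier to see in code. The following is an added example, not PAN-OS code: it models the firewall-side check (SNI against SAN dNSName entries or the CN), the impersonation certificate the firewall would present with and without the append option, and a modern browser that validates SAN entries only. The `ServerCert` type, the `evaluate` function and the name-matching rules (RFC 6125 style: case-insensitive labels, a single wildcard as the whole leftmost label, no match across a dot) are this example's own assumptions; the certificates are constructed and not real sites.

```python
"""Model of 'Block sessions on SNI mismatch with Server Certificate (SAN/CN)'
and 'Append certificate's CN value to SAN extension'. Added example, not
PAN-OS code; how the firewall orders these checks internally is assumed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerCert:
    """Only the identity fields that matter for the SNI check."""
    cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # dNSName entries of the SAN extension


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate name against the SNI value."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, may not be the only label
    # left of the suffix ("*.com"), and matches exactly one non-empty label.
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def firewall_sni_check(sni: str, cert: ServerCert) -> bool:
    """Firewall-side check: the SNI must match a SAN dNSName or the CN."""
    candidates = list(cert.san_dns) + ([cert.cn] if cert.cn else [])
    return any(hostname_matches(name, sni) for name in candidates)


def impersonation_cert(cert: ServerCert, append_cn_to_san: bool) -> ServerCert:
    """Names on the certificate the firewall presents to the client. With the
    option on, a CN-only server certificate gains a SAN carrying that CN."""
    san = list(cert.san_dns)
    if not san and cert.cn and append_cn_to_san:
        san = [cert.cn]
    return ServerCert(cn=cert.cn, san_dns=san)


def browser_accepts(sni: str, cert: ServerCert) -> bool:
    """Modern browsers validate the host against SAN dNSNames only; CN is ignored."""
    return any(hostname_matches(name, sni) for name in cert.san_dns)


def evaluate(sni: str, cert: ServerCert, block_on_mismatch: bool = True,
             append_cn_to_san: bool = False) -> Dict[str, object]:
    """Outcome of one Forward Proxy session under the two profile options."""
    if block_on_mismatch and not firewall_sni_check(sni, cert):
        return {"firewall": "block", "browser": None, "impersonation_san": []}
    imp = impersonation_cert(cert, append_cn_to_san)
    return {"firewall": "allow",
            "browser": "accept" if browser_accepts(sni, imp) else "reject",
            "impersonation_san": imp.san_dns}


if __name__ == "__main__":
    # Constructed certificates (not real sites).
    cn_only = ServerCert(cn="legacy.example.test")
    wildcard = ServerCert(cn="example.test", san_dns=["*.example.test", "example.test"])
    print(evaluate("legacy.example.test", cn_only))                         # allowed, browser rejects
    print(evaluate("legacy.example.test", cn_only, append_cn_to_san=True))  # allowed, browser accepts
    print(evaluate("www.example.test", wildcard))                           # allowed, browser accepts
    print(evaluate("a.b.example.test", wildcard))                           # blocked: wildcard spans a dot
```

The CN-only case is the one the append option exists for: the firewall's own SAN/CN check passes, but the impersonation certificate it would otherwise generate carries no SAN, so the browser rejects it and the user sees a certificate error even though decryption succeeded.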
Settings | Description |
---|---|
**SSL Inbound Inspection tab** | Select options to limit or block traffic decrypted using Inbound Inspection. |
**Unsupported Mode Checks** | Select options to control sessions in which unsupported modes are detected in TLS traffic. |
Block sessions with unsupported versions | Terminate the session if the Client Hello requests a protocol version that PAN-OS does not support. PAN-OS supports SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. Always block sessions with unsupported versions to prevent access to servers that use weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block weak protocol versions. If an internal server you must expose for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and reference it from a Decryption policy rule that applies only to that server. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite negotiated in the TLS handshake is not supported by PAN-OS. Block sessions that use cipher suites you don't support. You configure which cipher suites (key exchange, encryption, and authentication algorithms) to allow on the SSL Protocol Settings tab. Don't allow clients to connect with weak cipher suites. |
**Failure Checks** | Select the action to take if system resources are not available. |
Block sessions if resources not available | Terminate sessions if system resources are not available to process decryption. Whether to block sessions when resources aren't available is a tradeoff between tighter security and a better user experience. If you don't block these sessions, the firewall passes through, undecrypted, traffic that you intended to decrypt while resources are impacted. If you do block them, servers that are normally reachable may become temporarily unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security module (HSM) is not available to perform the private-key operation needed to recover the session key. Whether to block sessions when the HSM isn't available depends on your compliance rules about where private keys must come from and on how you want to handle encrypted traffic while the HSM is unavailable. |
Block downgrade on no resources | Terminate the session if system resources are not available to process the TLSv1.3 handshake, instead of downgrading the handshake to TLSv1.2. Whether to block here is a tradeoff between tighter security and a better user experience. If you block the downgrade and TLSv1.3 resources aren't available, the firewall drops the session. If you do not block the downgrade, the firewall negotiates TLSv1.2 whenever resources for the TLSv1.3 handshake aren't available. |
Settings | Description |
---|---|
**SSL Protocol Settings tab** | Select the following settings to enforce protocol versions and cipher suites for TLS session traffic. |
Protocol Versions | Enforce minimum and maximum protocol versions for the TLS session. |
Min Version | Set the minimum protocol version that can be used to establish the TLS connection. Set the Min Version to TLSv1.2 for the strongest security. Review sites that don't support TLSv1.2 to see whether they really have a legitimate business purpose. For sites you need to access that don't support TLSv1.2, create a separate Decryption profile that specifies the strongest protocol version they do support and apply it to a Decryption policy rule that limits use of the weak version to only the necessary sites, from only the necessary sources (zones, addresses, users). |
Max Version | Set the maximum protocol version that can be used to establish the TLS connection. Choose Max to specify no upper bound; the firewall then supports any protocol version equal to or later than the selected minimum. Set the Max Version to Max so that the firewall automatically supports protocols as they improve. However, if your Decryption policy covers mobile applications, many of which use pinned certificates, set the Max Version to TLSv1.2. TLSv1.3 encrypts the server certificate, which earlier TLS versions sent in the clear, so the firewall cannot automatically add decryption exclusions based on certificate information; this affects some mobile applications. If you enable TLSv1.3, the firewall may therefore drop some mobile application traffic unless you create a No Decryption policy rule for that traffic. If you know which mobile applications you use for business, consider creating a separate Decryption policy rule and profile for those applications so that you can enable TLSv1.3 for all other traffic. |
Key Exchange Algorithms | Enforce the use of the selected key exchange algorithms for the TLS session. All three algorithms (RSA, DHE, and ECDHE) are enabled by default. DHE (Diffie-Hellman) and ECDHE (elliptic curve Diffie-Hellman) are ephemeral exchanges and provide Perfect Forward Secrecy (PFS) for Forward Proxy or Inbound Inspection decryption; static RSA key exchange does not, and TLSv1.3 no longer offers it at all. |
Encryption Algorithms | Enforce the use of the selected encryption algorithms for the TLS session. Don't allow the weak 3DES or RC4 algorithms. (The firewall automatically blocks these two algorithms when the minimum protocol version is TLSv1.2 or later.) If you must make an exception and allow a weaker protocol version, clear 3DES and RC4 in that Decryption profile as well. If there are sites you must access for business purposes that require 3DES or RC4, create a separate Decryption profile and apply it to a Decryption policy rule for just those sites. |
Authentication Algorithms | Enforce the use of the selected authentication algorithms for the TLS session. Block the old, weak MD5 algorithm (blocked by default). If no sites you need use SHA1 authentication, block SHA1 as well. If any sites you require for business purposes use SHA1, create a separate Decryption profile and apply it to a Decryption policy rule for just those sites. |
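The SSL Protocol Settings tab and the unsupported-version check combine into one decision per handshake. The following is an added example, not PAN-OS code: it models the tab as a `ProtocolSettings` object with the page's recommended defaults (TLSv1.2 minimum, no upper bound, 3DES/RC4/MD5 excluded), parses IANA cipher-suite names into the key exchange, encryption and authentication vocabulary the tab uses, and returns the reasons a handshake would be terminated. The algorithm names, the parser and the treatment of TLSv1.3 suites (which carry no key-exchange component in their name because TLSv1.3 only uses ephemeral exchanges, reported here as ECDHE) are this example's own assumptions, and the handshakes are constructed.

```python
"""Modelled enforcement of the SSL Protocol Settings tab (Min/Max Version and the
Key Exchange / Encryption / Authentication allow-lists) together with the
'Block sessions with unsupported versions' check.
Added example, not PAN-OS code: the settings fields, the IANA cipher-suite
name parser and the session model are this example's own."""

from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Versions the page lists as supported by PAN-OS, oldest first.
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class ProtocolSettings:
    """Mirrors the tab. Defaults follow the page's advice: TLSv1.2 minimum,
    no upper bound ("Max"), and 3DES, RC4 and MD5 not allowed."""
    min_version: str = "TLSv1.2"
    max_version: str = "Max"
    key_exchange: Set[str] = field(default_factory=lambda: {"RSA", "DHE", "ECDHE"})
    encryption: Set[str] = field(default_factory=lambda: {
        "AES128-CBC", "AES256-CBC", "AES128-GCM", "AES256-GCM", "CHACHA20-POLY1305"})
    authentication: Set[str] = field(default_factory=lambda: {"SHA1", "SHA256", "SHA384"})


def parse_suite(name: str) -> Tuple[str, str, str]:
    """Split an IANA cipher-suite name into (key exchange, encryption, authentication).
    Pre-1.3 names look like TLS_<kex>_<sig>_WITH_<cipher>_<hash>; TLSv1.3 names
    (TLS_AES_128_GCM_SHA256) have no key-exchange part because 1.3 only uses
    ephemeral (EC)DHE, so they are reported as ECDHE (a modelling choice)."""
    parts = name.split("_")
    if "WITH" in parts:
        kex = parts[1] if parts[1] in ("RSA", "DHE", "ECDHE") else "OTHER"
        cipher = parts[parts.index("WITH") + 1:]
    else:
        kex, cipher = "ECDHE", parts[1:]
    auth = {"MD5": "MD5", "SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}.get(cipher[-1], "OTHER")
    body = cipher[:-1]  # e.g. ['AES', '128', 'GCM'] or ['3DES', 'EDE', 'CBC'] or ['RC4', '128']
    if body and body[0] == "AES" and len(body) >= 3:
        enc = "AES%s-%s" % (body[1], body[2])
    elif body and body[0] == "3DES":
        enc = "3DES"
    elif body and body[0] == "RC4":
        enc = "RC4"
    elif body and body[0] == "CHACHA20":
        enc = "CHACHA20-POLY1305"
    else:
        enc = "OTHER"
    return kex, enc, auth


def provides_pfs(kex: str) -> bool:
    """Only the ephemeral exchanges give Perfect Forward Secrecy; static RSA does not."""
    return kex in ("DHE", "ECDHE")


def evaluate_session(settings: ProtocolSettings, version: str, suite: str) -> List[str]:
    """Return the reasons the firewall would terminate the session under these
    settings; an empty list means the handshake parameters are allowed."""
    if version not in VERSION_ORDER:
        # 'Block sessions with unsupported versions' fires before any profile comparison.
        return ["unsupported protocol version %s" % version]
    reasons = []
    idx = VERSION_ORDER.index(version)
    if idx < VERSION_ORDER.index(settings.min_version):
        reasons.append("%s is below Min Version %s" % (version, settings.min_version))
    if settings.max_version != "Max" and idx > VERSION_ORDER.index(settings.max_version):
        reasons.append("%s is above Max Version %s" % (version, settings.max_version))
    kex, enc, auth = parse_suite(suite)
    if kex not in settings.key_exchange:
        reasons.append("key exchange %s not allowed" % kex)
    if enc not in settings.encryption:
        reasons.append("encryption algorithm %s not allowed" % enc)
    if auth not in settings.authentication:
        reasons.append("authentication algorithm %s not allowed" % auth)
    return reasons


if __name__ == "__main__":
    # Constructed handshakes checked against the general profile and against the
    # kind of narrow exception profile the page recommends for one legacy site.
    general = ProtocolSettings()
    legacy = ProtocolSettings(min_version="TLSv1.0", encryption=general.encryption | {"3DES"})
    for version, suite in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                           ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                           ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
                           ("TLSv1.2", "TLS_RSA_WITH_RC4_128_MD5")]:
        print(version, suite,
              "| general:", evaluate_session(general, version, suite) or "allow",
              "| legacy:", evaluate_session(legacy, version, suite) or "allow")
```

Keeping the exception profile separate, as the page advises, is what makes the 3DES/TLSv1.0 handshake pass only for the rule that references `legacy`; the same handshake is terminated twice over by `general` (version below minimum, cipher not allowed), and a TLSv1.3 handshake is terminated only when you deliberately cap Max Version at TLSv1.2 for pinned-certificate mobile apps.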