Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions that use unsupported protocol versions or cipher suites, or that require client authentication.
- Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can’t be retrieved during a configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
- Select Objects > Decryption Profile, then Add or modify a decryption profile rule and give the rule a descriptive Name.
- (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
- (Decryption Mirroring Only) To configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.
- Select SSL Decryption:
  - Select SSL Forward Proxy to configure settings that verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL-decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
  - Select SSL Inbound Inspection to configure settings that enforce protocol versions and cipher suites and perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
  - Select SSL Protocol Settings to configure the minimum and maximum protocol versions and the key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
- (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption. Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
- (Optional) Block and control SSH traffic undergoing SSH Proxy decryption. Select SSH Proxy and configure settings to enforce supported protocol versions and These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
- Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
  - Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
  - Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
- Commit the configuration.
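The steps above are performed in the web interface, but the resulting profile is just XML in the firewall configuration, and the same checks (certificate status, protocol versions, cipher suites, failure handling) can be audited there. The script below is an added example, not Palo Alto Networks code: it takes a constructed decryption profile in which weak ciphers are still allowed and the certificate checks are off, reports every setting that should be blocked, and emits a hardened copy. The element names (ssl-forward-proxy, ssl-inbound-proxy, ssl-no-proxy, ssl-protocol-settings and the block-* / enc-algo-* / auth-algo-* leaves) follow the PAN-OS configuration schema as I recall it and are an assumption; confirm them against your own running configuration before using this against a real export. Tabs that are absent from the profile are skipped, mirroring the page's point that each tab is enforced only when the profile is attached to a policy rule of the matching type.

```python
"""Audit a PAN-OS decryption profile (exported XML) for weak settings.

Added example, not Palo Alto Networks code. Element names are assumed to
follow the PAN-OS config schema; verify against `show config running`.
"""
import xml.etree.ElementTree as ET

# Constructed sample: certificate checks disabled, TLS 1.0 allowed, weak
# ciphers still enabled. The ssl-inbound-proxy tab is deliberately absent.
WEAK_PROFILE_XML = """
<entry name="weak-profile">
  <ssl-forward-proxy>
    <block-expired-certificate>no</block-expired-certificate>
    <block-untrusted-issuer>no</block-untrusted-issuer>
    <block-unsupported-version>no</block-unsupported-version>
    <block-unsupported-cipher>no</block-unsupported-cipher>
  </ssl-forward-proxy>
  <ssl-protocol-settings>
    <min-version>tls1-0</min-version>
    <max-version>max</max-version>
    <enc-algo-3des>yes</enc-algo-3des>
    <enc-algo-rc4>yes</enc-algo-rc4>
    <auth-algo-md5>yes</auth-algo-md5>
    <auth-algo-sha1>yes</auth-algo-sha1>
  </ssl-protocol-settings>
  <ssl-no-proxy>
    <block-expired-certificate>no</block-expired-certificate>
    <block-untrusted-issuer>no</block-untrusted-issuer>
  </ssl-no-proxy>
</entry>
"""

VERSION_ORDER = ["sslv3", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]
MIN_ACCEPTABLE_VERSION = "tls1-2"

# Per tab, the block settings the page recommends; each must read "yes".
# An absent leaf is treated as "no", which is the firewall's unchecked default.
REQUIRED_BLOCKS = {
    "ssl-forward-proxy": [
        "block-expired-certificate", "block-untrusted-issuer",
        "block-unknown-cert", "block-timeout-cert", "restrict-cert-exts",
        "block-unsupported-version", "block-unsupported-cipher",
        "block-client-cert", "block-if-no-resource", "block-if-hsm-unavailable",
    ],
    "ssl-inbound-proxy": [
        "block-unsupported-version", "block-unsupported-cipher",
        "block-if-no-resource", "block-if-hsm-unavailable",
    ],
    "ssl-no-proxy": ["block-expired-certificate", "block-untrusted-issuer"],
}
WEAK_ALGOS = ["enc-algo-3des", "enc-algo-rc4", "auth-algo-md5"]


def _leaf(section, tag, default="no"):
    node = section.find(tag)
    return node.text.strip() if node is not None and node.text else default


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile passes."""
    root = ET.fromstring(xml_text.strip())
    name = root.get("name", "?")
    findings = []
    for tab, keys in REQUIRED_BLOCKS.items():
        section = root.find(tab)
        if section is None:
            continue  # tab not configured: only enforced for matching rule types anyway
        for key in keys:
            if _leaf(section, key) != "yes":
                findings.append(f"{name}: {tab}/{key} should be yes")
    proto = root.find("ssl-protocol-settings")
    if proto is not None:
        minv = _leaf(proto, "min-version", "sslv3")
        if minv not in VERSION_ORDER or VERSION_ORDER.index(minv) < VERSION_ORDER.index(MIN_ACCEPTABLE_VERSION):
            findings.append(f"{name}: ssl-protocol-settings/min-version {minv} is below {MIN_ACCEPTABLE_VERSION}")
        for algo in WEAK_ALGOS:
            if _leaf(proto, algo) == "yes":
                findings.append(f"{name}: ssl-protocol-settings/{algo} is enabled (weak)")
    return findings


def harden_profile(xml_text):
    """Return a copy of the profile XML with every finding from audit_profile fixed."""
    root = ET.fromstring(xml_text.strip())
    for tab, keys in REQUIRED_BLOCKS.items():
        section = root.find(tab)
        if section is None:
            continue
        for key in keys:
            node = section.find(key)
            if node is None:
                node = ET.SubElement(section, key)
            node.text = "yes"
    proto = root.find("ssl-protocol-settings")
    if proto is not None:
        minv = proto.find("min-version")
        if minv is None:
            minv = ET.SubElement(proto, "min-version")
        if minv.text not in VERSION_ORDER or VERSION_ORDER.index(minv.text) < VERSION_ORDER.index(MIN_ACCEPTABLE_VERSION):
            minv.text = MIN_ACCEPTABLE_VERSION
        for algo in WEAK_ALGOS:
            node = proto.find(algo)
            if node is None:
                node = ET.SubElement(proto, algo)
            node.text = "no"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit_profile(WEAK_PROFILE_XML):
        print(line)
    print(harden_profile(WEAK_PROFILE_XML))
```

Running it prints sixteen findings for the constructed profile (the four explicit "no" leaves plus six absent ones under ssl-forward-proxy, the two under ssl-no-proxy, the TLS 1.0 minimum, and the three weak algorithms) and then the corrected XML, which audits clean. SHA-1 authentication is left alone here because the page does not call it out; add it to WEAK_ALGOS if your policy does.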