End-of-Life (EoL)

Create a Decryption Profile

A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
  • Block sessions that use unsupported protocols or cipher suites, or that require client authentication.
  • Block sessions based on certificate status: the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can’t be retrieved within a configured timeout period.
  • Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
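The block conditions listed above, expressed as a small policy evaluator that reports every reason a session would be blocked. This is an added example and not Palo Alto Networks code or the firewall's actual implementation: the DecryptionProfile fields, the TlsSession record, the cipher allowlist and the sample handshakes are all constructed here for illustration.

```python
"""Model of the checks a decryption profile applies to one TLS session.

Added example, not Palo Alto Networks code. Profile fields, the session
record and the sample handshakes are constructed to show how the block
conditions combine into a verdict; nothing here is captured traffic.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class TlsVersion(IntEnum):
    """Wire-format version numbers, so min/max comparisons are numeric."""
    TLS1_0 = 0x0301
    TLS1_1 = 0x0302
    TLS1_2 = 0x0303
    TLS1_3 = 0x0304


# Constructed allowlist standing in for the profile's cipher-suite settings.
DEFAULT_CIPHERS = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
]


@dataclass
class DecryptionProfile:
    """Constructed analogue of the profile's protocol and certificate checks."""
    min_version: TlsVersion = TlsVersion.TLS1_2
    max_version: TlsVersion = TlsVersion.TLS1_3
    allowed_ciphers: List[str] = field(default_factory=lambda: list(DEFAULT_CIPHERS))
    block_client_auth: bool = True
    block_expired_cert: bool = True
    block_untrusted_issuer: bool = True
    block_restricting_extensions: bool = True
    block_unknown_status: bool = True
    status_timeout_seconds: float = 5.0  # how long a status lookup may take
    block_status_timeout: bool = True
    block_when_no_resources: bool = True


@dataclass
class TlsSession:
    """Constructed view of one handshake as the inspecting device sees it."""
    name: str
    version: TlsVersion
    cipher: str
    client_auth_requested: bool = False
    cert_expired: bool = False
    issuer_trusted: bool = True
    restricting_extensions: List[str] = field(default_factory=list)
    cert_status: Optional[str] = "good"  # "good", "unknown", or None (no answer)
    status_lookup_seconds: float = 0.0
    decrypt_resources_available: bool = True


def evaluate(profile: DecryptionProfile, s: TlsSession) -> List[str]:
    """Return every reason the profile would block the session; empty = allow.

    All checks are independent and all failures are reported, which is what
    an administrator tuning a profile needs rather than the first failure.
    """
    reasons: List[str] = []
    if not (profile.min_version <= s.version <= profile.max_version):
        reasons.append(f"unsupported protocol version {s.version.name}")
    if s.cipher not in profile.allowed_ciphers:
        reasons.append(f"unsupported cipher suite {s.cipher}")
    if profile.block_client_auth and s.client_auth_requested:
        reasons.append("server requires client authentication")
    if profile.block_expired_cert and s.cert_expired:
        reasons.append("certificate expired")
    if profile.block_untrusted_issuer and not s.issuer_trusted:
        reasons.append("certificate signed by an untrusted CA")
    if profile.block_restricting_extensions and s.restricting_extensions:
        reasons.append("certificate has extensions restricting its use: "
                       + ", ".join(s.restricting_extensions))
    # A lookup slower than the timeout counts as a timeout whatever it returned.
    if s.status_lookup_seconds > profile.status_timeout_seconds:
        if profile.block_status_timeout:
            reasons.append("certificate status not retrieved within timeout")
    elif profile.block_unknown_status and s.cert_status in ("unknown", None):
        reasons.append("certificate status unknown")
    if profile.block_when_no_resources and not s.decrypt_resources_available:
        reasons.append("decryption resources unavailable")
    return reasons


def audit(profile: DecryptionProfile, sessions: List[TlsSession]) -> Dict[str, List[str]]:
    """Map each session name to its block reasons (empty list means allowed)."""
    return {s.name: evaluate(profile, s) for s in sessions}


# Constructed sample handshakes, not captured traffic.
SAMPLE_SESSIONS = [
    TlsSession("ok", TlsVersion.TLS1_3, "TLS_AES_256_GCM_SHA384"),
    TlsSession("legacy", TlsVersion.TLS1_0, "ECDHE-RSA-AES128-SHA", cert_expired=True),
    TlsSession("mtls", TlsVersion.TLS1_2, "ECDHE-RSA-AES128-GCM-SHA256",
               client_auth_requested=True),
    TlsSession("slow-ocsp", TlsVersion.TLS1_2, "ECDHE-RSA-AES256-GCM-SHA384",
               status_lookup_seconds=9.0),
    TlsSession("untrusted", TlsVersion.TLS1_2, "ECDHE-ECDSA-AES128-GCM-SHA256",
               issuer_trusted=False, cert_status=None),
]

if __name__ == "__main__":
    for name, why in audit(DecryptionProfile(), SAMPLE_SESSIONS).items():
        print(f"{name:10} {'ALLOW' if not why else 'BLOCK: ' + '; '.join(why)}")
```

Each profile field maps to one of the block conditions above, so toggling a field (for example `block_client_auth=False`) shows exactly which sessions a relaxed profile would start to allow; the version check uses the wire-format numbers so that a minimum of TLS 1.2 and a maximum of TLS 1.3 compare correctly.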
  1. Select Objects > Decryption Profile, then Add or modify a decryption profile rule and give the rule a descriptive Name.
  2. (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
  3. (Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.
  4. (Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection. Select SSL Decryption:
    • Select SSL Forward Proxy to configure settings that verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
    • Select SSL Inbound Inspection to configure settings that enforce protocol versions and cipher suites and perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
    • Select SSL Protocol Settings to configure the minimum and maximum protocol versions and the key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
  5. (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption. Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
  6. (Optional) Block and control SSH traffic undergoing SSH Proxy decryption. Select SSH Proxy and configure settings to enforce supported protocol versions and
    These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
  7. Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
    1. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
    2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
    3. Click OK.
  8. Commit the configuration.