SSL Forward Proxy Decryption Profile

The SSL Forward Proxy Decryption profile blocks risky outbound sessions, verifies certificates, and provides session failure checks.
The SSL Forward Proxy Decryption profile (
Objects
Decryption Profile
SSL Decryption
SSL Forward Proxy
) controls the server verification, session mode checks, and failure checks for outbound traffic defined in SSL Forward Proxy Decryption policies to which you attach the profile. The following figure shows the general best practice recommendations for SSL Forward Proxy Decryption profile settings, but the settings you use also depend on your company’s security compliance rules and local laws and regulations. There are also specific best practices for perimeter internet gateway decryption profiles and for data center decryption profiles.
ssl-forward-proxy-best-practice-decryption-profile.png
Server Certificate Verification:
  • Block sessions with expired certificates
    —Always check this box to block sessions with servers that have expired certificates and prevent access to potentially insecure sites. If you don’t check this box, users can connect with and transact with potentially malicious sites and see warning messages when they attempt to connect, but the connection is not prevented.
  • Block sessions with untrusted issuers
    —Always check this box to block sessions with servers that have untrusted certificate issuers. An untrusted issuer may indicate a man-in-the-middle attack, a replay attack, or other attack.
  • Block sessions with unknown certificate status
    —Blocks the SSL session when a the certificate revocation status of the server returns with the status “unknown”. Because certificate status may be unknown for multiple reasons, for general decryption security, checking this box usually tightens security too much. However, in higher-security areas of the network such as the data center, checking this box makes sense.
  • Block sessions on certificate status check timeout
    —Whether to block sessions if the status check times out depends on your company’s security compliance stance because it’s a tradeoff between tighter security and a better user experience. Certificate status verification examines the Certificate Revocation List (CRL) on a revocation server or uses Online Certificate Status Protocol (OCSP) to find out if the issuing CA has revoked the certificate and the certificate should not be trusted. However, revocation servers can be slow to respond, which can cause the session to timeout and the firewall to block the session even though the certificate may be valid. If you
    Block sessions on certificate status check timeout
    and the revocation server is slow to respond, you can use
    Device
    Setup
    Session
    Decryption Settings
    and click
    Certificate Revocation Checking
    to change the default timeout value of five seconds to another value. For example, you could increase the timeout value to eight seconds, as shown in the following figure. Enable both CRL and OCSP certificate revocation checking because server certificates can contain the CRL URL in the CRL Distribution Point (CDP) extension or the OCSP URL in the Authority Information Access (AIA) certificate extension.
    cert-revocation-checking-timeouts.png
  • Restrict certificate extensions
    —Checking this box limits the certificate extensions in the server certificate to key usage and extended key usage and blocks certificates with other extensions. However, in certain deployments, some other certificate extensions may be necessary, so only check this box if your deployment requires no other certificate extensions.
Unsupported Mode Checks. If you don’t block sessions with unsupported modes, users receive a warning message if they connect with potentially unsafe servers, and they can click through that message and reach the potentially dangerous site. Blocking these sessions protects you from servers that use weak, risky protocol versions and algorithms:
  • Block sessions with unsupported versions
    —When you configure the SSL Protocol Settings Decryption Profile, you specify the minimum version of SSL protocol to allow on your network to reduce the attack surface by blocking weak protocols. Always check this box to block sessions with the weak SSL protocol versions that you have chosen not to support.
  • Block sessions with unsupported cipher suites
    —Always check this box to block sessions if the firewall doesn’t support the cipher suite specified in the SSL handshake. You configure which algorithms the firewall supports on the
    SSL Protocol Settings
    tab of the Decryption profile.
  • Block sessions with client authentication
    —If you have no critical applications that require client authentication, block it because firewall can’t decrypt sessions that require client authentication. The firewall needs both the client and the server certificates to perform bi-directional decryption, but the firewall only knows the server certificate. This breaks decryption for client authentication sessions. When you check this box, the firewall blocks all sessions with client authentication except sessions from sites on the SSL Decryption Exclusion list (
    Device
    Certificate Management
    SSL Decryption Exclusion
    ).
    If you don’t
    Block sessions with client authentication
    , when the firewall attempts to decrypt a session that uses client authentication, the firewall allows the session and adds an entry in its local decrypt exclude cache that contains the server URL/IP address, the application, and the Decryption profile. Entries remain in the cache for 12 hours and then age out. If the same user or a different user attempts to access the serer within 12 hours using client authentication, the firewall matches the session to the decrypt exclude cache entry, does not attempt to decrypt the traffic, and allows the encrypted session.
    If the exclude cache becomes full, the firewall purges the oldest entries as new entries arrive. If you change the Decryption policy or profile, the firewall flushes the exclude cache because changing the policy or profile can change the classification outcome of the session.
    You may need to allow traffic on your network from other sites that use client authentication in addition to the Predefined sites on the SSL Decryption Exclusion list. Create a Decryption profile that allows sessions with client authentication. Add it to a Decryption policy rule that applies only to the server(s) that house the application. To increase security even more, you can require Multi-Factor Authentication to complete the user login process.
Failure Checks:
  • Block sessions if resources not available
    —If you don’t block sessions when firewall processing resources aren’t available, then encrypted traffic that you want to decrypt enters the network still encrypted, risking allowing potentially dangerous connections. However, blocking sessions when firewall processing resources aren’t available may affect the user experience by making sites that users normally can reach temporarily unreachable. Whether to implement failure checks depends on your company’s security compliance stance and the importance to your business of the user experience, weighed against tighter security. Alternatively, consider using firewall models with more processing power so that you can decrypt more traffic.
  • Block sessions if HSM not available
    —If you use a Hardware Security Module (HSM) to store your private keys, whether you use one depends on your compliance rules about where the private key must come from and how you want to handle encrypted traffic if the HSM isn’t available. For example, if your company mandates the use of an HSM for private key signing, then block sessions if the HSM isn’t available. However, if your company is less strict about this, then you can consider not blocking sessions if the HSM isn’t available. (If the HSM is down, the firewall can process decryption for sites for which it has cached the response from the HSM, but not for other sites.) The best practice in this case depends on your company’s policies. If the HSM is critical to your business, run the HSM in a high-availability (HA) pair (PAN-OS 8.0 supports two members in an HSM HA pair).

Related Documentation