SSL Protocol Settings Decryption Profile

The SSL Protocol Settings define the protocols and the key exchange, encryption, and authentication algorithms that the firewall accepts for outbound SSL Forward Proxy and inbound SSL Inbound Inspection traffic.
The SSL Protocol Settings (ObjectsDecryption ProfileSSL DecryptionSSL Protocol Settings) control whether you allow vulnerable SSL/TLS protocol versions, weak encryption algorithms, and weak authentication algorithms. SSL Protocol Settings apply to outbound SSL Forward Proxy and inbound SSL Inbound Inspection traffic. These settings don’t apply to SSH Proxy traffic or to traffic that you don’t decrypt.
The following figure shows the general best practice recommendations for SSL Protocol Settings. There are also specific best practices for perimeter internet gateway decryption profiles and for data center decryption profiles.
When you configure SSL Protocol Settings for SSL Inbound Inspection traffic, create separate profiles for servers with different security capabilities. For example, if one set of servers supports only RSA, the SSL Protocol Settings only need to support RSA. However, the SSL Protocol Settings for servers that support PFS should support PFS. Configure SSL Protocol Settings for the highest level of security that the target server you are protecting supports, but check performance to ensure that the firewall resources can handle the higher processing load that higher security protocols and algorithms require.
ssl-protocol-settings-best-practice-decryption-profile.png
Protocol Versions:
  • Set the Min Version to TLSv1.2 to provide the strongest security—business sites that value security support TLSv1.2. If a site (or a category of sites) only supports weaker ciphers, review the site and determine if it really houses a legitimate business application. If it does, make an exception for only that site by configuring a Decryption profile with a Min Version that matches the strongest cipher the site supports and then applying the profile to a Decryption policy rule that limits allowing the weak cipher to only the site or sites in question. If the site doesn’t house a legitimate business application, don’t weaken your security posture to support the site—weak protocols (and ciphers) contain known vulnerabilities that attackers can exploit. If the site belongs to a category of sites that you don’t need for business purposes, use URL Filtering to block access to the entire category. Don’t support weak encryption or authentication algorithms unless you must do so to support important legacy sites, and when you make exceptions, create a separate Decryption profile that allows the weaker protocol just for those sites. Don’t downgrade the main Decryption profile that you apply to most sites to TLSv1.1 just to accommodate a few exceptions.
    Decrypting TLS traffic forces browsers that use HTTP/2 to fall back to HTTP 1.1 because the firewall can’t decrypt HTTP/2 traffic. Allow browsers to fall back to HTTP 1.1 so you can decrypt this traffic and prevent potentially dangerous traffic from entering the network as encrypted traffic.
    Qualys SSL Labs SSL Pulse web page provides up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world so you can see trends and understand how widespread worldwide support is for more secure ciphers and protocols.
  • Set the Max Version to Max rather than to a particular version so that as the protocols improve, the firewall automatically supports the newest and best protocols. Whether you intend to attach a Decryption profile to a Decryption policy rule that governs inbound (SSL Inbound Inspection) or outbound (SSL Forward Proxy) traffic, avoid allowing weak algorithms.
Key Exchange Algorithms: Leave all three boxes checked (default) to support both RSA and PFS (DHE and ECDHE) key exchanges.
Encryption Algorithms: When you set the protocol version to TLSv1.2, the older, weaker 3DES and RC4 algorithms are automatically unchecked (blocked). For any traffic for which you must allow a weaker TLS protocol, create a separate Decryption profile and apply it only to traffic for that site, and uncheck the 3DES and RC4 boxes. Do not allow traffic that uses the 3DES or RC4 algorithms. If unchecking the 3DES or RC4 boxes prevents you from accessing a site that you must use for business, create a separate Decryption profile for that site. Don’t weaken decryption for any other sites.
Authentication Algorithms: The older, weaker MD5 algorithm is automatically unchecked (blocked). Do not allow MD5 authenticated traffic on your network; SHA1 is the weakest authentication algorithm you should allow. If no necessary sites use SHA1, uncheck the box and block traffic to further reduce the attack surface.

Related Documentation