Enable Users to Opt Out of SSL Decryption
Allow users to choose whether they want to continue to a site for which traffic is decrypted or opt out and allow the firewall to terminate the session, preserving the user’s privacy but preventing the connection to the site.
In privacy-sensitive situations, you may want to alert your users that the firewall is decrypting certain web traffic and allow them either to continue to the site with the understanding that their traffic is decrypted or to terminate the session and be blocked from going to the site. (There is no option to go to the site and also avoid decryption.)
The first time a user attempts to browse to an HTTPS site or application that matches the decryption policy, the firewall displays a response page notifying users that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images. However, the best practice is not to allow users to opt out of decryption if you don’t have to.
Custom response pages larger than the maximum supported size are not decrypted or displayed to users. In PAN-OS 8.0.11 and earlier releases, custom response pages on a decrypted site cannot exceed 8,191 bytes; the maximum size is increased to 17,999 bytes in PAN-OS 8.0.12 and later PAN-OS 8.0 releases.
- (Optional) Customize the SSL Decryption Opt-out Page.
- Select Device > Response Pages.
- Select the SSL Decryption Opt-out Page link.
- Select the Predefined page and click Export.
- Using the HTML text editor of your choice, edit the page.
- If you want to add an image, host the image on a web server that is accessible from your end user systems. Reference it with an absolute URL: the response page is returned in place of the HTTPS site the user requested, so a relative path would resolve against that site, not against the firewall. Because the page is delivered on an HTTPS connection, a plain-HTTP image is mixed content that some browsers will not render; an HTTPS URL is the safer choice.
- Add a line to the HTML to point to the image. For example:
<img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
- Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
- Back on the firewall, select Device > Response Pages.
- Select the SSL Decryption Opt-out Page link.
- Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
- (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
- Click OK to import the file.
- Select the response page you just imported and click Close.
- Enable SSL Decryption Opt Out.
- On the Device > Response Pages page, click the Disabled link.
- Select the Enable SSL Opt-out Page and click OK.
- Commit the changes.
- Verify that the Opt Out page displays when you attempt to browse to a site.
- From a browser, go to an encrypted site that matches your decryption policy.
- Verify that the SSL Decryption Opt-out response page displays.
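The import step above silently fails on two conditions the procedure mentions only in passing: a file that is not UTF-8, and a file larger than the per-release size limit (8,191 bytes for PAN-OS 8.0.11 and earlier, 17,999 bytes for PAN-OS 8.0.12 and later 8.0 releases). The following Python script is an added example, not a Palo Alto Networks tool, that checks an edited page for both before you Import it, and also warns about image references that will not load in the user's browser. The sample page embedded at the bottom is constructed for illustration; the only limits it knows are the 8.0 figures from this page, so for other releases pass the limit yourself. The mixed-content and relative-URL warnings describe browser behaviour, not anything the firewall enforces.

```python
import re
from urllib.parse import urlparse

# Size limits stated in the documentation for the PAN-OS 8.0 line.
LIMIT_PANOS_8_0_11_AND_EARLIER = 8191
LIMIT_PANOS_8_0_12_AND_LATER = 17999

# Captures the src attribute of every <img> tag in the page.
IMG_SRC_RE = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def size_limit_for(panos_version):
    """Byte limit for a custom response page on a PAN-OS 8.0.x release.

    Only the 8.0 limits are given on the documentation page; for any other
    release pass max_bytes to check_response_page yourself (assumption).
    """
    parts = [int(p) for p in panos_version.split(".")]
    if parts[:2] != [8, 0]:
        raise ValueError("limit known only for PAN-OS 8.0.x; pass max_bytes explicitly")
    maintenance = parts[2] if len(parts) > 2 else 0
    if maintenance <= 11:
        return LIMIT_PANOS_8_0_11_AND_EARLIER
    return LIMIT_PANOS_8_0_12_AND_LATER


def check_response_page(raw, max_bytes):
    """Check the raw bytes of an edited opt-out page before importing it.

    Returns a dict with: ok (no errors), size (bytes, as the firewall will
    count them), errors (the firewall would reject or not display the page)
    and warnings (the page would display, but an image may not).
    """
    errors, warnings = [], []
    size = len(raw)
    try:
        html = raw.decode("utf-8")  # strict decode: any invalid byte is an error
    except UnicodeDecodeError as exc:
        errors.append(f"not valid UTF-8 at byte {exc.start}; re-save the file as UTF-8")
        return {"ok": False, "size": size, "errors": errors, "warnings": warnings}
    if size > max_bytes:
        errors.append(f"{size} bytes exceeds the {max_bytes}-byte limit; "
                      "the firewall will not display the page")
    for src in IMG_SRC_RE.findall(html):
        scheme = urlparse(src).scheme.lower()
        if scheme == "http":
            # The page is returned on an HTTPS request, so a plain-HTTP image is
            # mixed content and some browsers refuse to load it.
            warnings.append(f"image {src} uses plain HTTP; some browsers will not "
                            "render it on the HTTPS opt-out page")
        elif scheme == "":
            # A relative path resolves against the site the user requested.
            warnings.append(f"image {src} is relative; it would be fetched from the "
                            "requested site, not from your image host")
    return {"ok": not errors, "size": size, "errors": errors, "warnings": warnings}


# Constructed sample page carrying the logo line from the procedure above; the
# page exported from the firewall is longer, this is only for illustration.
SAMPLE_PAGE = (
    '<!DOCTYPE html>\n<html><head><meta charset="utf-8">'
    "<title>SSL Decryption Opt-out</title></head><body>\n"
    '<img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>\n'
    "<p>This session will be decrypted. Click Yes to continue or No to opt out.</p>\n"
    "</body></html>\n"
).encode("utf-8")

if __name__ == "__main__":
    report = check_response_page(SAMPLE_PAGE, size_limit_for("8.0.12"))
    for line in report["errors"] + report["warnings"]:
        print(line)
    print("ok" if report["ok"] else "fix the errors before importing")
```

Run it against the file you saved in the edit step (read it with `open(path, "rb")` and pass the bytes to `check_response_page`). An error means the Import will not produce a usable page; a warning means the page will display but the image may be missing, which is worth knowing before you commit and test from a browser.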