Settings to Control Decrypted SSL Traffic

The following table describes the settings you can use to control SSL traffic that has been decrypted using either SSL Forward Proxy decryption or SSL Inbound Inspection. You can use these settings to limit or block SSL sessions based on criteria including the status of the external server certificate, the use of unsupported cipher suites or protocol versions, or the availability of system resources to process decryption.
SSL Decryption Tab Settings and Description

SSL Forward Proxy Tab—Select options to limit or block SSL traffic decrypted using SSL Forward Proxy.

  Server Certificate Validation—Select options to control server certificates for decrypted SSL traffic.

    Block sessions with expired certificates
      Terminate the SSL connection if the server certificate is expired. This prevents a user from accepting an expired certificate and continuing with the SSL session.

    Block sessions with untrusted issuers
      Terminate the SSL session if the server certificate issuer is untrusted.

    Block sessions with unknown certificate status
      Terminate the SSL session if a server returns a certificate revocation status of “unknown”. Certificate revocation status indicates whether trust for the certificate has been revoked.

    Block sessions on the certificate status check timeout
      Terminate the SSL session if the certificate status cannot be retrieved within the time the firewall is configured to wait for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).

    Restrict certificate extensions
      Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.

  Unsupported Mode Checks—Select options to control unsupported SSL applications.

    Block sessions with unsupported version
      Terminate sessions if PAN-OS does not support the protocol version requested in the “client hello” message. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2.

    Block sessions with unsupported cipher suites
      Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS.

    Block sessions with client authentication
      Terminate sessions that use client authentication for SSL Forward Proxy traffic.

  Failure Checks—Select the action to take if system resources are not available to process decryption.

    Block sessions if resources not available
      Terminate sessions if system resources are not available to process decryption.

    Block sessions if HSM not available
      Terminate sessions if a hardware security module (HSM) is not available to sign certificates.

  Note: For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. Enable the options above to block those sessions instead.

SSL Inbound Inspection Tab—Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection.

  Unsupported Mode Checks—Select options to control sessions if unsupported modes are detected in SSL traffic.

    Block sessions with unsupported versions
      Terminate sessions if PAN-OS does not support the protocol version requested in the “client hello” message. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2.

    Block sessions with unsupported cipher suites
      Terminate the session if the cipher suite used is not supported by PAN-OS.

  Failure Checks—Select the action to take if system resources are not available.

    Block sessions if resources not available
      Terminate sessions if system resources are not available to process decryption.

    Block sessions if HSM not available
      Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.

SSL Protocol Settings Tab—Select the following settings to enforce protocol versions and cipher suites for SSL session traffic.

  Protocol Versions
    Enforce the use of minimum and maximum protocol versions for the SSL session.

    Min Version
      Set the minimum protocol version that can be used to establish the SSL connection.

    Max Version
      Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, protocol versions equal to or later than the selected minimum version are supported.

  Key Exchange Algorithms
    Enforce the use of the selected key exchange algorithms for the SSL session.
    To implement Perfect Forward Secrecy (PFS) for SSL Forward Proxy or Inbound Inspection decryption, select DHE (Diffie-Hellman) or ECDHE (elliptic curve Diffie-Hellman) as the key exchange algorithm.
    If you enable PFS, you cannot use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

  Encryption Algorithms
    Enforce the use of the selected encryption algorithms for the SSL session.

  Authentication Algorithms
    Enforce the use of the selected authentication algorithms for the SSL session.
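The following is an added example, not PAN-OS code or part of the original page: a small Python model of how the certificate validation, unsupported-mode and protocol-settings options above combine into a per-session decision (decrypt, block, or pass through undecrypted), plus the PFS-with-HSM conflict noted under Key Exchange Algorithms. The profile fields, the Session record and the inbound_keys_on_hsm flag are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
# Constructed model of the checks above (not PAN-OS code); versions listed ascending.
SUPPORTED_VERSIONS = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]

@dataclass
class DecryptionProfile:
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = False
    block_unsupported_version: bool = True
    min_version: str = "TLS1.0"
    max_version: str = "Max"           # "Max" means no upper bound is enforced
    key_exchanges: set = field(default_factory=lambda: {"ECDHE", "DHE", "RSA"})
    inbound_keys_on_hsm: bool = False  # hypothetical flag for the HSM caveat

@dataclass
class Session:
    version: str                       # protocol version from the client hello
    key_exchange: str                  # negotiated key exchange, e.g. "ECDHE"
    cert_expired: bool = False
    issuer_trusted: bool = True
    revocation_status: str = "good"    # "good", "revoked" or "unknown"

def profile_errors(p: DecryptionProfile) -> list:
    """The conflict the page warns about: PFS key exchange with HSM-held keys."""
    if p.inbound_keys_on_hsm and p.key_exchanges & {"DHE", "ECDHE"}:
        return ["PFS key exchange cannot be used with HSM-held inbound keys"]
    return []

def decide(s: Session, p: DecryptionProfile) -> tuple:
    """Return ("decrypt", []), ("block", reasons) or ("bypass", reasons)."""
    if s.version not in SUPPORTED_VERSIONS:
        # Unsupported mode: blocked only if the option is set, else passed through undecrypted.
        return ("block" if p.block_unsupported_version else "bypass", ["unsupported version"])
    reasons = []
    idx = SUPPORTED_VERSIONS.index(s.version)
    if idx < SUPPORTED_VERSIONS.index(p.min_version):
        reasons.append("below minimum protocol version")
    if p.max_version != "Max" and idx > SUPPORTED_VERSIONS.index(p.max_version):
        reasons.append("above maximum protocol version")
    if s.key_exchange not in p.key_exchanges:
        reasons.append("key exchange algorithm not permitted")
    if p.block_expired and s.cert_expired:
        reasons.append("expired server certificate")
    if p.block_untrusted_issuer and not s.issuer_trusted:
        reasons.append("untrusted issuer")
    if p.block_unknown_status and s.revocation_status == "unknown":
        reasons.append("unknown certificate revocation status")
    return ("block", reasons) if reasons else ("decrypt", [])
```

Turning the "bypass" outcome into "block" is exactly what enabling the unsupported-mode options does; the 12-hour cache in the note is why a bypassed host pair stays undecrypted afterwards.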