End-of-Life (EoL)
Settings to Control Decrypted SSL Traffic
The following table describes the settings you can use
to control SSL traffic that has been decrypted using either SSL Forward
Proxy decryption or SSL Inbound Inspection. You can use these settings
to limit or block SSL sessions based on criteria including the status
of the external server certificate, the use of unsupported cipher
suites or protocol versions, or the availability of system resources
to process decryption.
SSL Decryption Tab
Settings | Description |
---|---|
SSL Forward Proxy Tab—Select options to limit or block SSL traffic decrypted using SSL Forward Proxy. | |
Server Certificate Validation—Select options to control server certificates for decrypted SSL traffic. | |
Block sessions with expired certificates | Terminate the SSL connection if the server certificate is expired. This prevents users from accepting expired certificates and continuing with an SSL session. Block sessions with expired certificates to prevent access to potentially insecure sites. |
Block sessions with untrusted issuers | Terminate the SSL session if the server certificate issuer is untrusted. Block sessions with untrusted issuers because an untrusted issuer may indicate a man-in-the-middle attack, a replay attack, or another attack. |
Block sessions with unknown certificate status | Terminate the SSL session if a server returns a certificate revocation status of “unknown”. Certificate revocation status indicates whether trust for the certificate has been revoked. Block sessions with unknown certificate status for the tightest security. However, because certificate status may be unknown for a variety of reasons, this may tighten security too much. If blocking unknown certificate status affects sites you need to use for business, don’t block sessions with unknown certificate status. |
Block sessions on the certificate status check timeout | Terminate the SSL session if the certificate status cannot be retrieved within the time the firewall is configured to wait for a response from a certificate status service. You configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile). Blocking sessions when the status check times out is a tradeoff between tighter security and a better user experience. If certificate revocation servers respond slowly, blocking on a timeout may block sites that have valid certificates. You can increase the timeout value for certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) checks if you are concerned about timing out valid certificates. |
Restrict certificate extensions | Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage. Restrict certificate extensions if your deployment requires no other certificate extensions. |
Append certificate's CN value to SAN extension | Enable the firewall to add a Subject Alternative Name (SAN) extension to the impersonation certificate it presents to clients as part of SSL Forward Proxy decryption. When a server certificate contains only a Common Name (CN), the firewall adds a SAN extension to the impersonation certificate based on the server certificate CN. Append the certificate’s CN value to the SAN extension to help ensure access to requested web resources. |
Unsupported Mode Checks—Select options to control unsupported SSL applications. | |
Block sessions with unsupported versions | Terminate the session if the protocol version in the client hello message is one that PAN-OS does not support. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2. Always block sessions with unsupported versions to prevent access to sites with weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block sites with weak protocol versions. If a site you need to access for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and specify it in a Decryption policy rule that applies only to the sites for which you must allow the weaker protocol. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS. Block sessions that use cipher suites you don’t support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don’t allow users to connect to sites with weak cipher suites. |
Block sessions with client authentication | Terminate sessions with client authentication for SSL forward proxy traffic. Block sessions with client authentication unless an important application requires it, in which case you should create a separate Decryption profile and apply it only to traffic that requires client authentication. |
Failure Checks—Select the action to take if system resources are not available to process decryption. | |
Block sessions if resources not available | Terminate sessions if system resources are not available to process decryption. Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security module (HSM) is not available to sign certificates. Whether to block sessions if the HSM isn’t available depends on your compliance rules about where private keys must come from and how you want to handle encrypted traffic if the HSM isn’t available. |
For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. Enable the options to block those sessions instead. | |
SSL Inbound Inspection Tab—Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection. | |
Unsupported Mode Checks—Select options to control sessions if unsupported modes are detected in SSL traffic. | |
Block sessions with unsupported versions | Terminate the session if the protocol version in the client hello message is one that PAN-OS does not support. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2. Always block sessions with unsupported versions to prevent access to sites with weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block sites with weak protocol versions. If a site you need to access for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and specify it in a Decryption policy rule that applies only to the sites for which you must allow the weaker protocol. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite used is not supported by PAN-OS. Block sessions that use cipher suites you don’t support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don’t allow users to connect to sites with weak cipher suites. |
Failure Checks—Select the action to take if system resources are not available. | |
Block sessions if resources not available | Terminate sessions if system resources are not available to process decryption. Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key. Whether to block sessions if the HSM isn’t available depends on your compliance rules about where private keys must come from and how you want to handle encrypted traffic if the HSM isn’t available. |
SSL Protocol Settings Tab—Select the following settings to enforce protocol versions and cipher suites for SSL session traffic. | |
Protocol Versions | Enforce the use of minimum and maximum protocol versions for the SSL session. |
Min Version | Set the minimum protocol version that can be used to establish the SSL connection. Set the Min Version to TLSv1.2 to provide the strongest security. Review sites that don’t support TLSv1.2 to see if they really have a legitimate business purpose. For sites you need to access that don’t support TLSv1.2, create a separate Decryption profile that specifies the strongest protocol version they support and apply it to a Decryption policy rule that limits the use of the weak version to only the necessary sites, from only the necessary sources (zones, addresses, users). |
Max Version | Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, protocol versions equivalent to or later than the selected minimum version are supported. Set the Max Version to Max so that as protocols improve, the firewall automatically supports them. |
Key Exchange Algorithms | Enforce the use of the selected key exchange algorithms for the SSL session. All three algorithms (RSA, DHE, and ECDHE) are enabled by default. The DHE (Diffie-Hellman) and ECDHE (elliptic curve Diffie-Hellman) algorithms enable Perfect Forward Secrecy (PFS) for SSL Forward Proxy or Inbound Inspection decryption. |
Encryption Algorithms | Enforce the use of the selected encryption algorithms for the SSL session. Don’t support the weak 3DES or RC4 encryption algorithms. (The firewall automatically blocks these two algorithms when you use TLSv1.2 as the minimum protocol version.) If you have to make an exception and support a weaker protocol version, uncheck 3DES and RC4 in the Decryption profile. If there are sites you must access for business purposes that use the 3DES or RC4 encryption algorithms, create a separate Decryption profile and apply it to a Decryption policy rule for just those sites. |
Authentication Algorithms | Enforce the use of the selected authentication algorithms for the SSL session. Block the old, weak MD5 algorithm (blocked by default). If no necessary sites use SHA1 authentication, block SHA1. If any sites you require for business purposes use SHA1, create a separate Decryption profile and apply it to a Decryption policy rule for just those sites. |
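The checks in the table interact: one session can fail several of them at once, an unsupported-mode or failure check whose block option is off leaves the session undecrypted (and cached for 12 hours) rather than terminated, and the recommended way to handle a legacy site is a second, narrowly scoped Decryption profile rather than a weaker default. The Python model below is an added illustration, not PAN-OS code; the class and field names, the `no-decrypt` label, the first-match rule list and the host name `legacy-erp.corp.example` are assumptions constructed for the example. Cipher suites are written in OpenSSL-style names so the key exchange / encryption / authentication split enforced on the SSL Protocol Settings tab is visible.

```python
"""Model of how a Decryption profile's checks combine on one SSL session.
Added illustration, not PAN-OS code: class and field names, the 'no-decrypt'
label and the first-match rule list are assumptions made for this example."""
from dataclasses import dataclass, field

# Versions the page lists as supported, oldest first (the ranking is ours).
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

@dataclass
class DecryptionProfile:
    # Server Certificate Validation (SSL Forward Proxy tab)
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = False
    block_status_timeout: bool = False
    # Unsupported Mode Checks
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True
    block_client_auth: bool = True
    # Failure Checks
    block_if_no_resources: bool = False
    block_if_no_hsm: bool = False
    # SSL Protocol Settings; defaults follow the page's recommendations
    min_version: str = "TLSv1.2"
    max_version: str = "Max"
    key_exchange: set = field(default_factory=lambda: {"RSA", "DHE", "ECDHE"})
    encryption: set = field(default_factory=lambda: {"AES128-CBC", "AES256-CBC", "AES128-GCM", "AES256-GCM"})
    authentication: set = field(default_factory=lambda: {"SHA256", "SHA384"})

@dataclass
class Session:
    server: str
    version: str                     # protocol version from the client hello
    cipher_suite: str                # OpenSSL-style suite name
    cert_expired: bool = False
    issuer_trusted: bool = True
    revocation_status: str = "good"  # "good", "unknown" or "timeout"
    client_auth: bool = False
    resources_available: bool = True
    hsm_available: bool = True

def parse_cipher_suite(name):
    """Split an OpenSSL-style name into (key exchange, encryption, hash); no leading
    ECDHE/DHE token (e.g. AES128-SHA) means plain RSA key exchange."""
    parts = name.split("-")
    kx = "RSA"
    if parts[0] in ("ECDHE", "DHE"):
        kx, parts = parts[0], parts[2:]  # drop kx and the signature token (RSA/ECDSA)
    mac = "SHA1" if parts[-1] == "SHA" else parts[-1]
    enc = "-".join(parts[:-1])
    if enc == "DES-CBC3":
        enc = "3DES"
    elif enc.startswith("AES") and "GCM" not in enc:
        enc += "-CBC"
    return kx, enc, mac

def decide(profile, s):
    """Return (action, reasons). 'block' terminates the session; 'no-decrypt' is an
    unsupported-mode or failure condition whose block option is off, which the page
    says leaves the session undecrypted and cached for 12 hours."""
    block, skip = [], []
    # Server certificate validation: a disabled check is simply not applied
    for enabled, hit, reason in (
            (profile.block_expired, s.cert_expired, "expired server certificate"),
            (profile.block_untrusted_issuer, not s.issuer_trusted, "untrusted issuer"),
            (profile.block_unknown_status, s.revocation_status == "unknown", "unknown certificate status"),
            (profile.block_status_timeout, s.revocation_status == "timeout", "status check timed out")):
        if enabled and hit:
            block.append(reason)
    # Protocol version: unsupported outright (unsupported-mode check) or outside
    # the Min/Max window (protocol settings, always enforced)
    if s.version not in TLS_ORDER:
        (block if profile.block_unsupported_version else skip).append(f"unsupported version {s.version}")
    else:
        v = TLS_ORDER.index(s.version)
        if v < TLS_ORDER.index(profile.min_version):
            block.append(f"{s.version} below Min Version {profile.min_version}")
        if profile.max_version != "Max" and v > TLS_ORDER.index(profile.max_version):
            block.append(f"{s.version} above Max Version {profile.max_version}")
    # Remaining unsupported-mode and failure checks: option off means no decryption
    kx, enc, mac = parse_cipher_suite(s.cipher_suite)
    for enabled, hit, reason in (
            (profile.block_unsupported_cipher, kx not in profile.key_exchange, f"key exchange {kx}"),
            (profile.block_unsupported_cipher, enc not in profile.encryption, f"encryption {enc}"),
            (profile.block_unsupported_cipher, mac not in profile.authentication, f"authentication {mac}"),
            (profile.block_client_auth, s.client_auth, "client authentication"),
            (profile.block_if_no_resources, not s.resources_available, "resources unavailable"),
            (profile.block_if_no_hsm, not s.hsm_available, "HSM unavailable")):
        if hit:
            (block if enabled else skip).append(reason)
    return ("block", block) if block else ("no-decrypt", skip) if skip else ("decrypt", [])

# Decryption policy rules, first match wins (constructed): the strict profile is the
# default and the exception profile is scoped to one legacy server only.
STRICT = DecryptionProfile()
LEGACY = DecryptionProfile(min_version="TLSv1.0", encryption=STRICT.encryption | {"3DES"},
                           authentication=STRICT.authentication | {"SHA1"})
RULES = [("legacy-erp.corp.example", LEGACY), ("*", STRICT)]

def inspect_session(s):
    """Apply the profile of the first matching rule to the session."""
    return decide(next(p for pattern, p in RULES if pattern in ("*", s.server)), s)
```

With these rules, `inspect_session(Session("www.example.com", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))` returns `("decrypt", [])`; a `TLSv1.0` session to the same host offering `DHE-RSA-DES-CBC3-SHA` is blocked for three reasons (version below Min Version, 3DES encryption, SHA1 authentication); and that same weak session to `legacy-erp.corp.example` decrypts, because the exception profile applies only to that rule. Turning `block_if_no_hsm` off in the strict profile and marking the HSM unavailable yields `no-decrypt`, which is the cached pass-through the note in the table describes.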
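For comparison with the SSL Protocol Settings rows, the block below is an added example that uses Python's standard `ssl` module (OpenSSL underneath) rather than anything from PAN-OS. It expresses the same recommendations (Min Version TLSv1.2, Max as the maximum, PFS key exchange only, AES encryption, no 3DES, RC4, MD5 or SHA1) as an OpenSSL cipher string and reports which suites the local OpenSSL build would still offer. The function names are this example's own; the cipher-string aliases are OpenSSL's.

```python
"""Endpoint-side counterpart of the SSL Protocol Settings tab, using Python's
standard ssl module. Added example, not PAN-OS code."""
import ssl

# OpenSSL cipher-string aliases: ECDHE/DHE select the PFS key exchanges, AES the
# encryption, and the negated entries remove the algorithms the page says to
# block (aNULL additionally removes unauthenticated suites).
HARDENED_CIPHERS = "ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4:!3DES:!SHA1"
WEAK_MARKERS = ("RC4", "DES", "MD5")


def hardened_context():
    """Build a client context equivalent to the recommended profile settings."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # Min Version
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # the page's "Max"
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_suites(ctx):
    """Names of the suites the context will offer; TLS 1.3 suites are fixed by
    OpenSSL and appear alongside the filtered TLS 1.2 list."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Suites left in the context that the profile would reject: RC4, 3DES, MD5,
    or a SHA1 MAC (OpenSSL names those with a bare '-SHA' suffix)."""
    return [n for n in enabled_suites(ctx)
            if any(m in n for m in WEAK_MARKERS) or n.endswith("-SHA")]


def pfs_only(ctx):
    """True if every TLS 1.2 suite offered uses ECDHE or DHE key exchange."""
    return all(n.startswith(("ECDHE", "DHE", "TLS_")) for n in enabled_suites(ctx))


if __name__ == "__main__":
    ctx = hardened_context()
    for name in enabled_suites(ctx):
        print(name)
    print("weak suites:", weak_suites(ctx), "PFS only:", pfs_only(ctx))
```

The exact list printed depends on the OpenSSL build, which is the point: the profile's algorithm checkboxes are a policy, and this shows what that policy leaves on a concrete implementation.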