Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category.
- Add a new decryption policy rule.Select,PoliciesDecryptionAdda new decryption policy rule, and give the policy rule a descriptiveName.
- Configure the decryption rule to match to traffic based on network and policy objects:
The application-default setting can be useful when you Create a Policy-Based Decryption Exclusion. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
- Firewall security zones—SelectSourceand/orDestinationand match to traffic based on theSource Zoneand/or theDestination Zone.
- IP addresses, address objects, and/or address groups—SelectSourceand/orDestinationto match to traffic based onSource Addressand/or theDestination Address. Alternatively, selectNegateto exclude the source address list from decryption.
- Users—SelectSourceand set theSource Userfor whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
- Ports and protocols—SelectService/URL Categoryto set the rule to match to traffic based on service. By default, the policy rule is set to decryptAnytraffic on TCP and UDP ports. You canAdda service or a service group, and optionally set the rule toapplication-defaultto match to applications only on the application default ports.
- URLs and URL categories—Select Service/URL Category and decrypt traffic based on:
- An externally-hosted list of URLs that the firewall retrieves for policy-enforcement (see).ObjectsExternal Dynamic Lists
- Palo Alto Networks predefined URL categories, which make it easy to decrypt entire categories of allowed traffic. This option is also useful when you create policy-based decryption exclusions because you can exclude sensitive sites by category instead of individually. For example, although you can create a custom URL category to group sites that you do not want to decrypt, you can also exclude financial or healthcare-related sites from decryption based on the predefined Palo Alto Networks URL categories. In addition, you can block risky URL Categories and create comfort pages to communicate the reason the sites are blocked or Enable Users to Opt Out of SSL Decryption.You can use the predefined high-risk and medium-risk URL categories to create a Decryption policy rule that decrypts all high-risk and medium-risk URL traffic. Place the rule at the bottom of the rulebase (all decryption exceptions must be above this rule so that you don’t decrypt sensitive information) as a safety net to ensure that you decrypt and inspect all risky traffic. However, if high-risk or medium-risk sites to which you allow access contain personally identifiable information (PII) or other sensitive information that you don’t want to decrypt, either block those sites to avoid allowing encrypted risky traffic while also avoiding privacy issues, or create a No Decryption rule to handle the sensitive traffic.
- Custom URL categories (see). For example, you can create a custom URL Category to specify a group of sites you need to access for business purposes but that don’t support the safest protocols and algorithms, and then apply a customized Decryption profile to allow the looser protocols and algorithms for just those sites (that way, you don’t decrease security by downgrading the Decryption profile you use for most sites).ObjectsCustom ObjectsURL Category
- Set the rule to either decrypt matching traffic or to exclude matching traffic from decryption.SelectOptionsand set the policy ruleAction:To decrypt matching traffic:To exclude matching traffic from decryption:Set theActiontoNo Decrypt.
- (Optional) Select aDecryption Profileto perform additional checks on traffic that matches the policy rule.Although applying a Decryption profile to decrypted traffic is optional, it is a best practice to always apply a Decryption profile to the policy rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.For example, attach a decryption profile to a policy rule to ensure that server certificates are valid and to block sessions using unsupported protocols or ciphers. To Create a Decryption Profile, select.ObjectsDecryption Profile
- Create a decryption policy rule or open an existing rule to modify it.
- SelectOptionsand select aDecryption Profileto block and control various aspects of the traffic matched to the rule.The profile rule settings the firewall applies to matching traffic depends on the policy ruleAction(Decrypt or No Decrypt) and the policy ruleType(SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the different decryption profiles with different types of decryption policy rules that apply to different types of traffic and users.
- ClickOKto save the policy.
- Choose your next step to fully enable the firewall to decrypt traffic...
- Create policy-based Decryption Exclusions for traffic youchoosenot to decrypt and add sites that break decryption for technical reasons such as pinned certificates or mutual authentication to the SSL Decryption Exclusion list.
Create a Decryption Profile
Attach Decryption profiles to Decryption policy rules to control the protocol versions, algorithms, verification checks, and session checks the firewall accepts for the traffic defined ...
Decryption Overview The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between two entities, such as a web server and a ...
Learn about outbound and inbound SSL decryption, SSH Proxy decryption, Decryption Mirroring, and the keys and certificates that make decryption possible. ...
You can’t protect yourself against threats you can’t see. Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...
Policies > Decryption
Policies > Decryption You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer ...
Create the Data Center Best Practice Decryption Profiles
Decryption Profiles define the SSL Protocol settings the firewall accepts so you can protect against vulnerable, weak protocols and algorithms. ...
Configure SSH Proxy
SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications ...
Exclude a Server from Decryption
You can add applications that break decryption for technical reasons and aren’t already on the SSL Decryption Exclusion list such as internal custom applications to ...
Deploy SSL Decryption Using Best Practices
Following SSL Decryption deployment best practices help to ensure a smooth, prioritized rollout and that you decrypt the traffic you need to decrypt to safeguard ...