Enable Users to Opt Out of SSL Decryption
Allow users to choose whether they want to continue to
a site for which traffic is decrypted or opt out and allow the firewall
to terminate the session, preserving the user’s privacy but preventing
the connection to the site.
In privacy-sensitive situations, you may want to alert your users that the firewall is decrypting certain web traffic and allow them either to continue to the site with the understanding that their traffic is decrypted or to terminate the session and be blocked from going to the site. (There is no option to go to the site and also avoid decryption.)

The first time a user attempts to browse to an HTTPS site or application that matches the decryption policy, the firewall displays a response page notifying users that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.

The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images. However, the best practice is to not allow users to opt out of decryption.

Custom response pages larger than the maximum supported size are not decrypted or displayed to users. In PAN-OS 8.1.2 and earlier PAN-OS 8.1 releases, custom response pages on a decrypted site cannot exceed 8,191 bytes; the maximum size is increased to 17,999 bytes in PAN-OS 8.1.3 and later releases.
- (Optional) Customize the SSL Decryption Opt-out Page.
  - Select Device > Response Pages.
  - Select the SSL Decryption Opt-out Page link.
  - Select the Predefined page and click Export.
  - Using the HTML text editor of your choice, edit the page.
    - If you want to add an image, host the image on a web server that is accessible from your end user systems.
    - Add a line to the HTML to point to the image. For example: <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
  - Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
  - Back on the firewall, select Device > Response Pages.
  - Select the SSL Decryption Opt-out Page link.
  - Click Import and then enter the path and filename in the Import File field, or click Browse to locate the file.
  - (Optional) Select the virtual system on which this response page will be used from the Destination drop-down, or select shared to make it available to all virtual systems.
  - Click OK to import the file.
  - Select the response page you just imported and click Close.
- Enable SSL Decryption Opt Out.
  - On the Device > Response Pages page, click the Disabled link next to SSL Decryption Opt-out Page.
  - Select Enable SSL Opt-out Page and click OK.
  - Commit the changes.
- Verify that the Opt Out page displays when you attempt to browse to a site.
  - From a browser, go to an encrypted site that matches your decryption policy.
  - Verify that the SSL Decryption Opt-out response page displays.
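The two constraints the procedure places on a customized page (it must stay UTF-8 encoded and must not exceed the size limit for the target PAN-OS 8.1 release, or the firewall will not display it) are easy to get wrong in an HTML editor and only show up as a missing page after the commit. The following script is an added example, not part of PAN-OS or of the original documentation; it checks an edited page against those limits before you import it, and also lists every <img src> reference so you can confirm each image is hosted on a web server reachable from end-user systems. The version-string parsing and the sample pages are assumptions constructed for illustration.

```python
"""Pre-import check for a custom SSL Decryption Opt-out Page (added example).

Checks, before Device > Response Pages > Import:
  - the page is valid UTF-8,
  - it is within the size limit for the target PAN-OS 8.1 release
    (8,191 bytes through 8.1.2; 17,999 bytes from 8.1.3 on),
  - every <img src> is an absolute http(s) URL, since the firewall serves
    the page itself and relative paths will not resolve for end users.
"""
import re
from html.parser import HTMLParser

LIMIT_THROUGH_8_1_2 = 8191   # PAN-OS 8.1.2 and earlier 8.1 releases
LIMIT_FROM_8_1_3 = 17999     # PAN-OS 8.1.3 and later releases


def max_page_bytes(panos_version: str) -> int:
    """Return the custom response page size limit for a PAN-OS 8.1.x version.

    Version parsing ("major.minor.patch") is an assumption of this example.
    """
    parts = [int(p) for p in panos_version.split(".")]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    if (major, minor) != (8, 1):
        raise ValueError("this check covers PAN-OS 8.1 releases only")
    return LIMIT_FROM_8_1_3 if patch >= 3 else LIMIT_THROUGH_8_1_2


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def check_optout_page(raw: bytes, panos_version: str) -> dict:
    """Validate encoding, size and image references of an edited page.

    Returns a dict with the byte count, the applicable limit, the image
    URLs found, and a list of human-readable problems (empty if importable).
    """
    problems = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append(f"not valid UTF-8: {exc}")
        text = raw.decode("utf-8", errors="replace")

    limit = max_page_bytes(panos_version)
    if len(raw) > limit:
        problems.append(
            f"{len(raw)} bytes exceeds the {limit}-byte limit for PAN-OS {panos_version}"
        )

    collector = _ImgCollector()
    collector.feed(text)
    for src in collector.sources:
        if not re.match(r"^https?://", src):
            problems.append(
                f"image '{src}' is not an absolute URL; host it on a web server "
                "reachable from end-user systems"
            )

    return {"bytes": len(raw), "limit": limit,
            "images": collector.sources, "problems": problems}


# Constructed sample page (not the firewall's predefined page).
SAMPLE_PAGE = b"""<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>SSL Decryption Opt-out</title></head>
<body>
<img src="https://intranet.example.com/images/acme-logo-96x96.png"/>
<p>This session will be decrypted by the firewall. Click Yes to continue or No to opt out.</p>
</body></html>
"""

# Constructed variants exercising each failure mode.
RELATIVE_IMG_PAGE = SAMPLE_PAGE.replace(
    b"https://intranet.example.com/images/acme-logo-96x96.png", b"acme-logo.png")
OVERSIZED_PAGE = SAMPLE_PAGE + b"<!-- " + b"x" * 9000 + b" -->\n"   # ~9.3 KB
BAD_ENCODING_PAGE = SAMPLE_PAGE.replace(b"Yes", b"Oui\xe9")          # lone 0xE9 byte

if __name__ == "__main__":
    for label, page in [("sample", SAMPLE_PAGE), ("relative img", RELATIVE_IMG_PAGE),
                        ("oversized", OVERSIZED_PAGE), ("bad encoding", BAD_ENCODING_PAGE)]:
        for version in ("8.1.2", "8.1.3"):
            result = check_optout_page(page, version)
            print(f"{label} on PAN-OS {version}: {result['bytes']} bytes, "
                  f"problems={result['problems'] or 'none'}")
```

Run it against the file you saved from your editor (read it in binary mode, since the point is to check the raw bytes the firewall will receive) before the Import step; any non-empty problems list means the page would be silently dropped or would render without its image.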