Strata Cloud Manager
Manage: Decryption
How to use Strata Cloud Manager to configure and manage decryption for NGFWs and
Prisma Access.
Where Can I Use This? | What Do I Need?
---|---
 | Each of these licenses includes access to Strata Cloud Manager. The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Enable Decryption to stop threats hidden in encrypted traffic. All you need
to do to get started is import your decryption certificates — for everything else,
we've built in best practices settings that you can use to get up and running.
Learn more about decrypting traffic here.
Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
Decryption Overview
The Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), and the
Secure Shell (SSH) protocol, secure traffic between two endpoints, such as a web server
and a client. They encrypt the data in transit so that it is meaningless to anyone other
than the client and the server, which use certificates to establish trust and hold the
keys needed to decrypt the data. Decrypt SSL/TLS and SSH traffic to:
- Prevent malware concealed in encrypted traffic from being introduced into your network. For example, an attacker compromises a website that uses SSL/TLS encryption. Employees visit that website and unknowingly download an exploit or malware. The malware then uses the infected employee endpoint to move laterally through the network and compromise other systems.
- Prevent sensitive information from moving outside the network inside encrypted sessions that the firewall would otherwise be unable to inspect.
- Verify which applications are actually running on your network, rather than seeing only the encrypted transport they are carried in, so that Security policy can be enforced on them.
- Selectively decrypt traffic; for example, create a Decryption policy rule and profile to exclude traffic for financial or healthcare sites from decryption.
SSH Proxy decryption is not supported in Strata Cloud Manager.
Decryption Policies
Strata Cloud Manager provides two types of Decryption policy rules: SSL Forward
Proxy to control outbound SSL traffic and SSL Inbound Inspection to control inbound
SSL traffic.
SSL Forward Proxy
When you configure the firewall to decrypt SSL traffic going to external sites, it
functions as an SSL forward proxy. Use an SSL Forward Proxy decryption policy to
decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward
Proxy decryption prevents malware concealed as SSL encrypted traffic from being
introduced into your corporate network by decrypting the traffic so that the
firewall can apply decryption profiles and security policies and profiles to the
traffic.
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL/TLS traffic from a
client to a targeted network server (any server you have the certificate for and can
import onto the firewall) and block suspicious sessions. For example, suppose a
malicious actor wants to exploit a known vulnerability in your web server. Inbound
SSL/TLS decryption provides visibility into the traffic, allowing the firewall to
respond to the threat proactively.
Decryption Profiles
You can attach a Decryption profile to a policy rule to apply granular access
settings to traffic, such as checks for server certificates, unsupported modes, and
failures.
SSL Forward Proxy Profiles
The SSL Forward Proxy Decryption profile controls the server verification, session
mode checks, and failure checks for outbound SSL/TLS traffic defined in Forward
Proxy Decryption policies to which you attach the profile.
SSL Inbound Inspection Profiles
The SSL Inbound Inspection Decryption profile controls the session mode checks and
failure checks for inbound SSL/TLS traffic defined in the Inbound Inspection
Decryption policies to which you attach the profile.
Profile for No Decryption
No Decryption profiles perform server verification checks for traffic that you choose
not to decrypt. You attach a No Decryption profile to a “No Decryption” Decryption
policy that defines the traffic to exclude from decryption. (Don’t use policy to
exclude traffic that you can’t decrypt because a site breaks decryption for
technical reasons such as a pinned certificate or mutual authentication. Instead,
add the hostname to the Decryption Exclusion List.)
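The checks above are easier to reason about as a small decision function. The following is an added example, not Strata Cloud Manager code or configuration syntax: it models the server verification and unsupported-mode checks a Forward Proxy profile (and, for the certificate checks, a No Decryption profile) applies to one session. The profile fields, the `ServerSession` shape, and the sample sessions are assumptions constructed for illustration; only the `notAfter` date format, which is the one Python's `ssl.getpeercert()` returns, is taken from a real API.

```python
# Added example: a model of the server-verification and unsupported-mode checks
# a Forward Proxy (or No Decryption) profile applies. Profile fields, the
# ServerSession shape and the sample data are assumptions for illustration,
# not Strata Cloud Manager code or configuration syntax.
import ssl
from dataclasses import dataclass

# Ordered oldest to newest so versions can be compared by index.
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


@dataclass(frozen=True)
class DecryptionProfile:
    block_expired_cert: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_cert_status: bool = True   # no usable OCSP/CRL answer
    min_tls_version: str = "TLSv1.2"
    allowed_ciphers: frozenset = frozenset(
        {"AES128-GCM", "AES256-GCM", "CHACHA20-POLY1305"})


@dataclass(frozen=True)
class ServerSession:
    """What the proxy learns from the server side of the handshake."""
    not_after: str           # same format as ssl.getpeercert()['notAfter']
    issuer_trusted: bool     # chains to a CA the firewall trusts
    cert_status: str         # "good", "revoked", or "unknown"
    tls_version: str
    cipher: str


def evaluate(profile: DecryptionProfile, session: ServerSession, now: float):
    """Return ('allow' | 'block', [reasons]) for one session.

    `now` is seconds since the Epoch (pass time.time() in real use); it is an
    explicit parameter so the result is reproducible.
    """
    reasons = []
    if profile.block_expired_cert and ssl.cert_time_to_seconds(session.not_after) < now:
        reasons.append("expired certificate")
    if profile.block_untrusted_issuer and not session.issuer_trusted:
        reasons.append("untrusted issuer")
    if session.cert_status == "revoked":
        # Model choice: a revoked certificate is never allowed through.
        reasons.append("revoked certificate")
    elif profile.block_unknown_cert_status and session.cert_status == "unknown":
        reasons.append("unknown certificate status")
    if TLS_VERSIONS.index(session.tls_version) < TLS_VERSIONS.index(profile.min_tls_version):
        reasons.append(f"unsupported version {session.tls_version}")
    if session.cipher not in profile.allowed_ciphers:
        reasons.append(f"unsupported cipher {session.cipher}")
    return ("block" if reasons else "allow"), reasons


# Constructed sample sessions (not real sites), evaluated at a fixed instant.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
GOOD = ServerSession("Jan  1 00:00:00 2025 GMT", True, "good", "TLSv1.3", "AES256-GCM")
STALE = ServerSession("Dec 31 23:59:59 2023 GMT", False, "unknown", "TLSv1.1", "RC4-SHA")


def demo():
    strict = DecryptionProfile()
    # Loosened profile: tolerates an unknown OCSP/CRL answer but still refuses TLS 1.0/1.1.
    lenient = DecryptionProfile(block_unknown_cert_status=False)
    return {
        "good/strict": evaluate(strict, GOOD, NOW),
        "stale/strict": evaluate(strict, STALE, NOW),
        "stale/lenient": evaluate(lenient, STALE, NOW),
    }


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name}: {verdict} {why}")
```

The point of collecting every failed check rather than returning on the first one is operational: when a site breaks under decryption, the reasons list tells you whether the fix is a profile setting (for example, relaxing the unknown-status check) or a Decryption Exclusion List entry (the server only speaks a protocol version or cipher the profile will never accept).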
Decryption Tips
- Use the best practice policy rules as a starting point to build your decryption policy. These rules, one that decrypts traffic and one that excludes sensitive content from decryption, are built on URL categories.
- Exclude sensitive content from decryption for business, legal, or regulatory reasons. You have three ways to do so:
  - Predefined Decryption Exclusions: Palo Alto Networks maintains this list of exclusions and updates it regularly. The list is applied globally and by default to all traffic you specify for decryption. You can disable list entries if that fits your business needs.
  - Custom Exclusions: globally exclude sites or applications from decryption.
  - Policy-based exclusions: use URL categories and external dynamic lists to create targeted decryption rules. Set a decryption policy rule's action to no-decrypt to exclude matching traffic from decryption.
  Always place decryption exclusions at the top of your policy rules so that they are applied first.
- Consider that you can apply some decryption settings globally and target others to specific locations:
  - Your Strata Cloud Manager decryption policy is applied globally to all NGFWs and Prisma Access locations (Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption).
  - To create rules targeted to specific firewalls, mobile user locations, remote network sites, or service connections, set the Configuration Scope (Manage > Configuration > NGFW and Prisma Access > Configuration Scope: Global / Firewalls / Mobile Users / Remote Networks / Service Connections) and then navigate to the decryption policy for that scope.
- Rule order matters. Decryption policy rules are applied from the top down, so place the rules you want enforced first at the top of your list; a catch-all decrypt rule placed above a no-decrypt exclusion makes the exclusion unreachable. Global rules (pre-rules) are applied first and are always listed ahead of rules that are specific to mobile users, remote networks, and service connections.
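The ordering rules in the tips above are where decryption policies most often go wrong in practice, so here they are as a runnable model. This is an added example, not Strata Cloud Manager code: it evaluates a session against exclusion lists first, then global pre-rules, then scope-specific rules, first match wins, and shows two misconfigurations, a catch-all decrypt rule above an exclusion, and a scoped no-decrypt rule that a global pre-rule shadows. The `Rule` and `Session` fields, the URL category names, and the hostnames are constructed for illustration (the exclusion lists are modelled on hostname patterns only; real custom exclusions can also name applications).

```python
# Added example: a model of how a decryption rulebase is evaluated, showing why
# exclusions belong at the top and why global pre-rules shadow scope-specific
# rules. Rule/Session fields, category names and hostnames are constructed for
# illustration; this is not Strata Cloud Manager code.
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Session:
    hostname: str
    url_category: str
    scope: str        # e.g. "mobile-users", "remote-networks", or a firewall name


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "decrypt" or "no-decrypt"
    scope: str = "global"                     # "global" marks a pre-rule
    url_categories: frozenset = frozenset()   # empty means any category

    def matches(self, s: Session) -> bool:
        if self.scope != "global" and self.scope != s.scope:
            return False
        return not self.url_categories or s.url_category in self.url_categories


@dataclass
class Rulebase:
    predefined_exclusions: dict    # hostname pattern -> enabled (entries can be disabled)
    custom_exclusions: set         # hostname patterns you add yourself
    rules: list                    # in the order they appear in the rule list

    def ordered_rules(self):
        # Pre-rules are always listed, and evaluated, ahead of scoped rules.
        pre = [r for r in self.rules if r.scope == "global"]
        scoped = [r for r in self.rules if r.scope != "global"]
        return pre + scoped

    def evaluate(self, s: Session):
        """Return (action, reason) for the first match; unmatched traffic stays encrypted."""
        for pattern, enabled in self.predefined_exclusions.items():
            if enabled and fnmatch(s.hostname, pattern):
                return "no-decrypt", f"predefined exclusion {pattern}"
        for pattern in self.custom_exclusions:
            if fnmatch(s.hostname, pattern):
                return "no-decrypt", f"custom exclusion {pattern}"
        for rule in self.ordered_rules():
            if rule.matches(s):
                return rule.action, rule.name
        return "no-decrypt", "no matching rule"


SENSITIVE = frozenset({"financial-services", "health-and-medicine"})
EXCLUDE_SENSITIVE = Rule("exclude-sensitive", "no-decrypt", url_categories=SENSITIVE)
DECRYPT_ALL = Rule("decrypt-web", "decrypt")
MU_NO_HEALTH = Rule("mu-no-health", "no-decrypt", scope="mobile-users",
                    url_categories=frozenset({"health-and-medicine"}))

# Constructed sessions (the hostnames are not real sites).
BANK = Session("online.bank.example", "financial-services", "remote-networks")
CLINIC = Session("portal.clinic.example", "health-and-medicine", "mobile-users")
PINNED = Session("updates.pinned-app.example", "computer-and-internet-info", "remote-networks")


def build(rules):
    return Rulebase(
        predefined_exclusions={"*.pinned-app.example": True},
        custom_exclusions={"*.payroll.example"},
        rules=rules,
    )


def correct_order():
    return build([EXCLUDE_SENSITIVE, DECRYPT_ALL]).evaluate(BANK)


def wrong_order():
    # The catch-all decrypt rule shadows the exclusion listed below it.
    return build([DECRYPT_ALL, EXCLUDE_SENSITIVE]).evaluate(BANK)


def shadowed_scope_rule():
    # The mobile-users rule is listed first, but the global pre-rule is
    # evaluated ahead of it, so the scoped exclusion never gets a chance.
    return build([MU_NO_HEALTH, DECRYPT_ALL]).evaluate(CLINIC)


def exclusion_list_wins():
    # A predefined exclusion applies before any rule, even a catch-all decrypt.
    return build([DECRYPT_ALL]).evaluate(PINNED)


if __name__ == "__main__":
    for fn in (correct_order, wrong_order, shadowed_scope_rule, exclusion_list_wins):
        print(f"{fn.__name__}: {fn()}")
```

The `shadowed_scope_rule` case is the one that surprises people: moving the mobile-users rule higher in its own list changes nothing, because every global pre-rule is evaluated before any scoped rule. The fix is either to make the health exclusion a global pre-rule placed above the decrypt rule, or to narrow the global decrypt rule so it no longer matches that category.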
Decryption at a Glance
The Decryption screen is the place to configure Decryption Policies and Profiles and
view your Best Practice Assessments.
A) Rulebase—Rulebase checks look at how the policy rulebase is organized and
managed, including configuration settings that apply across many rules.
B) Best Practices—A comprehensive view of how your implementation of this
feature aligns with best practices. Examine failed checks to see where you can
make improvements (you can also review passed checks).
C) Best Practice Assessment—Best practice scores are displayed on the
decryption dashboard. These scores give you a quick view of your best practice
progress; at a glance, you can identify areas for further investigation or where
you want to take action to improve your security posture.
D) Decryption Policies—List of onboarded decryption policies. Review
the policy configuration, policy type (SSL Forward Proxy, SSL Inbound
Inspection, or SSH Proxy), policy action (decrypt or
no-decrypt), and BPA Verdict.
E) Add Rule—Add and configure new decryption policies.
F) Decryption Settings—Access certificate and decryption settings.
Import and export certificates.
G) Add Profile—Add and configure new decryption profiles.
H) Global Decryption Exclusions—Applications excluded from
decryption.
I) Decryption Profiles—List of onboarded decryption profiles. Review
the profile configuration, policies using the profile, and the BPA Verdict.