https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554173#M1746 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275570">@manninegi1985</a> ,</P> <P>&nbsp;</P> <P><STRONG>In my opinion, your AV, VP, and FB profiles will only work on around 10% of your traffic without SSL decryption.</STRONG>&nbsp; The 2 biggest attack vectors in companies are web and email.&nbsp; Almost all email traffic and 90% of web traffic is encrypted.&nbsp; If you want the security features (that you pay for) to be applied to all traffic, then you should enable decryption.</P> <P>&nbsp;</P> <P>Decryption can break a small number of sites.&nbsp; Be prepared to make exceptions.&nbsp; The Day 1 Configuration has an excellent example of a no-decrypt policy.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_1-1692275581644.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52886i6563C795EA194F60/image-size/medium?v=v2&amp;px=400" role="button" title="TomYoung_1-1692275581644.png" alt="TomYoung_1-1692275581644.png" /></span></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 18 Aug 2023 02:41:18 GMT TomYoung 2023-08-18T02:41:18Z https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554154#M1744 <P>Hi All,</P> <P>&nbsp;</P> <P>I have enabled the content inspection features like URL filtering\Antivirus\Wildfire analysis etc.</P> <P>However SSL decryption is not enabled.</P> <P>&nbsp;</P> <P>Could someone please let me know that content inspection features really worth if SSL decryption is not enabled.</P> Thu, 17 Aug 2023 10:07:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554154#M1744 manninegi1985 2023-08-17T10:07:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554169#M1745 <P>Hello Mannienegi1985,</P> <P>&nbsp;</P> <P>You can check this <A href="https://live.paloaltonetworks.com/t5/pancast/pancast-episode-9-should-you-have-ssl-decryption-enabled/ta-p/526755" target="_self">PANCast Episode about SSL Decryption</A></P> <P>&nbsp;</P> <P>To be simple : it will be best effort.</P> <P>&nbsp;</P> <P>Olivier</P> Thu, 17 Aug 2023 12:23:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554169#M1745 ozheng 2023-08-17T12:23:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554173#M1746 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275570">@manninegi1985</a> ,</P> <P>&nbsp;</P> <P><STRONG>In my opinion, your AV, VP, and FB profiles will only work on around 10% of your traffic without SSL decryption.</STRONG>&nbsp; The 2 biggest attack vectors in companies are web and email.&nbsp; Almost all email traffic and 90% of web traffic is encrypted.&nbsp; If you want the security features (that you pay for) to be applied to all traffic, then you should enable decryption.</P> <P>&nbsp;</P> <P>Decryption can break a small number of sites.&nbsp; Be prepared to make exceptions.&nbsp; The Day 1 Configuration has an excellent example of a no-decrypt policy.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_1-1692275581644.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52886i6563C795EA194F60/image-size/medium?v=v2&amp;px=400" role="button" title="TomYoung_1-1692275581644.png" alt="TomYoung_1-1692275581644.png" /></span></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 18 Aug 2023 02:41:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/no-ssl-decyrption-with-content-inspection-enabled/m-p/554173#M1746 TomYoung 2023-08-18T02:41:18Z