https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1316#M1015 <HTML><HEAD></HEAD><BODY><P><STRONG>Hi.. all,</STRONG></P><P></P><P><STRONG>how are you today ? any one please describe about decryption policy and how log bits (0-2048) support? <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> :smileyinfo:</STRONG></P><P></P><P></P><P><STRONG>Thanks </STRONG></P><P><STRONG>Satish </STRONG></P></BODY></HTML> Mon, 19 May 2014 04:23:52 GMT Satish 2014-05-19T04:23:52Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1316#M1015 <HTML><HEAD></HEAD><BODY><P><STRONG>Hi.. all,</STRONG></P><P></P><P><STRONG>how are you today ? any one please describe about decryption policy and how log bits (0-2048) support? <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> :smileyinfo:</STRONG></P><P></P><P></P><P><STRONG>Thanks </STRONG></P><P><STRONG>Satish </STRONG></P></BODY></HTML> Mon, 19 May 2014 04:23:52 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1316#M1015 Satish 2014-05-19T04:23:52Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1317#M1016 <HTML><HEAD></HEAD><BODY><P>The basic overview for ssl decryption is doc-2008.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2008">Controlling SSL Decryption</A></P><P></P><P>PA does support 2048 bit certs.</P></BODY></HTML> Mon, 19 May 2014 16:19:00 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1317#M1016 pulukas 2014-05-19T16:19:00Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1318#M1017 <HTML><HEAD></HEAD><BODY><P>Dear Steven,</P><P></P><P>Thnx for you reply.</P></BODY></HTML> Mon, 19 May 2014 18:09:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1318#M1017 Satish 2014-05-19T18:09:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1319#M1018 <HTML><HEAD></HEAD><BODY><P>Following doc explains on different Decryption Certs</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2006">SSL Decryption Certificates</A></P><P>Hope this helps.</P><P>Thanks</P><P>Numan</P></BODY></HTML> Tue, 20 May 2014 13:48:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1319#M1018 mbutt 2014-05-20T13:48:42Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1320#M1019 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Dear Steven,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">I have a question after have read your comment.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">We use a self-generated certificate with 2048 bits from FW for ssl outbound decryption.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">But we always see 1024 bits certificate when connecting to facebook.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">2048 bits certificate can be generated by FW-self, but can not use to decryption. because FW does not support. Right?</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks and Regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">KC Lee<BR /></SPAN></P></BODY></HTML> Mon, 22 Sep 2014 17:40:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1320#M1019 KiCheon.Lee 2014-09-22T17:40:27Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1321#M1020 <HTML><HEAD></HEAD><BODY><P>Hi KC Lee,</P><P></P><P>For outbound SSL decryption, 1024 bit key is used between PA and clients connection regardless of the key length of PA generated CA certificate, or key length of real server presents. This is by design. Hope that helps. Thank you.</P></BODY></HTML> Mon, 22 Sep 2014 19:30:01 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1321#M1020 ssharma 2014-09-22T19:30:01Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1322#M1021 <HTML><HEAD></HEAD><BODY><P>Hi Satish,</P><P></P><P>Decryption is firewall acting as man in the middle. Firewall will intercept ssl connection from end clients to server, send a response back to client appearing as server with certificates and start a new connection from firewall's external interface to the server to get requested data.&nbsp; That way we have 2 portion of connection one that originates at clients and ends at the firewall's internal interface and other that originates at external interface and ends at the server.</P><P></P><P>Firewall will manage these 2 communication for each ssl communication.</P><P></P><P>For outbound SSL decryption, 1024 bit key is used between PA and clients connection regardless of the key length of PA generated CA certificate, or key length of real server presents. This is by design. Hope that helps. Thank you.</P></BODY></HTML> Mon, 22 Sep 2014 19:33:26 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1322#M1021 ssharma 2014-09-22T19:33:26Z https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1323#M1022 <HTML><HEAD></HEAD><BODY><P>Hi ssharma,</P><P></P><P>Thank your very much for your answer.</P><P>It helps me so clear.</P><P></P><P>Thanks,</P><P>KC Lee</P></BODY></HTML> Tue, 23 Sep 2014 02:49:35 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-work-decryption-policy/m-p/1323#M1022 KiCheon.Lee 2014-09-23T02:49:35Z