topic Re: no decryption policy set, wan to wan traffic decrypt is yes in General Topics

no decryption policy set, wan to wan traffic decrypt is yes

Hsinyu — Thu, 19 Jan 2023 07:47:28 GMT

Hi All ,

We did not set decryption policy
But in the threat log, it is seen that decrypt is yes, and the traffic is wan to wan.

Under what circumstances will the log of wan to wan decrypt is yes be generated?

thanks

Re: no decryption policy set, wan to wan traffic decrypt is yes

emr_1 — Thu, 19 Jan 2023 07:50:51 GMT

If ssl session is terminated on wan interface, for example; globalprotect portal, it will be wan2wan session and also decrypted.

Re: no decryption policy set, wan to wan traffic decrypt is yes

Hsinyu — Thu, 19 Jan 2023 08:06:13 GMT

Hi Emr

Want to confirm if my understanding is correct
As long as the ssl 443 session from wan to wan ends on the wan interface, it will be decrypted by default on the PA. If it is a threat, it will be blocked, right?

Is there any other possibility besides ssl .

thanks

Re: no decryption policy set, wan to wan traffic decrypt is yes

emr_1 — Thu, 19 Jan 2023 08:51:49 GMT

yes to first part.

the action (blocked you said) depends on your configuration. If you configure it to be blocked, you are correct.

If you are pointing this decryption, this indicates ssl decryption was applied to the ssl / tls session

Re: no decryption policy set, wan to wan traffic decrypt is yes

BPry — Thu, 19 Jan 2023 17:36:18 GMT

@Hsinyu,

Just to be abundantly clear, the only time that traffic is automatically decrypted by the firewall is if the traffic terminates on the firewall. So in the example of a GlobalProtect Portal/Gateway, that traffic will be decrypted automatically without anything being configured by you as the admin.

In the event that you have a device setup in your WAN/untrust zone outside of the above examples, it won't be automatically decrypted by the firewall unless you setup a decryption policy. For example if I hand a VPN concentrator off of a firewall and just place it in a WAN/untrust zone, the firewall won't automatically start decrypting that traffic.

That might add a bit of confusion as this isn't a common deployment that folks do, but it's important to have that distinction present.