https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/149955#M49855 <P>Hello.</P><P>&nbsp;</P><P>We currenly have a Palo-5050 v7.18 doing firewalling and URL filtering.</P><P>We have SSL decryption enabled.</P><P>&nbsp;</P><P>Because Palo does not support transparent authentication using Chromebooks and because we do not like the Palo URL reporting, we are looking at getting rid of the URL filtering part.</P><P>&nbsp;</P><P>Do we still need to have SSL decryption enabled for normal firewall apps and function?</P><P>&nbsp;</P><P>If yes, does that mean we would need to have multiple SSL certs installed on our client devices:</P><P>1 for Palo SSL decyption</P><P>1 for new URL filtering product</P><P>?</P><P>&nbsp;</P><P>Much thanks.</P><P>Dan</P><P>&nbsp;</P> Tue, 28 Mar 2017 16:04:37 GMT dannon 2017-03-28T16:04:37Z https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/149955#M49855 <P>Hello.</P><P>&nbsp;</P><P>We currenly have a Palo-5050 v7.18 doing firewalling and URL filtering.</P><P>We have SSL decryption enabled.</P><P>&nbsp;</P><P>Because Palo does not support transparent authentication using Chromebooks and because we do not like the Palo URL reporting, we are looking at getting rid of the URL filtering part.</P><P>&nbsp;</P><P>Do we still need to have SSL decryption enabled for normal firewall apps and function?</P><P>&nbsp;</P><P>If yes, does that mean we would need to have multiple SSL certs installed on our client devices:</P><P>1 for Palo SSL decyption</P><P>1 for new URL filtering product</P><P>?</P><P>&nbsp;</P><P>Much thanks.</P><P>Dan</P><P>&nbsp;</P> Tue, 28 Mar 2017 16:04:37 GMT https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/149955#M49855 dannon 2017-03-28T16:04:37Z https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/149988#M49861 <P>Depends on the application you are trying to catch and the need to see threats, short answer is yes you want to decrypt the traffic more than likely so leave that on.&nbsp;</P><P>&nbsp;</P><P>If your new URL filtering product requires SSL decrytion then it will need this as well. I imagine that in a school enviroment you are probably looking at something like a Barracuda, in which case it helps to have SSL decryption enabled and you would need the required certs to configure this correctly loaded onto the client devices.&nbsp;</P> Tue, 28 Mar 2017 18:30:06 GMT https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/149988#M49861 BPry 2017-03-28T18:30:06Z https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/150234#M49911 <P>Hi Dannon,</P><P>&nbsp;</P><P>Decryption would be better for application and threat detection. If not, we might not see the application shift which may happen after the base application is read. Decryption requires a certificate which is marked as CA and the private key should be on the firewall. You could have 2 different certificates for Palo Alto, URL filtering service. However, you could also export certificate from one device and import it into another (PA can do that, not sure about the other device).</P><P>&nbsp;</P><P>Regards,</P><P>Anurag&nbsp;</P> Wed, 29 Mar 2017 19:33:55 GMT https://live.paloaltonetworks.com/t5/general-topics/is-decryption-needed-without-url-filtering/m-p/150234#M49911 ansharma 2017-03-29T19:33:55Z