https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158721#M51965 <P>You could use a decryption profile which you have to attach to your decryption rule:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile</A></P><P>&nbsp;</P><P>But in 7.1.x your very limited with the use of strong ciphers. Beginning with PAN-OS 8 PaloAlto also supports PFS for TLS Inbound inspection:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-for-inbound-ssl-sessions#_92861" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-for-inbound-ssl-sessions#_92861</A></P> Tue, 30 May 2017 17:55:06 GMT Remo 2017-05-30T17:55:06Z https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158718#M51964 <P>We're on 7.1.x and use SSL decryption on traffic coming in to sites we host.</P><P>&nbsp;</P><P>Is there a way to <EM><STRONG>force</STRONG></EM> the SSL traffic to a (strong) cipher suite(s) that the PAN can decrypt please?</P><P>&nbsp;</P><P>I found this KB but I'm not entirely clear if this&nbsp;lets you mandate <STRONG><EM>only</EM></STRONG>&nbsp;cipher suites that can be decrypted?</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/PAN-OS-Supported-ciphers/ta-p/71969" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/PAN-OS-Supported-ciphers/ta-p/71969</A></P><P>&nbsp;</P><P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 30 May 2017 17:16:43 GMT https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158718#M51964 networkadmin 2017-05-30T17:16:43Z https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158721#M51965 <P>You could use a decryption profile which you have to attach to your decryption rule:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile</A></P><P>&nbsp;</P><P>But in 7.1.x your very limited with the use of strong ciphers. Beginning with PAN-OS 8 PaloAlto also supports PFS for TLS Inbound inspection:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-for-inbound-ssl-sessions#_92861" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-for-inbound-ssl-sessions#_92861</A></P> Tue, 30 May 2017 17:55:06 GMT https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158721#M51965 Remo 2017-05-30T17:55:06Z https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158722#M51966 <P>I meant to post this link&nbsp;<A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Cipher-suite-enforcement-in-decryption-rules/ta-p/74291" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Cipher-suite-enforcement-in-decryption-rules/ta-p/74291</A></P><P>&nbsp;</P><P>I guess I'm not sure how a decryption profile interacts to force the traffic to something that can be decrypted.</P> Tue, 30 May 2017 17:57:40 GMT https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158722#M51966 networkadmin 2017-05-30T17:57:40Z https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158730#M51969 <P>Create a decryption profile with the following settings:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ashampoo_Snap_2017.05.30_21h55m14s_016_.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9461i4E068E2418307851/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Ashampoo_Snap_2017.05.30_21h55m14s_016_.png" alt="Ashampoo_Snap_2017.05.30_21h55m14s_016_.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ashampoo_Snap_2017.05.30_21h55m55s_017_.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9460i7C27270DE590464E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Ashampoo_Snap_2017.05.30_21h55m55s_017_.png" alt="Ashampoo_Snap_2017.05.30_21h55m55s_017_.png" /></span></P><P>&nbsp;</P><P>After that you simply attach this profile to your decryption rule and your done. The firewall will only allow ciphers which it is able to decrypt and everything else will be dropped.</P><P>&nbsp;</P><P>(these are screenshots from PAN-OS 8. in PAN-OS 7.1 you HAVE TO SELECT RSA as Key Exchange Algorithm because DHE and ECDHE are not supported for inbound inspection)</P><P>&nbsp;</P><P>&nbsp;&nbsp;</P> Tue, 30 May 2017 20:04:49 GMT https://live.paloaltonetworks.com/t5/general-topics/forcing-tls-ssl-decryption-to-cipher-suite-pan-can-decrypt/m-p/158730#M51969 Remo 2017-05-30T20:04:49Z