topic Re: Decryption policy options explanation required. in General Topics

Decryption policy options explanation required.

Xtreme — Thu, 01 Feb 2018 06:41:35 GMT

Hello Everyone,

I am reading about decryption policy and have some questions in my mind, so looking for some answers.

1- In order to apply the decryption profile, do I need to have action set to decrypt ?

2- what is the advantage if I have a decrypt policy with options set to:

a) Action: No decrypt (with no profile) <-- is not it same as if it was not created !

b) Action: No decrypt (with profile) <-- if Q1 is yes

c) Action: Decrypt (with no profile) <-- In this case only useful for decrypt mirror/forwarding ? or will it go now to the other security policies to apply other possible profiles (e.g. Anti-virus, file block, data filter, etc) ?

Re: Decryption policy options explanation required.

reaper — Thu, 01 Feb 2018 09:37:55 GMT

hi @Xtreme

you will need a decryption policy before decryption will be applied to a session

The no-decryptpolicy is usually used to exclude a subset of oytherwise decrypted traffic (eg. decrypt everything except financial url category because it is privacy sensitive)

The decryption profile is used to help the firewall decide what to do if something is unusual or wrong with a certificate

Some certificates may not be signed by a trusted source or expired,some may be using a weak cipher (3des, md5)

The profile will help you block (or not) these connections as they should be considered as suspicious.

Re: Decryption policy options explanation required.

BPry — Thu, 01 Feb 2018 13:00:23 GMT

@Xtreme,

Touching off of what @reaper pointed out earlier, I've never seen a firewall configured for SSL Decryption that doesn't have some sort of 'No-Decrypt' policy. Exactly for the points that reaper pointed out for categories such as Financial information, health and banking and he such. However most will also come across differerent applications or websites that won't work nicely with SSL Decryption. PA builds in a decent SSL Decryption Exclusion list to try and assist with this, however there are some services (primarly when using client certs or pinned certs for auth) that simply won't work when run through the decryption policy.

Re: Decryption policy options explanation required.

Mick_Ball — Thu, 01 Feb 2018 14:06:11 GMT

@BPry, @reaper, nice info.... but can i just ask...

we are often adding sites to the no-decrypt rule as the site becomes unreachable.

Am i missing something here...

Does the PA not have the option to see that it cannot be decrypted and just pas the traffic through as normal..

Thanks..

also...

I have tried to work out why the decryption is failing by comparing packets in wireshark, and it seems that what is being offered is available on the PA...

any other options for checking decrypt failures...

Thanks again...

Re: Decryption policy options explanation required.

reaper — Thu, 01 Feb 2018 14:47:54 GMT

The certificate profile has options to 'block unsupported' suites and ciphers, if you diable those options unsupported certifcates will be allowed to pass through

you can also add sites to the SSL Decrypt Exclusion list (device > certificate management)

some certificates may be pinned or have other features that are not supported

Re: Decryption policy options explanation required.

Xtreme — Thu, 01 Feb 2018 14:54:44 GMT

Thanks guys. However, I want your input regarding the following statements (True or Falese):

1- No-Decryption action with profile exist --> this requires that certifiacate has no issue, otherwise drop connection.

2- Decrypt action with profile or without profile --> this traffic if compliant with profile (if exist) will go over the security policy to see if a match exist then other defined profiles such as anti-virus, file blocking profiles will apply to the decrypted traffic.

3- For decrypt mirror to work correctly, I need to create decryption policy with action set to "Decrypt" and Profile with Decrypt mirror "Enabled" (regardeless of the certificate status and/or other security policies and profiles)

* If false what is the correct behaviour.