topic Re: what is the best for social-networking category ,Decrypt or no decrypt in General Topics

what is the best for social-networking category ,Decrypt or no decrypt

AhmedEmam — Mon, 13 Aug 2018 12:29:46 GMT

Dears

In my company ,unfortunately, allow facebook.com website

we note when do "SSL Decryption" for social-networking category ,There is huge utilization on CPU (Up to 85%)

what is the better for this case as design : Decrypt Facebook or no decrypt ?

if we do "no-decrypt" ,Can palo alto to apply the policy of deny for some application on facebook such as "Facebbok-chat ,..."

Thanks

Re: what is the best for social-networking category ,Decrypt or no decrypt

BPry — Mon, 13 Aug 2018 14:43:33 GMT

@AhmedEmam,

SSL Decryption can take a hit on smaller boxes that don't have much processing to spare; and depending on the amount of traffic you pass to Facebook you would expect to see a spike when you first start decrypting traffic.

The firewall won't be able to reliably look into the traffic and properly identify facebook-chat instead of normal 'facebook'. This makes for a broken experiance as users will be constantly switching back and forth between a working facebook-chat and a non-working facebook-chat as the firewall is able to identify the app-id as traffic passes.

I would personally recommend that you keep decrypting the traffic, 85% utilization is perfectly fine for the firewall.

Re: what is the best for social-networking category ,Decrypt or no decrypt

AhmedEmam — Wed, 15 Aug 2018 09:40:53 GMT

Thank you for your reply

I would think that 85% is very high because exceed Max.= 80%

But when try to implement decryption ,I note the palo alto can down the "Facebook-chat" as example and permit the facebook .

what is problem or (Bad desgin) if cancle decryption ?

Again thank you for your reply

Re: what is the best for social-networking category ,Decrypt or no decrypt

BPry — Wed, 15 Aug 2018 13:22:28 GMT

@AhmedEmam,

85% would be high if it's sustained, and it certainly poses a question on whether a spike in traffic would push the CPU even higher. If it's a momentary spike to 85% and it curbs off right away, I wouldn't be worried about it; if you are at a sustained 85% and spiking higher then that's an actual issue.

Not decrypting the traffic you lose insight into what the traffic is actually doing/is. At that point there is no knowing whether the traffic is simply normal social media traffic or if a malicious attachment someone got through email is using facebook to host a malicious file masquerading as an image. Most companies also have different policies in place on different parts of Facebook; for example they might let you go to Facebook, but not chat or access any Facebook games.

Whether or not you should decrypt this traffic depends on multiple things that matter in varying degrees depending on the company.

Re: what is the best for social-networking category ,Decrypt or no decrypt

AhmedEmam — Thu, 16 Aug 2018 07:51:59 GMT

Thank you for your reply