topic Do I need SSL decryption to turned ON for Wildfire deployment ? in General Topics

Do I need SSL decryption to turned ON for Wildfire deployment ?

PS007 — Wed, 17 Jul 2019 21:01:55 GMT

Can Wildfire engine detect & identify zero day or known threat if SSL decrption feature is off in Palo Alto firewall ?

WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate signatures to identify and protect against future infections from the malware it discovers.

But how it detects file types, malicious behaviour for SSL encrypted traffic ?

Re: Do I need SSL decryption to turned ON for Wildfire deployment ?

BPry — Thu, 18 Jul 2019 03:22:56 GMT

@PS007,

You need SSL Decryption to get the full benefit of WildFire for encrypted traffic, as you would expect. If you don't have visability into the traffic WildFire won't be able to identify the content being downloaded and therefore isn't able to fully protect your environment.

Re: Do I need SSL decryption to turned ON for Wildfire deployment ?

PS007 — Thu, 18 Jul 2019 14:25:49 GMT

@BPry my organization dont want to turn SSL decryption ON due to user privacy issues. What other benefits I can get from WF ? How about email/ftp or any other traffic ?

Re: Do I need SSL decryption to turned ON for Wildfire deployment ?

jdelio — Thu, 18 Jul 2019 14:44:03 GMT

@PS007 , please keep in mind that more and more applications and sites are being encrypted to be more secure.

So, if you are not decrypting SSL, then you are missing out on a big piece of the puzzle.

When you setup the decryption policy, you normally exclude Banking, Hospital/medical, and similar categories to respect personal privacy.

Re: Do I need SSL decryption to turned ON for Wildfire deployment ?

BPry — Thu, 18 Jul 2019 16:21:45 GMT

@PS007,

So if you don't decrypt traffic WildFire is only able to act on what it can actually see crossing the firewall, which at that point would be any unencrypted traffic. So while FTP traffic would get inspected SFTP would not, likewise HTTP downloads would be inspected but HTTPS downloads would not be. There is still a lot of benefit in catching the "low-hanging fruit" utilizing WildFire in a network while not utilizing SSL Decryption for external traffic. That being said, more and more traffic is switching to encrypted by default, so the effective percentage of your analyzed traffic would continue to go down as the percentage of your encrypted traffic goes up.

I would argue that with you falling under GDPR you actually have even more of a reason to gain insight into your traffic patterns, not less. As @jdelio mentioned you can exclude any category or domain that you don't want decrypted with ease, but choosing to go without decryption all-together is relatively risky if your org actually gets breached and would have to report it. IE: The cost of being fined under GDPR because customer or employee information was potentially exported/accessed under a network breach would be rather massive; and unless you decrypt traffic hitting a public resource you host on your network (inbound decryption) you don't really have that big of a GDPR risk with the right retentention policies in place.