topic Re: HTTPS Response pages in General Topics

HTTPS Response pages

BigPalo — Wed, 12 May 2021 10:36:39 GMT

Hi,

I know that there are many threads here about this. We would like to show the response pages for https.

We saw this link but i have several doubts:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0

This command is enabled globally: "set deviceconfig setting ssl-decrypt url-proxy yes". So, is this command decrypting all SSL? or just injecting response pages? This would impact a lot in the CPU.

In order to limit the decrypt ssl for several users i understand we need to use decryption policy like usual.

what is the best way?

Re: HTTPS Response pages

S.Cantwell — Thu, 13 May 2021 00:15:26 GMT

Hello there.

Yes, pretty much, the only way for a response page to be seen, is to enable decryption, so the FW can "see" web-browsing (application) on port 443, and then issue the response page.

It is not pretty, but it is a necessary requirement to set the expectation that end user traffic MUST be decrypted (else, how does one propose to catch PII, HIPPA, company trade secrets, credit cards, social secuirty, etc)... The FW cannot block what it cannot see. 😞

Re: HTTPS Response pages

MP18 — Fri, 14 May 2021 00:06:12 GMT

@BigPalo

If you are not doing ssl decryption of the traffic and you want response page enabled then you use below command

enabled globally: "set deviceconfig setting ssl-decrypt url-proxy yes"

It will inject the response page. This will not cause Spike in CPU or actually decrypt the traffic.

Regards

Re: HTTPS Response pages

BigPalo — Fri, 14 May 2021 17:54:04 GMT

So we need to add this command " "set deviceconfig setting ssl-decrypt url-proxy yes"" and also a decryption policy?

Re: HTTPS Response pages

MP18 — Fri, 14 May 2021 18:55:53 GMT

@BigPalo

You only need cli command no decryption policy.

Regards

Re: HTTPS Response pages

BigPalo — Sat, 15 May 2021 09:53:58 GMT

OK, but this command will be to decrypt all traffic https passing the FW? what is the impact?

We are scared about showing the certificate not trusted web for everyone. Althoug we put the CA root PA certificate in browser, but like this is a global config....any way to filter by user?

Re: HTTPS Response pages

S.Cantwell — Sat, 15 May 2021 14:36:03 GMT

The FW will only decrypt enough to read the URL category and provide the response page as needed. There is not complete decryption of the traffic.

That being said, I think we all should provide consistent messaging that decryption is a feature set that all customers should be researching/testing, etc.

My suggestion is to run the command, and then ONLY use your IP as a test machine, so it is not impactful to everyone. Test the feature, get comfortable with the feature, and then slowly rollout this to your network. Again, this is for getting the response page.

Once you fell comfortable, I would recommend that you research the entire Decryption function, learn what is needed, how to configure it, and continue to proceed with the feature set. As we have recently seen, there in an influx in the amount of malicious traffic inbound and laterally, due to SSL encrypted files. A better security posture is to utilize all the features. It is generally stated that 65% to 80% of the Internet is TLS encrypted. So, by not implementing an important feature set, you are really getting 20 to 35% protection of ContentID (and that does not include loss of intellectual property or sensitive data loss)

Is there any other questions/concerns we can assist with?

Re: HTTPS Response pages

BigPalo — Sat, 15 May 2021 16:57:15 GMT

OK, but this command is applied by CLI ad its global. How can we limit the decrypt for just one user and testing purposes?

is it neccesary a decryption policy for that? im not sure if enabling anything global apply for everyone and cpu issue will happen.

Re: HTTPS Response pages

S.Cantwell — Sat, 15 May 2021 21:21:33 GMT

Good Day again.

We have provided you information about resolving your issue. It will now be up to you to decide how you would like to use this information. Both myself and MP18 stated that no decryption rules are used, and minimal CPU increase.

Re: HTTPS Response pages

Remo — Sun, 16 May 2021 16:19:18 GMT

Hi @BigPalo

With the already proposed solutions you should be good to go without a performance impact. Aso you wrote correctly, it is a global setting so if you want to be absolutely sure about what you are going to implement, then test the setup on a lab firewally. According to the knowledgebase article you also need to enable response pages ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0 ).

As @S.Cantwell wrote you should consider enabling the decryption feature as this will dramatically improve the security and visibility in your network.