Looking to get started with SSL Decryption

I'm currently reading articles on this site on how to set this up. I was hoping someone could point me to a guide or tell me a very basic test setup for this feature on the P.A. Thanks in advance.
Accepted Solution
You probably want to intercept outbound browsing.

1. Device > Certificates > Generate > tick Certificate Authority ... make a certificate.
2. Edit your certificate and tick Forward Trust Certificate.
3. Tick your certificate and select Export Certificate. Do not export the private key.
4. Store the file locally and open it on your desktop. Install Certificate. Place it in your Trusted Root Certification Authorities store.
5. Policies > Decryption > add your decryption rule > make it match your traffic > Options > Action: Decrypt, Type: SSL Forward Proxy > New Decryption Profile (anything works).
6. Commit.

There are a few more things you can do optionally (e.g. untrust certificate), but this gets you started.
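The procedure above, emulated locally with OpenSSL as an added example (this is not code from the original post or from Palo Alto Networks): it generates a forward trust CA, issues a per-site certificate the way SSL Forward Proxy does on the fly, and shows that a client accepts that certificate only when the exported CA certificate (and not the private key) is in its trust store. The CA names, file names and the hostname www.example.test are made up for the demo; the script only needs a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Added example, not code from the original post or from Palo Alto Networks:
# it emulates with OpenSSL what the firewall does in SSL Forward Proxy mode,
# to show why the exported CA certificate (the certificate only, never the
# private key) has to be in the client's Trusted Root store. The CA names,
# file names and the hostname www.example.test are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# "Device > Certificates > Generate > Tick Certificate Authority":
# a self-signed CA. $1 = file prefix, $2 = common name. An explicit config
# is written so the CA extensions do not depend on the system openssl.cnf.
make_ca() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ca_ext\n' > "$1.cnf"
    printf '[dn]\nCN = %s\n' "$2" >> "$1.cnf"
    printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\n' >> "$1.cnf"
    printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> "$1.cnf"
    openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# "Export Certificate ... Do not export private key": the file that goes to
# the desktops is the certificate alone. Returns 0 only if no key is inside.
export_is_cert_only() {
    grep -q "BEGIN CERTIFICATE" "$1" && ! grep -q "PRIVATE KEY" "$1"
}

# What the firewall does per visited site: mint a leaf certificate for the
# server name, sign it with the forward trust CA and present it to the browser.
# $1 = hostname, $2 = CA file prefix.
issue_site_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$1.cnf"
    printf 'subjectAltName = DNS:%s\n' "$1" > "$1.ext"
    openssl req -new -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Subject / issuer in one canonical form. On a real client the same check is
# "openssl s_client -connect host:443 </dev/null | openssl x509 -noout -issuer":
# if the issuer is your forward trust CA, the firewall is decrypting that site.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Client-side verdict: $1 = site cert, $2 = the one root this client trusts.
# Returns 0 if the minted certificate chains to that root, non-zero otherwise.
client_trusts() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca fwtrust "Example Forward Trust CA"    # the firewall's forward trust CA
make_ca publicroot "Some Public Root CA"      # stands in for a browser's default store
issue_site_cert www.example.test fwtrust

export_is_cert_only fwtrust.crt && echo "exported file holds the certificate only"
echo "site certificate issued by: $(issuer_of www.example.test.crt)"
if client_trusts www.example.test.crt fwtrust.crt; then
    echo "client WITH the CA in Trusted Root: session accepted"
fi
if ! client_trusts www.example.test.crt publicroot.crt; then
    echo "client WITHOUT the CA in Trusted Root: certificate warning"
fi
```

On a real client the issuer check is the quickest way to confirm that a site is actually being decrypted: `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -issuer` names your forward trust CA for decrypted sessions and the site's public CA for anything a no-decrypt rule or the exclusion list lets through untouched.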

Thanks. That was very easy to follow. I'll give it a try. I'll repost here if I'm unsuccessful.

Nicely explained @BenLassila. The next thing I would do is to create a new "no decrypt" policy pointing to a no-decrypt "URL category".

Any sites that fail due to decryption attempts can simply be added to the new category.

It may be something I'm doing wrong, but this category for me is ever increasing.

I have noticed several posts regarding similar issues.

In the earlier versions of PAN-OS, for large-scale corporate deployments I had to manually add a number of lesser-known trusted root certificates. This has got a lot better with PAN-OS 7.1 and up. In the newest versions of PAN-OS you have a pre-populated "SSL Decryption Exclusion" list under Device > Certificate Management, which may be used as an alternative to your no-decrypt list.

Depending on your risk appetite you can also simply allow traffic that produced decrypt errors on future attempts. This is set in the Decryption Profile. The failed URL in question then enters a list in memory for which the firewall won't try to decrypt again. Your problem could go away forever with the right setting, except that you have less visibility or control over where SSL decryption is failing.

Hope this helps

@BenLassila... noted. Many thanks.

We do already use the pre-populated list. I should have been more specific in saying that we have a site-specific no-decrypt rule for the sites outside of the pre-defined ones.

I have pretty much configured it as you suggested but still get sites that fail on decrypt attempts and have to be added to my extra no-decrypt policy.

I will check the settings on Monday. Don't want to move away too much from the original post.

Thanks again for your time.

Reading your experiences is teaching me something about the SSL decryption in the firewall. Diverge from the original as much as you want.
