Looking to get started with SSL Decryption

L2 Linker

Looking to get started with SSL Decryption

I'm currently reading articles on this site on how to set this up. I was hoping someone could point me to a guide or tell me a very basic test set up for this feature on the P.A. Thanks in advanced.
L3 Networker

Re: Looking to get started with SSL Decryption

You probably want to intercept outbound browsing.

1. Device > Certificates > Generate > Tick Certificate Authority ... make a certificate.
2. Edit your certificate and tick Forward Trust Certificate.
3. Tick your certificate and select Export Certificate. Do not export private key. Store file locally and open it on your desktop.
4. Install Certificate. Place it in your Trusted Root Certification Authorities store.
5. Policies > Decryption > Add your decryption rule > Make it match your traffic > Options > Action: Decrypt, Type: SSL Forward Proxy > New Decryption Profile (anything works).
6. Commit.

There are a few more things you can do optionally (e.g. untrust certificate), but this gets you started.
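A quick client-side check for the setup above, added here as an example (it is not from the thread or from Palo Alto): run from a desktop behind the firewall, it reports whether the certificate the client actually sees was re-signed by the forward-trust CA, whether the handshake was rejected because that CA is not trusted yet, or whether the session failed outright (the sites that end up in a no-decrypt rule). The CA Common Name FW-Forward-Trust and the cafile path are placeholders for your own values.

```python
import socket
import ssl

# Placeholder: the Common Name you gave the forward-trust CA on the firewall.
FORWARD_TRUST_CN = "FW-Forward-Trust"


def rdn_to_dict(rdns):
    """Flatten the tuple-of-tuples name format returned by getpeercert()."""
    return {key: value for rdn in rdns for key, value in rdn}


def classify_issuer(cert, forward_trust_cn):
    """'decrypted' if the leaf cert was re-signed by the firewall CA,
    otherwise 'passthrough' (the original server cert reached the client)."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") == forward_trust_cn:
        return "decrypted"
    return "passthrough"


def probe(host, forward_trust_cn=FORWARD_TRUST_CN, cafile=None, port=443):
    """Connect to host through the firewall and report what the client sees.

    cafile: the exported forward-trust CA (PEM, no private key). It is added
    on top of the system roots so passthrough sites still verify normally.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_issuer(tls.getpeercert(), forward_trust_cn)
    except ssl.SSLCertVerificationError as exc:
        # Typical when decryption is on but this client does not trust the CA yet.
        return f"rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Handshake aborted (e.g. the site needs a client certificate or the
        # firewall dropped the session): a candidate for the no-decrypt rule.
        return f"failed: {exc}"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "->", probe(target, cafile="forward-trust.pem"))
```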
L2 Linker

Re: Looking to get started with SSL Decryption

Thanks. That was very easy to follow. I'll give it a try. I'll repost here if I'm unsuccessful.

L6 Presenter

Re: Looking to get started with SSL Decryption

Nicely explained @BenLassila. The next thing I would do is to create a new “no decrypt” policy pointing to a no decrypt “url category”.

Any sites that fail due to decryption attempts can simply be added to the new category.

It may be something I’m doing wrong, but this category for me is ever increasing.

I have noticed several posts regarding similar issues.


L3 Networker

Re: Looking to get started with SSL Decryption

In the earlier versions of PanOS for large scale corporate deployments I had to manually add a number of lesser-known Trusted Root certificates. This has got a lot better with PanOS 7.1 and up. In the newest versions of PanOS you have a pre-populated "SSL Decryption Exclusion" list under Device > Certificate Management, which may be used as an alternative to your no-decrypt list.

Depending on your risk appetite you can also just allow decrypt errors to be allowed in future attempts. This is set in the Decryption Profile. The failed URL in question then enters a list in memory for which the firewall won't try to decrypt again. Your problem could forever go away with the right setting, except that you have less visibility or control over where SSL Decryption is failing.

Hope this helps

L6 Presenter

Re: Looking to get started with SSL Decryption

@BenLassila... noted. Many thanks.

We do already use the pre-populated list. I should have been more specific in saying that we have a no decrypt site specific rule for the sites outside of the pre-defined.

I have pretty much configured as you suggested but still get sites that fail on decrypt attempts and have to be added to my extra no decrypt policy.

I will check settings on Monday. Don't want to move away too much from the original post.

Thanks again for your time.

L2 Linker

Re: Looking to get started with SSL Decryption

Reading your experiences is teaching me something about the SSL decryption in the firewall. Diverge from the original as much as you want.
