In my company, unfortunately, the facebook.com website is allowed.
We noted that when we do "SSL Decryption" for the social-networking category, there is huge utilization on the CPU (up to 85%).
What is the better design for this case: decrypt Facebook or not decrypt?
If we do "no-decrypt", can Palo Alto apply a deny policy for some applications on Facebook such as "Facebook-chat, ..."?
SSL Decryption can take a hit on smaller boxes that don't have much processing to spare; and depending on the amount of traffic you pass to Facebook you would expect to see a spike when you first start decrypting traffic.
The firewall won't be able to reliably look into the traffic and properly identify facebook-chat instead of normal 'facebook'. This makes for a broken experience, as users will be constantly switching back and forth between a working facebook-chat and a non-working facebook-chat as the firewall is able to identify the app-id as traffic passes.
I would personally recommend that you keep decrypting the traffic; 85% utilization is perfectly fine for the firewall.
Thank you for your reply.
I would think that 85% is very high because it exceeds the max. = 80%.
But when I tried to implement decryption, I noted that the Palo Alto can block "Facebook-chat", as an example, and permit Facebook.
What is the problem (or bad design) if we cancel decryption?
Again, thank you for your reply.
85% would be high if it's sustained, and it certainly poses a question on whether a spike in traffic would push the CPU even higher. If it's a momentary spike to 85% and it curbs off right away, I wouldn't be worried about it; if you are at a sustained 85% and spiking higher then that's an actual issue.
By not decrypting the traffic you lose insight into what the traffic actually is and what it is doing. At that point there is no knowing whether the traffic is simply normal social media traffic or whether a malicious attachment someone got through email is using Facebook to host a malicious file masquerading as an image. Most companies also have different policies in place on different parts of Facebook; for example, they might let you go to Facebook, but not chat or access any Facebook games.
Whether or not you should decrypt this traffic depends on multiple things that matter in varying degrees depending on the company.
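The "momentary spike versus sustained load" distinction above can be checked against the device's own CPU readings. The following is an added example (not from this thread or from PAN-OS); it assumes periodic dataplane CPU percentage samples and uses the 80% maximum the poster mentioned as the threshold, with a constructed sample series.

```python
"""Classify CPU utilization samples as a momentary spike or sustained load.

Added example, not code from this thread or from PAN-OS. Assumes the
samples are periodic percentage readings (e.g. one per minute) collected
after enabling SSL decryption for a category.
"""
from dataclasses import dataclass
from typing import Sequence

THRESHOLD_PCT = 80   # the poster's stated maximum utilization
SUSTAIN_WINDOW = 5   # this many consecutive samples above threshold = sustained


@dataclass
class LoadVerdict:
    peak: int          # highest sample seen
    longest_run: int   # longest run of consecutive samples above threshold
    sustained: bool    # True when longest_run reaches SUSTAIN_WINDOW


def assess_cpu(samples: Sequence[int], threshold: int = THRESHOLD_PCT,
               window: int = SUSTAIN_WINDOW) -> LoadVerdict:
    """Return peak, longest over-threshold run and whether the load is sustained."""
    if not samples:
        raise ValueError("need at least one CPU sample")
    longest = run = 0
    for pct in samples:
        # Count consecutive over-threshold samples; reset on any sample at or below it.
        run = run + 1 if pct > threshold else 0
        longest = max(longest, run)
    return LoadVerdict(peak=max(samples), longest_run=longest,
                       sustained=longest >= window)


# Constructed sample series (one reading per minute), not real device data.
MOMENTARY_SPIKE = [40, 45, 85, 50, 42, 44, 41, 43]   # one 85% spike that curbs off
SUSTAINED_LOAD = [70, 82, 85, 86, 84, 88, 83, 85]    # stays above 80% for 7 samples

if __name__ == "__main__":
    for name, series in (("spike", MOMENTARY_SPIKE), ("sustained", SUSTAINED_LOAD)):
        v = assess_cpu(series)
        print(f"{name}: peak={v.peak}% longest_run={v.longest_run} sustained={v.sustained}")
```

A sustained verdict means the 85% figure is a capacity problem rather than the expected initial spike; a spike verdict with a low longest run matches the "curbs off right away" case.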