How to Configure SSL Decryption

Posted 09-24-2015 11:40 AM, edited 10-05-2016 07:09 PM

Video Tutorial: How to Configure SSL Decryption

 

 

This video is designed to help you understand and configure SSL Decryption on PAN-OS 6.1.

 

We’ll be covering the following topics:

  • What is SSL Decryption?
  • Understanding Inbound and Outbound SSL Decryption (SSL Forward Proxy)
  • Ensuring the Proper Certificate Authority on the Firewall
  • Configuring SSL Decryption Rules
  • Enabling SSL Decryption Notification Page (optional)
  • Committing Changes and Testing Decryption

 

What is SSL Decryption?

 

SSL (Secure Sockets Layer) is a security protocol that encrypts data in transit to keep information confidential on the internet.

An SSL certificate is bound to a key pair, a public key and a private key, which work together to establish the encrypted connection.

 

PAN-OS can decrypt and inspect inbound and outbound SSL connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode. The Decryption rulebase is used to configure which traffic to decrypt; in particular, decryption can be based upon URL categories as well as source user and source/destination addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats and subjected to URL filtering, file blocking and data filtering. Decrypted traffic is never sent off the device.

 

Inbound SSL Decryption

In the case of inbound SSL decryption, the inbound traffic is destined for an internal web server or device. To configure this properly, the administrator imports a copy of the protected server’s certificate and private key onto the firewall. Once the server certificate is loaded and an SSL decryption policy is configured for the inbound traffic, the device can decrypt and read the traffic as it forwards it along. No changes are made to the packet data, and the secure channel is still built end to end from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel.

 

Outbound SSL Decryption (SSL Forward Proxy)

In the case of outbound SSL decryption, the firewall proxies outbound SSL connections. When a user visits a site, the firewall intercepts the outbound SSL request and generates a certificate for that site in real time. The validity dates on the PA-generated certificate are taken from the validity dates on the real server certificate.

 

The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall’s CA certificate is not part of a hierarchy the client already trusts, or has not been added to the client’s browser trust store, the client receives a certificate warning when browsing to a secure site. If the real server certificate was issued by an authority the Palo Alto Networks firewall does not trust, the decryption certificate is instead issued using a second, untrusted CA key. This ensures the user is still warned, so decryption does not hide a man-in-the-middle attack taking place upstream of the firewall.

 

Ensuring the Proper Certificate Authority on the Firewall and Exporting the CA to Clients

 

A Certificate Authority (CA) certificate must be loaded on or generated by the Palo Alto Networks firewall, because the firewall needs a CA in order to decrypt traffic properly by generating SSL certificates on the fly. Either create a self-signed CA on the firewall or import a subordinate CA from your own PKI infrastructure. Select Forward Trust Certificate and Forward Untrust Certificate on one or more certificates to enable the firewall to decrypt traffic. Public SSL certificate providers like Entrust, Verisign, Digicert, and GoDaddy do not sell CA certificates, only end-entity server certificates, so certificates bought from them cannot be used for SSL Decryption.

 

To Generate a Self-Signed Certificate:

 

  • From the firewall GUI, go to Device > Certificate Management > Certificates.
  • Click Generate at the bottom of the screen.
  • For Certificate Name (which can be anything) I chose ssl-decrypt.
  • For Common Name, I entered the firewall's trusted internal IP: 172.16.77.1
  • Check the box next to Certificate Authority to create a Certificate Authority and an SSL certificate signed by the firewall itself (172.16.77.1).
    • If you want this certificate to be valid for more than 1 year, go into the Cryptographic Settings and choose, say, 2 years or 730 days. The certificate is then valid for 2 years.
    • If you need to add any additional certificate attributes, you can do so inside the window at the bottom.
  • Click Generate, then notice that the Status shows as valid.
  • Click ssl-decrypt, then place a check mark next to Forward Trust Certificate and Forward Untrust Certificate, then click OK. Now the certificate can be used for decryption.

 

If a self-signed CA is used, the public CA certificate must be exported from the firewall and then installed as a Trusted Root CA on each machine’s browser to avoid Untrusted Certificate error messages. Normally, network administrators use Group Policy (GPO) to push this certificate to each workstation.

 

When it comes to the Forward Untrust Certificate, some admins choose to have a separate certificate just for this. As long as you have exactly one Forward Trust Certificate and one Forward Untrust Certificate, keeping them separate is fine. Whichever certificate is marked Forward Untrust should not be pushed to clients as a trusted root, because its whole purpose is to make the browser warning appear when the real server certificate is untrusted.

 

  • To manually export the public CA certificate, let’s go back to the Certificates section at Device > Certificate Management > Certificates.
  • Select the check box next to ssl-decrypt we just created, then select Export at the bottom of the screen.
  • When the Export Certificate screen displays, uncheck Export private key, as it’s not required. 
  • Keep the format as Base64 Encoded Certificate (PEM) and click OK—no need to enter a password. A copy of cert_ssl-decrypt.crt is downloaded, which now needs to go onto the client machine.

 

Importing cert_ssl-decrypt.crt to Internet Explorer or Chrome:

 

Use Google Drive or GPO to push the exported certificate to all your client machines. We recommend GPO, as it also gets the certificate onto 'new' machines so SSL Decryption works properly on them.

 

  • Place a public CA Certificate onto Google Drive, then access Google Drive from a client machine.
  • Download the certificate onto the client machine.
  • Install the certificate onto IE or Chrome.

Note: You can also install the certificate onto other browsers like Opera or Firefox, but these instructions are for IE and Chrome.

 

To install the certificate:

  • Select the certificate (in Windows, double-click it). The Certificate properties are displayed.
  • Select Install Certificate. You are prompted for where you’d like to store this certificate.
  • Select Place all certificates in the following store, then click Browse. We recommend that you choose Trusted Root Certification Authorities, then click Next and Finish. The message "The import was successful" is displayed.
  • Click OK.

 

The public CA certificate created by the firewall is now installed properly.  Let’s continue with the rest of the configuration.

 

Configuring SSL Decryption Rules

These instructions are for setting up Outbound SSL Decryption (SSL Forward Proxy). If you need instructions for setting up Inbound SSL decryption, please see the admin guides (listed below) for instructions.

 

To set up SSL Decryption rules:

Go to Policies > Decryption. This is where the rules decide whether SSL traffic passing through the firewall is decrypted or left undecrypted. You can see that I already have two rules in place: the first, named Do Not Decrypt, leaves traffic undecrypted, and the second decrypts traffic.

 

The network or security administrator determines what needs to be decrypted. Following are some suggestions for configuring SSL decryption rules:

 

  • Implement rules in a phased approach. Start with specific rules for decryption, then monitor the typical number of SSL connections being decrypted by the device.
  • Avoid decrypting the following URL categories, as users may consider this to be an invasion of privacy:
    • Financial services
    • Health-and-medicine
  • Also, do not decrypt applications where the server requires client-side certificates (for identification).

 

For any sites that don’t work correctly, or for sites you’d like to exclude from being decrypted:

  • Create a custom URL category under Objects > Custom Objects, then click Add at the bottom of the page. Give it a name: Do-Not-Decrypt.
  • Then add the sites you do not want decrypted.
  • I am placing site-x.com into this URL category, and I am adding www.site-x.com as well, because even though these look like the same web pages, the firewall treats them as completely different entries.
  • Now, place that new URL category into the Do-Not-Decrypt rule.

 

Enabling SSL Decryption Notification Page (optional)

 

If your security policy requires notifying users that their SSL connection will be decrypted, enable the response page at Device > Response Pages. Click Disabled, then check the Enable SSL Opt-out Page option and click OK.

 

Committing Changes and Testing Decryption

Commit the changes so we can test the client SSL decryption.

 

From a client machine:

  • Visit any SSL web page and see if the session was decrypted. 
  • Try to see if twitter.com and facebook.com are showing up decrypted. If you can access the site without issues, then decryption is working properly.

 

To further verify:

  • From the WebGUI, go to the traffic logs.
  • Look for a twitter-base session and click the magnifying glass on the left side of the window.
  • In the session details, under Flags on the right, look for the Decrypted flag. The Decrypted flag indicates that SSL Decryption is working as designed.

 

Note: If you attempt to access any sites that will not display properly after decryption is enabled, then you might have to add the site to a list that will not be decrypted. You can do this by creating a new Custom URL Category - Do Not Decrypt, then add whichever sites you want. 

 

Then check to see if the logs are recording the sessions being decrypted.

 

For instructions for generating and importing a certificate from Microsoft Certificate Server, and for more information in text form, please see How to Implement and Test SSL Decryption:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption...

 

For information on the Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode:

Difference Between SSL Forward Proxy and Inbound Inspection

 

For additional information on How to Configure SSL Decryption in document form, please see the Admin Guides:

  • PAN-OS Administrator's Guide 5.0 (English)
  • PAN-OS Administrator's Guide 6.0 (English)
  • PAN-OS Administrator's Guide 6.1 (English)
  • PAN-OS Administrator's Guide 7.0
  • Panorama Administrator's Guide 7.0

 

We hope you enjoyed this video—thanks for watching.

 

We welcome all feedback below, so don't be shy!

 

Till next time—

Joe Delio

 

Comments
by snasheet
on ‎06-01-2016 07:53 AM

Excellent article. I am starting to like the Palo Alto documentation.

by NormanWong
‎12-27-2016 12:32 PM - edited ‎12-27-2016 12:33 PM

Love the tutorial video. Question on the URL Category: how does the FW obtain the URL info prior to decryption for sites such as financial and health that are not to be decrypted? Does it retrieve this info from the user's prior DNS request to map the destination IP to the URL Category?

by ansharma
on ‎02-20-2017 05:12 PM

@gwong We look at the SNI (server name identifier) field in the Client Hello sent by the client to the website, to determine the URL and match it in the DB (or cloud) to figure out the category.

 

Hope that helps.

 

Regards,

Anurag
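To make the SNI answer above concrete, here is an added example (not part of the original article and not Palo Alto Networks code) that pulls the SNI host name out of a TLS ClientHello record and checks it against a Do-Not-Decrypt list like the custom URL category built earlier in the article. The ClientHello bytes are constructed inline, and the category lookup is a plain set standing in for the firewall's URL database; site-x.com and www.site-x.com are listed separately, as the article requires.

```python
import struct

# Hostnames in the Do-Not-Decrypt custom URL category (constructed list). As the article
# notes, site-x.com and www.site-x.com are separate entries.
DO_NOT_DECRYPT = {"site-x.com", "www.site-x.com"}

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS ClientHello record with an SNI extension (constructed sample input)."""
    name = host.encode("ascii")
    # server_name extension: type 0, ext length, list length, then one entry: name_type 0, length, name
    sni_ext = struct.pack("!HHH", 0x0000, len(name) + 5, len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"       # supported_versions: parser must skip it
    exts = other_ext + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                     # not a Handshake record / not ClientHello
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 35 + body[34]                                            # skip client_version, random, session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]           # skip cipher_suites
        pos += 1 + body[pos]                                           # skip compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # end of extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                        # server_name extension
                p = pos + 2                                            # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:                                     # host_name entry
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen                                                # skip any other extension
    except (IndexError, struct.error):
        pass                                                           # truncated or non-TLS data
    return None

def decryption_decision(record: bytes) -> str:
    """'no-decrypt' if the SNI host is in the exclusion category, 'decrypt' otherwise, 'no-sni' if absent."""
    host = extract_sni(record)
    return "no-sni" if host is None else ("no-decrypt" if host.lower() in DO_NOT_DECRYPT else "decrypt")
```

The "no-sni" outcome is flagged separately because the article does not describe what the firewall does when a ClientHello carries no server name.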
