Video Tutorial: How to Configure SSL Decryption
This video is designed to help you understand and configure SSL Decryption on PAN-OS 6.1.
We’ll be covering the following topics:
SSL (Secure Sockets Layer) is a security protocol that encrypts data to help keep information secure while on the internet.
SSL certificates have a key pair: public and private, which work together to establish a connection.
PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode. The Decryption rulebase is used to configure which traffic to decrypt. In particular, decryption can be based upon URL categories as well as source user and source/target addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats/URL filtering/file blocking/data filtering. Decrypted traffic is never sent off the device.
In the case of inbound SSL decryption, inbound traffic would be destined to an internal Web Server or device. To configure this properly, the administrator imports a copy of the protected server’s certificate and key. When the SSL server certificate is loaded on the firewall, and an SSL decryption policy is configured for the inbound traffic, the device can then decrypt and read the traffic as it forwards it along. No changes are made to the packet data, and the secure channel is built from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel.
Outbound SSL Decryption (SSL Forward Proxy)
In the case of outbound SSL decryption, the firewall proxies outbound SSL connections. The firewall intercepts the outbound SSL request to the site the user wishes to visit and generates a certificate for that site in real time. The validity dates on the PA-generated certificate are taken from the validity dates on the real server certificate.
The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall's CA certificate is not part of an existing trusted hierarchy and has not been added to the client's browser trust store, the client receives a warning message when browsing to a secure site. If the real server certificate was issued by an authority the Palo Alto Networks firewall does not trust, the decryption certificate is instead issued from a second, untrusted CA key, so the user is still warned: a man-in-the-middle attack upstream of the firewall is not hidden by decryption.
Loading or generating a CA certificate on the Palo Alto Networks firewall is required, because only a Certificate Authority (CA) can generate the SSL certificates on the fly that decryption depends on. Either create a self-signed CA on the firewall or import a subordinate CA from your own PKI infrastructure. Select the Forward Trust Certificate and Forward Untrust Certificate options on the appropriate certificate(s) to enable the firewall to decrypt traffic. Because public SSL certificate providers like Entrust, Verisign, Digicert, and GoDaddy do not sell CA certificates, their certificates cannot be used for SSL Decryption.
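To make the forward-proxy behaviour described above concrete, here is an added Python model built on the `cryptography` package; it is not Palo Alto Networks code and does not claim to show how PAN-OS is implemented internally. It copies the real server certificate's subject and validity dates onto a replacement certificate, signs that replacement with the Forward Trust CA when the firewall could verify the real certificate and with the Forward Untrust CA otherwise, and then checks whether a workstation that imported only the Forward Trust CA would accept the result. The CA names, hostnames and validity periods are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
def _validity(c):  # the *_utc accessors were added in cryptography 42; older builds lack them
    return tuple(getattr(c, a + "_utc", None) or getattr(c, a)
                 for a in ("not_valid_before", "not_valid_after"))
def issue(cn, issuer, not_before, not_after):
    """Issue a cert for `cn`; `issuer` is a (cert, key) pair, or None for self-signed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (subject, key)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(signer, hashes.SHA256()))
    return cert, key
def chains_to(cert, roots):
    """One-level chain check: was `cert` signed by a CA certificate in `roots`?"""
    for root in (r for r in roots if r.subject == cert.issuer):
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except Exception:  # issuer name matched but a different key made the signature
            pass
    return False
def forward_proxy_cert(real, fw_roots, trust_ca, untrust_ca):
    """What the client sees: the real subject and validity dates, signed by the Forward
    Trust CA if the firewall verified the real cert, otherwise by the Forward Untrust CA."""
    signer = trust_ca if chains_to(real, fw_roots) else untrust_ca
    return issue(_cn(real.subject), signer, *_validity(real))[0]
def demo():  # constructed scenario: workstations hold only the Forward Trust CA (pushed by GPO)
    now, day = datetime.now(timezone.utc).replace(microsecond=0), timedelta(days=1)
    public_root = issue("Example Public Root CA", None, now, now + 3650 * day)
    trust_ca = issue("PA Forward Trust CA", None, now, now + 1825 * day)
    untrust_ca = issue("PA Forward Untrust CA", None, now, now + 1825 * day)
    sites = [issue("www.example.test", public_root, now, now + 90 * day)[0],
             issue("intranet.self-signed.test", None, now, now + 365 * day)[0]]
    pairs = [(real, forward_proxy_cert(real, [public_root[0]], trust_ca, untrust_ca)) for real in sites]
    return {_cn(real.subject): {"issuer": _cn(seen.issuer),
            "verdict": "trusted" if chains_to(seen, [trust_ca[0]]) else "browser warning",
            "validity_copied": _validity(seen) == _validity(real)} for real, seen in pairs}
```

The self-signed site ends up signed by the Forward Untrust CA, which the workstation never imported, so the browser warning the text describes is preserved rather than masked.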
To Generate a Self-Signed Certificate:
If a self-signed CA is used, the public CA certificate must be exported from the firewall and then installed as a Trusted Root CA in each machine's browser trust store to avoid untrusted-certificate error messages in the browser. Typically, network administrators use a GPO to push this certificate to every workstation.
When it comes to the Forward Untrust Certificate, some admins choose to have a separate certificate just for this. As long as you have only one Forward Trust Certificate and one Forward Untrust Certificate, you should be OK keeping them separate.
Importing cert_ssl-decrypt.crt to Internet Explorer or Chrome:
Use Google Drive or GPO to push the exported certificate to all your client machines. We recommend GPO, as it also gets the certificate onto newly joined machines, so SSL Decryption keeps working for them.
Note: You can also install the certificate onto other browsers like Opera or Firefox, but these instructions are for IE and Chrome.
To install the certificate:
The public CA certificate created by the firewall is now installed properly. Let’s continue with the rest of the configuration.
These instructions are for setting up Outbound SSL Decryption (SSL Forward Proxy). If you need instructions for setting up Inbound SSL decryption, please see the admin guides (listed below) for instructions.
To set up SSL Decryption rules:
Go to Policies > Decryption. This is where rules determine whether SSL traffic through the firewall is decrypted or passed through. You can see that I already have two rules in place: one named Do Not Decrypt, which excludes traffic from decryption, and a second one that decrypts traffic.
The network or security administrator determines what needs to be decrypted. Following are some suggestions for configuring SSL decryption rules:
For any sites that don’t work correctly, or for sites you’d like to exclude from being decrypted:
If your security policy requires notifying users that their SSL connection will be decrypted, use the response page under Device > Response Pages. Click Disabled, check the Enable SSL Opt-out Page option, and click OK.
Commit the changes so we can test the client SSL decryption.
From a client machine:
To further verify:
Note: If any sites do not display properly after decryption is enabled, you may need to add them to a list of sites that will not be decrypted. To do this, create a new Custom URL Category named Do Not Decrypt and add the sites to it.
Then check to see if the logs are recording the sessions being decrypted.
For instructions on generating and importing a certificate from Microsoft Certificate Server, and for more information in text form, please see How to Implement and Test SSL Decryption:
For information on the Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode:
For additional information on How to Configure SSL Decryption in document form, please see the Admin Guides:
We hope you enjoyed this video—thanks for watching.
We welcome all feedback below, so don't be shy!
Till next time—