More on SSL Decryption


Community Team Member

Palo Alto Networks answers the question, "What is SSL Decryption?" and explains how PAN-OS 10.0 brings new features and options that help you leverage SSL Decryption to decrypt SSL packets safely and efficiently.

 

 

Now, more than ever, we are all about privacy and keeping ourselves secure (especially online). That is one of the beauties of SSL (Secure Sockets Layer) or HTTPS: its ability to encrypt and secure your online activity.

 

What is SSL Decryption?

SSL Decryption is the ability to see inside secure HTTP (SSL) traffic as it passes through the Palo Alto Networks firewall. Without SSL Decryption, firewall admins have no access to the information inside an encrypted SSL packet, which essentially masks all activity. With SSL Decryption, you gain visibility into the SSL packet to find hidden applications and threats inside SSL traffic, given the data is sourced from within your network.

 

Every day, more internet traffic is encrypted with SSL or TLS. Some reports show upwards of 90-95% of traffic is now encrypted, depending on the platform. This will only increase in the future, especially with search engines like Google starting to use HTTPS, which means more things are encrypted.

 

Let's dive deeper. The more things become secure, the more companies are essentially blind to any possible security risks inside the encrypted traffic. The other downside is that attackers are finding new ways of delivering malware inside encrypted traffic.


What are the different ways that Palo Alto Networks can help decrypt traffic?

  • SSL Forward Proxy (SSL Decryption)
  • SSL Inbound Inspection
  • SSH Proxy

What is SSL Forward Proxy (SSL Decryption)?

SSL Forward Proxy (SSL Decryption) gives the firewall the ability to see inside the traffic and perform all of the security checks that would not normally be possible on an SSL-encrypted packet.

 

Decryption on a next-generation firewall

 

What is SSL Inbound Inspection?

SSL Inbound Inspection is a way for the firewall to inspect the communication of a web server protected by the firewall, by decrypting the traffic using the internal web server's SSL certificate.

 

What is SSH Proxy?

SSH Proxy is a way for the firewall to decrypt and inspect tunneled SSH traffic passing through the firewall.

 

What is TLSv1.3?

TLSv1.3 is the latest version of the TLS (Transport Layer Security) protocol, which is the improved version of SSL. One of the many new features of PAN-OS 10.0 is the ability to decrypt TLSv1.3.

 

How Can I Configure SSL Decryption?

For detailed instructions on how to implement SSL Decryption, please see the following sections of the Administrator's Guide here:

Configure SSL Forward Proxy - PAN-OS 10.0

Configure SSL Inbound Inspection

Configure SSH Proxy

 

How can I learn more about SSL Decryption?

There are many resources available, such as webinars, discussion forums and technical documents, some of which I've listed below.

 

 

Enabling and Deploying Your SSL Decryption

Enabling and Deploying SSL Decryption

SSL Decryption Best Practices Deep Dive
SSL Decryption Best Practices webinar

 

10 Best Practices for SSL Decryption

 

See Also

Knowledge Base information:

SSL Decryption, what is it?

 

For an SSL Decryption resource list, including troubleshooting, please see:
SSL Decryption Resource List on Configuring and Troubleshooting

 

For detailed information on decryption, please see:
Decryption: Why, Where and How

 

For a detailed overview on Decryption, please see the Decryption section of the PAN-OS Administrator's Guide here:

PAN-OS Administrator's Guide - SSL Decryption

 

For more detailed instructions on implementing SSL Decryption with PAN-OS 10.0, please see: 

Deploy SSL Decryption Using Best Practices

We even have detailed troubleshooting resources for PAN-OS 10.0 available here:
Troubleshooting SSL Decryption and PAN-OS-10.0 

 

ONLINE DISCUSSION

To keep the discussion going, I created a thread in the General Topics discussions about SSL Decryption:

Discussion - More information about SSL Decryption and PAN-OS 10.0

Please check it out and feel free to continue the discussion there.

 

You can even read more about SSL Decryption from the FUEL User Group:

How I Learned to Stop Worrying and Love SSL Decryption

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

Comments
L4 Transporter

Great blog, @jdelio ! Very resourceful and helpful! 

Community Manager

Nice blog @jdelio with SSL being a top topic from our community members and overall it's full of valuable resources and tools. It's a must read for sure. The videos are very helpful as well. 

 

Community Team Member

FYI: If you would like to continue the discussion about this on the discussion forums, I have created the following thread for that.

https://live.paloaltonetworks.com/t5/general-topics/more-information-about-ssl-decryption-and-pan-os...

 

Enjoy!! 

Joe Delio
