SSL decryption—a process that allows you to inspect Secure HTTP traffic as it passes through your firewall—has always played a large role in protecting and securing your network. Without getting to see the full traffic picture, there is no way to properly protect your network, your users, or your data. Recent changes amplify the need for SSL decryption, making it more important than ever to shine a light on your traffic and activity.
Let's unpack SSL Decryption and Palo Alto Networks software and hardware.
More traffic is being encrypted
With upwards of 95% of traffic being encrypted, weak protocols no longer supported, and SSL certificates easier to obtain than ever before, more sites are moving to HTTPS, which makes it harder to see the full security picture without decryption.
PAN-OS 10.0 and 10.1 bring advances in Palo Alto Networks' SSL decryption capabilities: decryption is now easier to deploy and performs better.
Starting with PAN-OS 10.0, TLS 1.3 decryption support has been added in all modes: Forward Proxy, Inbound inspection, Decryption mirror and Decryption broker.
This gives you complete visibility and control of TLS 1.3 traffic and lets you leverage all Next-Gen security features on it.
Organizations that deploy third-party security controls as part of their overall security suite need to decrypt traffic multiple times to realize the benefits of the full security stack. Doing so introduces operational complexity, increases network latency, and negatively impacts the end-user experience.
Although other firewall vendors offer decryption, they cannot send all the traffic to third-party security tools, creating blind spots. As a result, enterprises end up buying additional appliances such as SSL decryption and dedicated packet broker appliances to decrypt, filter, and forward traffic to security tools — which increases cost and operational complexity.
With the new Network Packet Broker (which is free), our NGFW can intelligently forward all types of traffic (e.g. TLS, decrypted TLS, and non-TLS) to third-party security tools from a single device. It allows you to optimize your network performance and maximize your existing security tools' efficacy by selectively sending only the necessary traffic to a given third-party security tool. Customers can also eliminate single points of failure by load-balancing traffic across various appliances.
Alongside the new software, Palo Alto Networks has also announced new hardware that takes advantage of it.
Introducing PA-400 Series for the Distributed Enterprise — PA-400 Series is a big performance jump from our previous generation PA-220: up to 10x threat + decryption performance and up to 5x faster boot-up times.
* Compared to Cisco 9300 with 2 x SM-56 cards (128 Gbps NGFW)
Introducing PA-5450 for Hyperscale Datacenter & Internet Edge — as most enterprise traffic is now encrypted, decryption inside the NGFW is a key requirement, and PA-5450 delivers massive threat + decryption performance improvements: up to 5x the threat + decryption performance of the PA-5260.
Along with that, the new DPC cards can improve decryption performance by 33%.
More logs, easier to see
One of the new improvements is the addition of the new SSL Activity tab inside of the ACC. Inside of this new tab, you will be able to see the following items:
TLS version of the SSL traffic
Decryption failure reasons
With the new enhanced view in the ACC, you can drill down into decryption-related issues much more easily, get to the decryption logs directly from the ACC, and audit traffic that uses any weak TLS versions or weak ciphers. This saves time—and headaches.
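The same weak-version/weak-cipher audit and failure-reason tally can be run offline over exported decryption logs. The script below is an added example, not Palo Alto Networks code; its key=value field names and sample log lines are constructed assumptions modelled on PAN-OS 10.x Decryption log fields.

```python
# Added example (not Palo Alto Networks code): flag weak TLS versions/ciphers
# and tally decryption failure reasons in PAN-OS-style decryption log lines.
# Field names (tls_version, tls_keyxchg, tls_enc, tls_auth, error) and the
# sample lines below are constructed assumptions; adapt them to your export.
import re
from collections import Counter

SAMPLE_LOGS = """\
src=10.1.1.5 sni=legacy.example.com tls_version=TLS1.0 tls_keyxchg=RSA tls_enc=RC4 tls_auth=SHA1 error=""
src=10.1.1.6 sni=api.example.com tls_version=TLS1.3 tls_keyxchg=ECDHE tls_enc=AES_GCM tls_auth=SHA256 error=""
src=10.1.1.7 sni=bank.example.com tls_version=TLS1.2 tls_keyxchg=ECDHE tls_enc=AES_GCM tls_auth=SHA384 error=""
src=10.1.1.8 sni=pinned.example.com tls_version=TLS1.2 tls_keyxchg=ECDHE tls_enc=AES_GCM tls_auth=SHA256 error="Received fatal alert CertificateUnknown from client"
src=10.1.1.9 sni=old.example.com tls_version=TLS1.1 tls_keyxchg=DHE tls_enc=3DES tls_auth=SHA1 error="Unsupported protocol version"
"""

WEAK_VERSIONS = {"SSL2.0", "SSL3.0", "TLS1.0", "TLS1.1"}
WEAK_ENC = {"RC4", "3DES", "DES", "NULL", "EXPORT"}
WEAK_AUTH = {"MD5", "SHA1"}
NO_PFS_KEYXCHG = {"RSA"}  # static RSA key exchange gives no forward secrecy

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def weaknesses(entry):
    """List the weak-crypto findings for one parsed entry, in check order."""
    checks = [("weak-version", "tls_version", WEAK_VERSIONS),
              ("weak-cipher", "tls_enc", WEAK_ENC),
              ("weak-mac", "tls_auth", WEAK_AUTH),
              ("no-pfs", "tls_keyxchg", NO_PFS_KEYXCHG)]
    return [f"{tag}:{entry[key]}" for tag, key, bad in checks
            if entry.get(key) in bad]

def audit(log_text):
    """Return ({sni: findings}, Counter of decryption failure reasons)."""
    findings, failures = {}, Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        weak = weaknesses(entry)
        if weak:
            findings[entry["sni"]] = weak
        if entry.get("error"):  # non-empty error field = decryption failure
            failures[entry["error"]] += 1
    return findings, failures

if __name__ == "__main__":
    weak, fails = audit(SAMPLE_LOGS)
    print(weak, dict(fails), sep="\n")
```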
SSL Decryption technology page
If you didn't already know, the LIVEcommunity has a dedicated SSL Decryption technology page. This is the one place in the LIVEcommunity for you to find discussions, articles, blogs, videos and resources all about SSL Decryption.