Decryption policy options explanation required.

Reply
Highlighted
L1 Bithead

Decryption policy options explanation required.

Hello Everyone,

 

I am reading about decryption policy and have some questions in my mind, so looking for some answers.

 

1- In order to apply the decryption profile, do I need to have action set to decrypt ?

 

2- what is the advantage if I have a decrypt policy with options set to:

a) Action: No decrypt (with no profile) <-- is not it same as if it was not created !

b) Action: No decrypt (with profile) <-- if Q1 is yes

c) Action: Decrypt (with no profile) <-- In this case only useful for decrypt mirror/forwarding ? or will it go now to the other security policies to apply other possible profiles (e.g. Anti-virus, file block, data filter, etc) ?

 

 

Highlighted
L7 Applicator

hi @Xtreme

 

you will need a decryption policy before decryption will be applied to a session

 

The no-decryptpolicy is usually used to exclude a subset of oytherwise decrypted traffic (eg. decrypt everything except financial url category because it is privacy sensitive)

 

The decryption profile is used to help the firewall decide what to do if something is unusual or wrong with a certificate

 

Some certificates may not be signed by a trusted source or expired,some may be using a weak cipher (3des, md5)

The profile will help you block (or not) these connections as they should be considered as suspicious.

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
Highlighted
Cyber Elite

@Xtreme,

Touching off of what @reaper pointed out earlier, I've never seen a firewall configured for SSL Decryption that doesn't have some sort of 'No-Decrypt' policy. Exactly for the points that reaper pointed out for categories such as Financial information, health and banking and he such. However most will also come across differerent applications or websites that won't work nicely with SSL Decryption. PA builds in a decent SSL Decryption Exclusion list to try and assist with this, however there are some services (primarly when using client certs or pinned certs for auth) that simply won't work when run through the decryption policy. 

Highlighted
L7 Applicator

@BPry, @reaper, nice info....  but can i just ask...

 

we are often adding sites to the no-decrypt rule as the site becomes unreachable. 

Am i missing something here...

Does the PA not have the option to see that it cannot be decrypted and just pas the traffic through as normal..

 

Thanks..

 

also...

 

I have tried to work out why the decryption is failing by comparing packets in wireshark, and it seems that what is being offered is available on the PA...

 

any other options for checking decrypt failures...

 

Thanks again...

Highlighted
L7 Applicator

The certificate profile has options to 'block unsupported' suites and ciphers, if you diable those options unsupported certifcates will be allowed to pass through

 

you can also add sites to the SSL Decrypt Exclusion list (device > certificate management)

 

some certificates may be pinned or have other features that are not supported

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
Highlighted
L1 Bithead

Thanks guys. However, I want your input regarding the following statements (True or Falese):

 

1- No-Decryption action with profile exist --> this requires that certifiacate has no issue, otherwise drop connection.

2- Decrypt action with profile or without profile --> this traffic if compliant with profile (if exist) will go over the security policy to see if a match exist then other defined profiles such as anti-virus, file blocking profiles will apply to the decrypted traffic.

3-  For decrypt mirror to work correctly, I need to create decryption policy with action set to "Decrypt" and Profile with Decrypt mirror "Enabled" (regardeless of the certificate status and/or other security policies and profiles)

 

* If false what is the correct behaviour.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!