Decryption

Does the PAN still inspect secured traffic for all threats if it's not decrypting it?

L6 Presenter

You mean if a particular threat item isn't evaluated because the traffic happens to be SSL or SSH or similar?

I guess this would be true in order to lower the number of false positives.

On the other hand, there are many threats where it doesn't matter if the payload is encrypted or not.

L4 Transporter

Hello,

If you can't decrypt, you can't do antivirus and such; traffic will be seen as the SSL application, so there's not much to do...

However, the IPS will still function, but of course it will not be able to inspect the content of the payload; it will be able to inspect the payload itself (for example, if you have an IPS rule that says generate an alert if an SSLv1 handshake is seen, or such).

L2 Linker

Hi guys.

Thank you guys for the information. I'm now working on the SSL decryption.

:smileygrin:

Hello,

Just to add: say, for example, to block Facebook by application in a rule, SSL decryption needs to be configured on the PAN so that the PAN can proxy the outbound SSL sessions and get visibility into the traffic, enabling it to identify the application correctly as 'facebook' and enforce App-ID based rules.

Hence, without SSL decryption the App-ID in the traffic logs will appear as 'ssl' for the Facebook session. Once SSL decryption is configured, the App-ID in the monitor logs should show as 'facebook'.

A technote on how to configure SSL decryption can be found at:
https://live.paloaltonetworks.com/docs/DOC-1412

Let me know if that helps.

Regards

Parth

Didn't some App-IDs look in the CN part of the certs being used (or was it the URL filtering that did this?), so the PA could somewhat inspect SSL traffic even if there is no SSL termination (decryption) set up?

I think it varies by App-ID signature. I've created a custom App-ID that looks at the CN part of the cert. If a match is present, then the application is called "my custom app" instead of SSL. At that point, I can create a security rule that blocks "my custom app" while still permitting SSL.
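The handshake-metadata matching described in the last two posts, as an added example that is not code from any poster in this thread or from Palo Alto Networks: it pulls the cleartext server name out of a TLS ClientHello (the SNI extension, the same kind of unencrypted handshake metadata as the certificate CN the posts mention) and maps it to an application name the way a custom App-ID would, falling back to 'ssl' when nothing matches, so no decryption is involved. The ClientHello builder, the APP_SIGNATURES table and the host names are constructed for this demonstration.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello record carrying one SNI extension.
def build_client_hello(server_name: str) -> bytes:
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host              # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)            # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None                                             # not a TLS handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                             # not a ClientHello
        pos = 4 + 2 + 32                                            # handshake header, version, random
        pos += 1 + hs[pos]                                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + hs[pos]                                          # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):                         # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                                          # extension 0 = server_name
                name_len = struct.unpack("!H", data[3:5])[0]
                name = data[5:5 + name_len]
                return name.decode("ascii", "replace") if len(name) == name_len else None
    except (IndexError, struct.error):
        pass                                                        # truncated or malformed record
    return None

# Hypothetical signatures, standing in for a custom App-ID keyed on the name in the handshake.
APP_SIGNATURES = {"facebook": ("facebook.com", "fbcdn.net"), "my custom app": ("intranet.example",)}

def classify(record: bytes) -> str:
    """Name the application the way a custom App-ID would without decryption; otherwise 'ssl'."""
    name = extract_sni(record)
    if name is not None:
        for app, suffixes in APP_SIGNATURES.items():
            if any(name == s or name.endswith("." + s) for s in suffixes):
                return app
    return "ssl"
```

Note that this sees only what the handshake exposes in cleartext; the payload itself stays opaque, which is exactly the visibility gap the earlier replies describe.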
