Decryption

jorge
Not applicable

Decryption

Does the PAN still inspect secured traffic for all threats if it's not decrypting it?

mikand
L6 Presenter

You mean if a particular threat item isn't evaluated because the traffic happens to be SSL or SSH or similar?

I guess this would be true in order to lower the number of false positives.

On the other hand there are many threats where it doesn't matter if the payload is encrypted or not.

essnet
L4 Transporter

Hello,

If you can't decrypt, you can't do antivirus and such; traffic will be seen as the SSL application, so there's not much to do...

mikand
L6 Presenter

However, the IPS will still function, but of course not be able to inspect the content of the payload; it will be able to inspect the payload itself (for example if you have an IPS rule that says generate an alert if an SSLv1 handshake is seen or such).

HartkentlyNua
L2 Linker

Hi guys.

Thank you guys for the information. I'm now working on the SSL decryption.

ppatel
L4 Transporter

Hello,

Just to add: say, for example, to block Facebook by application in a rule, SSL decryption needs to be configured on the PAN, so that the PAN can proxy the outbound SSL sessions and get visibility into the traffic, enabling it to identify the application correctly as 'facebook' and enforce App-ID based rules.

Hence, without SSL decryption the App-ID in the traffic logs will appear as 'ssl' for the Facebook session. Once SSL decryption is configured, the App-ID in the monitor logs should show as 'facebook'.

A technote on how to configure SSL decryption can be found at :
https://live.paloaltonetworks.com/docs/DOC-1412

Let me know if that helps.

Regards

Parth

mikand
L6 Presenter

Didn't some App-IDs look in the CN part of the certs being used (or was it the URL filtering that did this?) so the PA could somewhat inspect SSL traffic even if there is no SSL termination (decryption) set up?

jvalentine
L7 Applicator

I think it varies by App-ID signature. I've created a custom App-ID that looks at the CN part of the cert. If a match is present, then the application is called "my custom app" instead of SSL. At that point, I can create a security rule that blocks "my custom app" while still permitting SSL.
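To make concrete what the firewall can and cannot see without decryption, here is an added example (not code from any poster or from Palo Alto Networks) that inspects only the cleartext TLS handshake: it parses a ClientHello, pulls out the server_name (SNI) value and the offered protocol versions, classifies the session as 'facebook' or plain 'ssl' from a hypothetical name table (standing in for the certificate-CN match jvalentine describes), and flags legacy SSL versions the way the handshake-level IPS rule mikand mentions would. The ClientHello bytes, the name table `APP_BY_SNI` and the function names are all constructed for this example; SNI is used instead of the certificate CN because in TLS 1.3 the server certificate is encrypted and SNI is the name field that still travels in the clear.

```python
import struct

# Hypothetical mapping from server name suffix to an App-ID-like label
# (constructed for this example; not the vendor's signature set).
APP_BY_SNI = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
}


def build_client_hello(sni, client_version=0x0303, record_version=0x0301):
    """Construct a minimal TLS ClientHello record carrying a server_name extension."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_ext_body = struct.pack("!H", len(server_name)) + server_name
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        struct.pack("!H", client_version)
        + b"\x11" * 32                              # client random (fixed, constructed)
        + b"\x00"                                   # session id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Walk the cleartext ClientHello; return versions and SNI, or None if not a ClientHello."""
    try:
        if len(data) < 5 or data[0] != 0x16:        # record type must be handshake
            return None
        record_version, rec_len = struct.unpack("!HH", data[1:5])
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:            # handshake type must be client_hello
            return None
        pos = 4
        client_version = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + 32                               # skip client random
        pos += 1 + hs[pos]                          # skip session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + hs[pos]                          # skip compression methods
        sni = None
        if pos + 2 <= len(hs):
            end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                if etype == 0x0000 and elen >= 5:   # server_name extension
                    p = pos + 2                     # skip server_name_list length
                    if hs[p] == 0:                  # name_type host_name
                        nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                        sni = hs[p + 3:p + 3 + nlen].decode("ascii", "replace")
                pos += elen
        return {"record_version": record_version, "client_version": client_version, "sni": sni}
    except (IndexError, struct.error):
        return None


def classify_session(data):
    """Label a session from its ClientHello alone: app name, SNI and a legacy-version flag."""
    info = parse_client_hello(data)
    if info is None:
        return {"app": "unknown", "sni": None, "legacy_version": False}
    app = "ssl"                                     # what the log shows without a name match
    if info["sni"]:
        host = info["sni"].lower()
        for suffix, label in APP_BY_SNI.items():
            if host == suffix or host.endswith("." + suffix):
                app = label
                break
    # Anything below TLS 1.0 (0x0301) is SSLv3 or older: a handshake-level rule can alert on it.
    legacy = info["client_version"] < 0x0301 or info["record_version"] < 0x0301
    return {"app": app, "sni": info["sni"], "legacy_version": legacy}


if __name__ == "__main__":
    for name, ver in (("www.facebook.com", 0x0303), ("example.org", 0x0303), ("example.org", 0x0300)):
        print(name, hex(ver), classify_session(build_client_hello(name, client_version=ver)))
```

The classification depends entirely on a name the client chooses to send; a client that omits SNI or uses a fronting domain is logged as plain 'ssl', and nothing in the payload is examined, which is the gap the posters above describe and the reason Parth recommends configuring decryption when a content-based verdict is needed.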
