06-07-2012 01:35 PM
You mean if a particular threat item isn't evaluated because the traffic happens to be SSL or SSH or similar?
I guess this would be true in order to lower the number of false positives.
On the other hand, there are many threats where it doesn't matter if the payload is encrypted or not.
06-12-2012 11:29 PM
However, the IPS will still function, but of course will not be able to inspect the content of the payload; it will be able to inspect the payload itself (for example, if you have an IPS rule that says generate an alert if an SSLv1 handshake is seen, or such).
09-30-2012 10:23 PM
Hi guys.
Thank you guys for the information. I'm now working on the SSL decryption.
09-30-2012 11:45 PM
Hello,
Just to add: say, for example, you want to block Facebook by application in a rule. SSL decryption needs to be configured on the PAN so that the PAN can proxy the outbound SSL sessions and get visibility into the traffic, enabling it to identify the application correctly as 'facebook' and enforce App-ID based rules.
Hence, without SSL decryption the App-ID in the traffic logs will appear as 'ssl' for the Facebook session. Once SSL decryption is configured, the App-ID in the monitor logs should show as 'facebook'.
A technote on how to configure SSL decryption can be found at:
https://live.paloaltonetworks.com/docs/DOC-1412
Let me know if that helps.
Regards
Parth
10-01-2012 12:45 PM
Didn't some App-IDs look in the CN part of the certs being used (or was it the URL filtering that did this?), so the PA could somewhat inspect SSL traffic even if there is no SSL termination (decryption) set up?
10-01-2012 01:27 PM
I think it varies by App-ID signature. I've created a custom App-ID that looks at the CN part of the cert. If a match is present, then the application is called "my custom app" instead of SSL. At that point, I can create a security rule that blocks "my custom app" while still permitting SSL.