How to view active ssl sessions?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to view active ssl sessions?

L4 Transporter

I am planning to bring in a new ssl decryption appliance to my current network. How can I guage the ssl throughput  on my curent PA-5020 to make decision on right size of appliance?

 

TIA

20 REPLIES 20


@Remo wrote:

I mean this new appliance cannot simply terminate all encrypted connections and forward them decrypted. This will break almost everything in my eyes. Or are you talking about inbound decryption?


 

 

Unless the firewall is "between" the appliance that is doing the decryption?  I'm fairly certain they make appliances that your "in" and "out" interfaces as far as decryption can be different.  So you can essentially pass unencrypted traffic through other appliances specifically for this reason.

@SThatipelly

Just keep in mind that I only try to help 😛

 

... but I still don't see how this should work. If this is possible by bluecoat to forward unencrypted traffic to palo and then back to bluecoat where the traffic will be reencrypted - good. But with the additional points you bring up here, specially that you still want to use the protection of your Paloalto firewall. Don't you have to place this bluecoat appliance directly behind your internet router to even have a chance for this session matching? And what about NAT: do you have NAT configured on your paloalto and if yes, how will bluecoat do a session matching with different IP addresses and ports? And to DDoS protection, I doubt that the problem is the CPU of your firewall in case of an attack, it is much more likely that your complete bandwith will be used by the attack and you will be "offline" anyway, even with an cpu on your firewall that is idle.

L7 Applicator

@Brandon_Wertz

Thanks for clarification. I also got it ... the same as the decryption broker feature of paloalto in 8.1


@SThatipelly wrote:

SSL appliance would be in-line layer 2 with firewall. It just decrypts outbound and feeds plain traffic to firewall. Firewall processes it and sends it back out through same switch which inturn connects to a router to internet. It's little complicated network architecture. I actually donot like to bring in an extra appliance for decryption sake but the performance loss and future scalability are the only issues that are holding me back from doing it on firewall itself.


If you've got the money...Might I suggest just buying a replacement 5200 series firewall?

 

Instead of buying an appliance for the sole purpose of SSL decryption.  I can all but promise you a 5220 will be cheaper than any SSL decryption appliance.

 

My company recently purchased 5220s to replace our 5060s and we paid 1/3 the cost of the original 5060s.

 

--edit--

Looks like @BPry agrees with me!!  haha

After going through all your suggestions and tonnes of online documentation,quoting we decided to go ahead with phased decrytpion. But, before doing that I am tasked with finding curernt encrypted traffic throughput. what would be the best way to figure it out?

@SThatipelly,

Not sure you are going to get a super helpful answer. The fact of the mater is it's super easy to gather the number of sessions that are active, and the number of sessions active per zone. It's a lot harder to break that down; you can get the number of decrypted sessions per zone, but once you have that number it's next to impossible to determine what traffic was actually encrytped versus what traffic was not. 

 

A very quick solution would be to utilize the 'ACC' and the 'Network Activity' tab with the 'Application Usage' widget and set an application filter to just SSL traffic for the last 15 minutes and keep track of that. This would give you a rough estimate of what your session rate looked like for encrypted traffic; but keep in mind that the firewall is able to identify certain applications regardless of the traffic being encrypted. This would only give you a very rough estimate to start with. 

  • 6549 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!