How to view active ssl sessions?

L4 Transporter


I am planning to bring a new SSL decryption appliance into my current network. How can I gauge the SSL throughput on my current PA-5020 to make a decision on the right size of appliance?


TIA

Cyber Elite

Well, the public specs are around 2Gb of capacity through the appliance when doing features other than App-ID.


Are you going to be putting this appliance before or after the FW? You're wanting it to have the same SSL performance capabilities as your 5020?


L4 Transporter

This appliance will be in-line (probably layer 2) with the firewall. Yes, we want the same SSL performance as on the firewall. Before making any decisions on a product, I want to gauge our SSL throughput, because we hardly touch 150Mbps (total) throughput at any point.

Cyber Elite

Can I ask why you're wanting to get a separate SSL appliance? The firewall can SSL decrypt redirect (mirror) natively on the appliance.


I admit I don't know how to get you exactly what you're looking for. Are you wanting decrypted SSL or just general SSL throughput? You should easily be able to use the ACC to get general SSL throughput, but getting a "bps" decrypted throughput will probably be challenging.


It might be safer getting an appliance that can do 1Gbps of decrypted SSL. That way you'd have plenty of headroom and wouldn't need to revisit this topic in the future.
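One way to get an actual number out of the firewall for the sizing question above, rather than eyeballing the ACC, is to work from an exported traffic log. The script below is an added example for this thread, not code from the thread or from Palo Alto Networks. It assumes (not confirmed anywhere in the thread) a CSV export of session-end traffic-log records with columns named "Receive Time" (when the session ended), "Application", "Bytes" (both directions, whole session) and "Elapsed Time (sec)"; the column names are parameters so they can be matched to a real export. The sample rows embedded in it are constructed, not real log data. It spreads each session's bytes evenly over the session's lifetime before bucketing, which matters for long-lived TLS sessions that would otherwise all be credited to the minute they closed, and reports the peak and mean Mbit/s of traffic the firewall identified as ssl.

```python
"""Estimate the SSL throughput a firewall is already carrying from an
exported traffic log, to size a decryption appliance.

Added example for this thread; it is not code from the thread or from
Palo Alto Networks. Assumptions (not confirmed by the thread): the
input is a CSV export of traffic-log session-end records whose columns
are named "Receive Time" (when the session ended), "Application",
"Bytes" (both directions, whole session) and "Elapsed Time (sec)".
The column names are parameters so they can be matched to a real export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"
_EPOCH = datetime(1970, 1, 1)

# Constructed sample rows, not real log data.
SAMPLE_LOG = """\
Receive Time,Application,Bytes,Elapsed Time (sec)
2018/05/01 10:00:30,ssl,600000000,60
2018/05/01 10:00:45,web-browsing,12000000,30
2018/05/01 10:01:50,ssl,1200000000,120
2018/05/01 10:02:10,ssl,300000000,0
2018/05/01 10:03:00,dns,4000,0
"""


def _secs(ts):
    """Naive datetime -> integer seconds since a fixed reference."""
    return int((ts - _EPOCH).total_seconds())


def bucket_bytes(csv_text, apps=("ssl",), bucket_secs=60,
                 time_col="Receive Time", app_col="Application",
                 bytes_col="Bytes", elapsed_col="Elapsed Time (sec)"):
    """Return {bucket start "YYYY/mm/dd HH:MM:SS": bytes} for the apps.

    A session's bytes are spread evenly over its lifetime, so a long
    session does not all land in the bucket it ended in (which is what a
    naive sum of the log would do). Zero-length sessions are credited
    entirely to the bucket they ended in.
    """
    buckets = defaultdict(float)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[app_col] not in apps:
            continue
        end_s = _secs(datetime.strptime(row[time_col], TIME_FMT))
        total = int(row[bytes_col])
        elapsed = int(row[elapsed_col])
        if elapsed <= 0:
            buckets[end_s - end_s % bucket_secs] += total
            continue
        start_s = end_s - elapsed
        rate = total / elapsed              # bytes per second over the session
        b = start_s - start_s % bucket_secs
        while b < end_s:
            # seconds of this session that fall inside bucket [b, b+bucket_secs)
            overlap = min(end_s, b + bucket_secs) - max(start_s, b)
            buckets[b] += rate * overlap
            b += bucket_secs
    return {(_EPOCH + timedelta(seconds=b)).strftime(TIME_FMT): int(round(v))
            for b, v in sorted(buckets.items())}


def throughput_mbps(buckets, bucket_secs=60):
    """Convert per-bucket byte totals into Mbit/s."""
    return {k: v * 8 / bucket_secs / 1e6 for k, v in buckets.items()}


def summarize(csv_text, apps=("ssl",), bucket_secs=60):
    """Peak and mean Mbit/s for the selected apps: the peak is the number
    to size against, the mean shows how bursty the load is."""
    mbps = throughput_mbps(bucket_bytes(csv_text, apps, bucket_secs), bucket_secs)
    if not mbps:
        return {"peak_bucket": None, "peak_mbps": 0.0, "mean_mbps": 0.0}
    peak_bucket = max(mbps, key=mbps.get)
    return {"peak_bucket": peak_bucket,
            "peak_mbps": mbps[peak_bucket],
            "mean_mbps": sum(mbps.values()) / len(mbps)}


if __name__ == "__main__":
    for k, v in throughput_mbps(bucket_bytes(SAMPLE_LOG)).items():
        print(f"{k}  {v:8.1f} Mbit/s")
    print(summarize(SAMPLE_LOG))
```

Run it over a full day or week of exported logs, size against the peak rather than the mean, and remember that only sessions the firewall classified as ssl are counted, so anything TLS on a non-standard port that App-ID labelled differently is left out. Use a 5-minute bucket if you want a figure comparable to the ACC's coarser view, and keep the headroom suggested above on top of whatever peak comes out.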

L4 Transporter

I am very comfortable doing decryption on the firewall, but I learnt there would be a significant performance loss if done.

https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/

So, we want to deploy a dedicated appliance. Not sure about sizing, so I am struggling to get the numbers right.

Cyber Elite

@SThatipelly,

I would attempt to get a current report if you are making your purchasing decisions off of this report. Palo Alto has made a number of performance enhancements since 2013 that make anything you're looking at in this report outdated.

Cyber Elite


@SThatipelly wrote:

I am very comfortable doing decryption on the firewall, but I learnt there would be a significant performance loss if done.

https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/

So, we want to deploy a dedicated appliance. Not sure about sizing, so I am struggling to get the numbers right.



To add on to what @BPry said, if you're going to off-load SSL interception you're going to lose some pretty critical capabilities to protect your network on the firewall. Proper URL filtering enforcement as well as application controls need SSL decryption.

L4 Transporter

SSL offloading will be done before the firewall and plain traffic is fed to the firewall. I do not anticipate any loss of visibility. Please correct me if I am wrong.

Cyber Elite

If you're going to give the firewall a decrypted view of the traffic then it shouldn't be a problem; but like @BPry said, the SSL performance specs of the firewalls / PAN-OS 8.X code have been greatly improved.


I wouldn't base the assumption that you're going to have a performance hit solely on a 5-year-old report.

Cyber Elite

May I add something here: the connections will not be "slower" with decryption enabled, but the maximum throughput decreases dramatically on PA-5000 series hardware. It is true that there are major improvements with PAN-OS 8.X, but only in software ... the hardware remains the same. I don't know exactly about the PA-5020, but with a PA-5050 the hardware reaches its limits at a max of 300 Mbit/s of decrypted traffic.

The major problem is that the hardware is already "old", and since then there have been major improvements in the encryption algorithms used on the internet, and the chips aren't really made specifically for all these new algorithms. So with this hardware (PA-5020) this report could still be true or even worse because of the mentioned algorithms.


But back to the topic. @SThatipelly, how are you going to configure everything like you proposed and still maintain visibility on your PA firewall? Only in TAP mode? Because without that I don't get how the PA would see and actively process the unencrypted traffic. I mean, this new appliance cannot simply terminate all encrypted connections and forward them decrypted. This will break almost everything in my eyes. Or are you talking about inbound decryption?
