How to view active ssl sessions?

BPry
Cyber Elite

@SThatipelly,

If you are stuck on going with an additional appliance, which I'll reiterate that I personally believe is a waste of resources at this point (especially given your stated max bandwidth); make sure that the appliance that you purchase is actually capable of handing the firewall unencrypted traffic.

The vast majority of decryption appliances are not going to pass unencrypted traffic. It will decrypt the traffic and re-encrypt it with its own certificate as it keeps track of what that traffic actually looks like in its unencrypted format. This means that the Palo Alto will once again still be looking at encrypted traffic.

What I highly recommend doing is setting up a test with what you already have (the 5020) and seeing if you actually see any noticeable performance hits. If you are only processing max 150Mbps total throughput you aren't going to notice anything with SSL-Decryption enabled directly on the firewall.

If after this test you still feel the need to install an additional appliance then do so, just make sure that it actually can pass unencrypted traffic to the firewall. 

SThatipelly
L4 Transporter

SSL appliance would be in-line layer 2 with firewall. It just decrypts outbound and feeds plain traffic to firewall. Firewall processes it and sends it back out through same switch which in turn connects to a router to internet. It's a little complicated network architecture. I actually do not like to bring in an extra appliance for decryption's sake but the performance loss and future scalability are the only issues that are holding me back from doing it on firewall itself.

SThatipelly
L4 Transporter

Bluecoat, for example, decrypts the traffic and feeds plain traffic to inline active devices like firewall. The problem here is the firewall is already in production and I cannot risk any performance drops since this is the critical node. I may have to talk to Palo to see what performance loss can be anticipated with my peak traffic rate decryption.

BPry
Cyber Elite

@SThatipelly,

I'm not seeing anywhere in this plan where the appliance would take the traffic again to actually re-encrypt the session, so the plan is to simply send it out the router in an unencrypted format? That might need some additional design thought unless I'm simply just misunderstanding what is planned. 

If you are looking at a Bluecoat appliance wouldn't it be cheaper to simply upgrade to a newer firewall that wouldn't have any issue at all doing the decryption? Bluecoat gets expensive really quickly. I would likely look into Zscaler if an upgrade to a 5220 isn't available. At least with Zscaler you don't really have an appliance to worry about and the costs are relatively reasonable; then you can cancel when you actually get the approval to right-size your firewall with an upgrade.

SThatipelly
L4 Transporter

@BPry 

Bluecoat acts like a switch, so as soon as it receives traffic from firewall, if it matches an existing session it gets re-encrypted.

My concern with using up a good amount of CPU on firewall is it may make firewall less resistant to some attacks like DDoS where packet handling capacity would be drastically reduced.

I am simply planning these with future scalability in mind. Thank you all for your responses. These will definitely help me in decision making.

Brandon_Wertz
Cyber Elite


@vsys_remo wrote:

I mean this new appliance cannot simply terminate all encrypted connections and forward them decrypted. This will break almost everything in my eyes. Or are you talking about inbound decryption?

Unless the firewall is "between" the appliance that is doing the decryption? I'm fairly certain they make appliances where your "in" and "out" interfaces, as far as decryption goes, can be different. So you can essentially pass unencrypted traffic through other appliances specifically for this reason.

vsys_remo
Cyber Elite

@SThatipelly

Just keep in mind that I only try to help :P

... but I still don't see how this should work. If it is possible for Bluecoat to forward unencrypted traffic to Palo and then back to Bluecoat where the traffic will be re-encrypted - good. But with the additional points you bring up here, especially that you still want to use the protection of your Palo Alto firewall: don't you have to place this Bluecoat appliance directly behind your internet router to even have a chance for this session matching? And what about NAT: do you have NAT configured on your Palo Alto and if yes, how will Bluecoat do session matching with different IP addresses and ports? And as to DDoS protection, I doubt that the problem is the CPU of your firewall in case of an attack; it is much more likely that your complete bandwidth will be used by the attack and you will be "offline" anyway, even with a CPU on your firewall that is idle.

vsys_remo
Cyber Elite

@Brandon_Wertz

Thanks for the clarification. I also got it ... the same as the decryption broker feature of Palo Alto in 8.1

Brandon_Wertz
Cyber Elite


@SThatipelly wrote:

SSL appliance would be in-line layer 2 with firewall. It just decrypts outbound and feeds plain traffic to firewall. Firewall processes it and sends it back out through same switch which in turn connects to a router to internet. It's a little complicated network architecture. I actually do not like to bring in an extra appliance for decryption's sake but the performance loss and future scalability are the only issues that are holding me back from doing it on firewall itself.


If you've got the money...Might I suggest just buying a replacement 5200 series firewall?

Instead of buying an appliance for the sole purpose of SSL decryption. I can all but promise you a 5220 will be cheaper than any SSL decryption appliance.

My company recently purchased 5220s to replace our 5060s and we paid 1/3 the cost of the original 5060s.

--edit--

Looks like @BPry agrees with me!! haha

SThatipelly
L4 Transporter

After going through all your suggestions and tonnes of online documentation, we decided to go ahead with phased decryption. But, before doing that I am tasked with finding current encrypted traffic throughput. What would be the best way to figure it out?
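Added example, not from the thread or from Palo Alto Networks: one way to size the decryption workload before enabling phased decryption is to aggregate per-session records from a traffic-log export by application and work out both the encrypted share of bytes and the peak encrypted throughput. The CSV layout and the rows below are constructed for illustration (not the firewall's real export format), and treating only the application "ssl" as encrypted is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a per-session traffic-log export (not a real PAN-OS export):
# start = session start (epoch seconds), app = application, elapsed = duration in
# seconds, bytes = total bytes of the session.
SAMPLE_LOG = """start,app,elapsed,bytes
1700000000,ssl,10,12500000
1700000000,web-browsing,10,5000000
1700000005,ssl,10,25000000
1700000010,smtp,5,1000000
1700000012,ssl,2,5000000
"""

# Assumption: application names that count as encrypted traffic.
ENCRYPTED_APPS = {"ssl"}


def parse_sessions(text):
    """Parse the CSV export into session dicts; a zero duration counts as one second."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"start": int(r["start"]), "app": r["app"],
                     "elapsed": max(int(r["elapsed"]), 1), "bytes": int(r["bytes"])})
    return rows


def bytes_by_app(rows):
    """Total bytes per application, so the biggest decryption candidates stand out."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["app"]] += r["bytes"]
    return dict(totals)


def encrypted_share(rows):
    """Fraction of all bytes that decryption would touch (0.0 when the log is empty)."""
    total = sum(r["bytes"] for r in rows)
    encrypted = sum(r["bytes"] for r in rows if r["app"] in ENCRYPTED_APPS)
    return encrypted / total if total else 0.0


def peak_encrypted_mbps(rows):
    """Peak one-second encrypted throughput in Mbps, spreading each session evenly."""
    per_second = defaultdict(float)
    for r in rows:
        if r["app"] not in ENCRYPTED_APPS:
            continue
        rate = r["bytes"] / r["elapsed"]
        for t in range(r["start"], r["start"] + r["elapsed"]):
            per_second[t] += rate
    return max(per_second.values()) * 8 / 1_000_000 if per_second else 0.0
```

The peak figure is what to compare against the firewall's rated decryption throughput; a session-level export smooths out sub-second bursts, so treat it as a lower bound.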
