HTTPS Response pages


L4 Transporter

Hi,

I know that there are many threads here about this. We would like to show the response pages for HTTPS.

We saw this link but I have several doubts:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0

This command is enabled globally: "set deviceconfig setting ssl-decrypt url-proxy yes". So, is this command decrypting all SSL, or just injecting response pages? This would impact the CPU a lot.

In order to limit the SSL decryption to several users, I understand we need to use a decryption policy like usual.

What is the best way?

Cyber Elite

Hello there.

Yes, pretty much the only way for a response page to be seen is to enable decryption, so the FW can "see" web-browsing (application) on port 443 and then issue the response page.

It is not pretty, but it is a necessary requirement to set the expectation that end-user traffic MUST be decrypted (else, how does one propose to catch PII, HIPAA data, company trade secrets, credit cards, social security numbers, etc.)... The FW cannot block what it cannot see. 😞

Help the community: Like helpful comments and mark solutions

Cyber Elite

@BigPalo 

If you are not doing SSL decryption of the traffic and you want the response page enabled, then you use the command below, enabled globally:

"set deviceconfig setting ssl-decrypt url-proxy yes"

It will inject the response page. This will not cause a spike in CPU or actually decrypt the traffic.

Regards

MP

Help the community: Like helpful comments and mark solutions.

So we need to add this command "set deviceconfig setting ssl-decrypt url-proxy yes" and also a decryption policy?

@BigPalo 

You only need the CLI command, no decryption policy.

Regards

MP

Help the community: Like helpful comments and mark solutions.

OK, but will this command decrypt all HTTPS traffic passing the FW? What is the impact?

We are scared about showing the "certificate not trusted" web page to everyone. Although we put the PA root CA certificate in the browser, this is a global config.... Any way to filter by user?

The FW will only decrypt enough to read the URL category and provide the response page as needed. There is no complete decryption of the traffic.

That being said, I think we all should provide consistent messaging that decryption is a feature set that all customers should be researching, testing, etc.

My suggestion is to run the command, and then ONLY use your IP as a test machine, so it is not impactful to everyone. Test the feature, get comfortable with the feature, and then slowly roll this out to your network. Again, this is for getting the response page.

Once you feel comfortable, I would recommend that you research the entire Decryption function, learn what is needed and how to configure it, and continue to proceed with the feature set. As we have recently seen, there is an influx in the amount of malicious traffic inbound and laterally, due to SSL-encrypted files. A better security posture is to utilize all the features. It is generally stated that 65% to 80% of the Internet is TLS encrypted. So, by not implementing an important feature set, you are really getting 20 to 35% protection from Content-ID (and that does not include loss of intellectual property or sensitive data loss).

Are there any other questions/concerns we can assist with?

Help the community: Like helpful comments and mark solutions

OK, but this command is applied by CLI and it's global. How can we limit the decryption to just one user for testing purposes?

Is a decryption policy necessary for that? I'm not sure if enabling anything globally applies to everyone and a CPU issue will happen.

Good Day again.

We have provided you information about resolving your issue. It will now be up to you to decide how you would like to use this information. Both myself and MP18 stated that no decryption rules are used, and minimal CPU increase.

Help the community: Like helpful comments and mark solutions

L7 Applicator

Hi @BigPalo 

With the already proposed solutions you should be good to go without a performance impact. As you wrote correctly, it is a global setting, so if you want to be absolutely sure about what you are going to implement, then test the setup on a lab firewall. According to the knowledgebase article you also need to enable response pages (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0).

As @SCantwell_IM wrote you should consider enabling the decryption feature as this will dramatically improve the security and visibility in your network.
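A quick way to confirm, from the single test machine the replies above recommend, whether the response page is actually being injected for a blocked HTTPS site is to look at which certificate the client receives: the firewall presents its own certificate when it serves the block page, whereas an unaffected path returns the real site certificate. This is an added example, not code from the thread or from Palo Alto Networks; the CA common name "PaloAlto-Forward-Trust" and the blocked test hostname are placeholders you substitute with your own.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto Networks).
# Assumptions: openssl is installed on the test machine, $2 is the common name of
# the CA the firewall signs its block-page certificate with (placeholder below),
# and $1 is a hostname in a category your URL Filtering profile blocks.

# Fetch the issuer line of the leaf certificate presented for HOST (real network call).
fetch_issuer() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Pure check, usable offline: does an openssl "issuer=..." line name the firewall CA?
# Returns 0 if it does, 1 otherwise. Accepts both "CN = name" (OpenSSL 1.1+) and
# "CN=name" (older releases). The CA name is used as an ERE pattern, so keep it plain.
issuer_matches_fw_ca() {
    issuer_line="$1"
    ca_cn="$2"
    printf '%s\n' "$issuer_line" | grep -Eq "CN *= *$ca_cn( *,|$)"
}

# Interpret the result for the operator running the test.
report() {
    host="$1"
    ca_cn="$2"
    issuer=$(fetch_issuer "$host")
    if [ -z "$issuer" ]; then
        echo "$host: no certificate returned (connection reset or blocked without a response page)"
    elif issuer_matches_fw_ca "$issuer" "$ca_cn"; then
        echo "$host: certificate issued by firewall CA '$ca_cn' -> response page is being injected"
    else
        echo "$host: real site certificate ($issuer) -> no response-page interception on this path"
    fi
}

# Usage: sh check_response_page.sh <blocked-test-host> <firewall-CA-CN>
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

If the issuer is the firewall CA but the browser still warns, the CA certificate is not trusted on that client, which is the "certificate not trusted" situation raised earlier in the thread.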
