05-12-2021 03:36 AM
I know that there are many threads here about this. We would like to show the response pages for https.
We saw this link but i have several doubts:
This command is enabled globally: "set deviceconfig setting ssl-decrypt url-proxy yes". So, is this command decrypting all SSL? or just injecting response pages? This would impact a lot in the CPU.
In order to limit the decrypt ssl for several users i understand we need to use decryption policy like usual.
what is the best way?
05-12-2021 05:15 PM
Yes, pretty much, the only way for a response page to be seen, is to enable decryption, so the FW can "see" web-browsing (application) on port 443, and then issue the response page.
It is not pretty, but it is a necessary requirement to set the expectation that end user traffic MUST be decrypted (else, how does one propose to catch PII, HIPPA, company trade secrets, credit cards, social secuirty, etc)... The FW cannot block what it cannot see. 😞
05-13-2021 05:06 PM
If you are not doing ssl decryption of the traffic and you want response page enabled then you use below command
enabled globally: "set deviceconfig setting ssl-decrypt url-proxy yes"
It will inject the response page. This will not cause Spike in CPU or actually decrypt the traffic.
05-14-2021 10:54 AM
So we need to add this command " "set deviceconfig setting ssl-decrypt url-proxy yes"" and also a decryption policy?
05-14-2021 11:55 AM
05-15-2021 02:46 AM - edited 05-15-2021 02:53 AM
OK, but this command will be to decrypt all traffic https passing the FW? what is the impact?
We are scared about showing the certificate not trusted web for everyone. Althoug we put the CA root PA certificate in browser, but like this is a global config....any way to filter by user?
05-15-2021 07:36 AM
The FW will only decrypt enough to read the URL category and provide the response page as needed. There is not complete decryption of the traffic.
That being said, I think we all should provide consistent messaging that decryption is a feature set that all customers should be researching/testing, etc.
My suggestion is to run the command, and then ONLY use your IP as a test machine, so it is not impactful to everyone. Test the feature, get comfortable with the feature, and then slowly rollout this to your network. Again, this is for getting the response page.
Once you fell comfortable, I would recommend that you research the entire Decryption function, learn what is needed, how to configure it, and continue to proceed with the feature set. As we have recently seen, there in an influx in the amount of malicious traffic inbound and laterally, due to SSL encrypted files. A better security posture is to utilize all the features. It is generally stated that 65% to 80% of the Internet is TLS encrypted. So, by not implementing an important feature set, you are really getting 20 to 35% protection of ContentID (and that does not include loss of intellectual property or sensitive data loss)
Is there any other questions/concerns we can assist with?
05-15-2021 09:57 AM
OK, but this command is applied by CLI ad its global. How can we limit the decrypt for just one user and testing purposes?
is it neccesary a decryption policy for that? im not sure if enabling anything global apply for everyone and cpu issue will happen.
05-15-2021 02:21 PM
Good Day again.
We have provided you information about resolving your issue. It will now be up to you to decide how you would like to use this information. Both myself and MP18 stated that no decryption rules are used, and minimal CPU increase.
05-16-2021 09:19 AM
With the already proposed solutions you should be good to go without a performance impact. Aso you wrote correctly, it is a global setting so if you want to be absolutely sure about what you are going to implement, then test the setup on a lab firewally. According to the knowledgebase article you also need to enable response pages ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0 ).
As @SteveCantwell wrote you should consider enabling the decryption feature as this will dramatically improve the security and visibility in your network.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!