Is Decryption needed without URL filtering?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is Decryption needed without URL filtering?

L3 Networker

Hello.

 

We currenly have a Palo-5050 v7.18 doing firewalling and URL filtering.

We have SSL decryption enabled.

 

Because Palo does not support transparent authentication using Chromebooks and because we do not like the Palo URL reporting, we are looking at getting rid of the URL filtering part.

 

Do we still need to have SSL decryption enabled for normal firewall apps and function?

 

If yes, does that mean we would need to have multiple SSL certs installed on our client devices:

1 for Palo SSL decyption

1 for new URL filtering product

?

 

Much thanks.

Dan

 

2 REPLIES 2

Cyber Elite
Cyber Elite

Depends on the application you are trying to catch and the need to see threats, short answer is yes you want to decrypt the traffic more than likely so leave that on. 

 

If your new URL filtering product requires SSL decrytion then it will need this as well. I imagine that in a school enviroment you are probably looking at something like a Barracuda, in which case it helps to have SSL decryption enabled and you would need the required certs to configure this correctly loaded onto the client devices. 

L4 Transporter

Hi Dannon,

 

Decryption would be better for application and threat detection. If not, we might not see the application shift which may happen after the base application is read. Decryption requires a certificate which is marked as CA and the private key should be on the firewall. You could have 2 different certificates for Palo Alto, URL filtering service. However, you could also export certificate from one device and import it into another (PA can do that, not sure about the other device).

 

Regards,

Anurag 

================================================================
ACE 7.0, 8.0, PCNSE 7
  • 2200 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!