This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Looking to get started with SSL Decryption

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

Looking to get started with SSL Decryption

Go to solution
wrainwater
L2 Linker

‎11-03-2017 06:35 PM

I'm currently reading articles on this site on how to set this up. I was hoping someone could point me to a guide or tell me a very basic test set up for this feature on the P.A. Thanks in advanced.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
BenLassila
L3 Networker

‎11-04-2017 08:36 AM

You probably want to intercept outbound browsing. Device > Certificates > Generate > Tick Certificate Authority ... make a certificate Edit your certificate and tick Forward Trust Certificate Tick your certificate and select Export Certificate. Do not export private key. Store file locally and open it on your desktop. Install Certificate Place it to your Trusted Root Certification Authorities store. Policies > Decryption Add your decryption rule > Make it match your traffic > Options > Action: Decrypt, Type: SSL Forward Proxy > New Decryption Profile (anything works) Commit There are a few more things you can do optionally (e.g. untrust certificate), but this gets you started.

View solution in original post

6 REPLIES 6

Go to solution
BenLassila
L3 Networker

‎11-04-2017 08:36 AM

You probably want to intercept outbound browsing. Device > Certificates > Generate > Tick Certificate Authority ... make a certificate Edit your certificate and tick Forward Trust Certificate Tick your certificate and select Export Certificate. Do not export private key. Store file locally and open it on your desktop. Install Certificate Place it to your Trusted Root Certification Authorities store. Policies > Decryption Add your decryption rule > Make it match your traffic > Options > Action: Decrypt, Type: SSL Forward Proxy > New Decryption Profile (anything works) Commit There are a few more things you can do optionally (e.g. untrust certificate), but this gets you started.

Go to solution
wrainwater
L2 Linker
In response to BenLassila

‎11-04-2017 12:59 PM - edited ‎11-04-2017 01:05 PM

Thanks. That was very easy to follow. I'll give it a try. I'll repost here if I'm unsuccessful.

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to wrainwater

‎11-05-2017 01:13 AM

Nicely explained @BenLassila. The next thing i would do is to create a new “no decrypt” policy pointing to a no decrypt “url category”.

 

any sites that fail due to decryption attempts can simply be added to the new category.

 

it maybe something I’m doing wrong but this category for me is ever increasing.

 

i have noticed several posts regarding similar issues.

 

 

Go to solution
BenLassila
L3 Networker
In response to Mick_Ball

‎11-05-2017 01:40 AM

In the earlier versions of PanOS for large scale corporate deployments I had to manually add a number of lesser-known Trusted Root certificates. This has got a lot better with PanOS 7.1 and up. In the newest versions of PanOS you have a pre-populated "SSL Decryption Exclusion" list under Device > Certificate Management, which may be used as alternative to your no-decrypt list.

 

Depending on your risk appetite you can also just allow decrypt errors to be allowed in future attempts. This is set in the Decryption Profile. The failed URL in question then enters a list in memory for which the firewall won't try decrypt again. Your problem could forever go away with the right setting, except that you have less visibility or control over where SSL Decryption is failing.

 

Hope this helps

Go to solution
Mick_Ball
L7 Applicator
In response to BenLassila

‎11-05-2017 02:03 AM

@BenLassila... noted. Many thanks.

we do already use the pre populated list. I should have been more specific in saying that we have a no decrypt site specific rule for the sites outside of the pre defined.

 

i have pretty much configured as you suggested but still get sites that fail on decrypt attempts and have to be added to my extra no decrypt policy.

 

i will check settings on monday. Dont want to move away to much from the original post.

 

thanks again for your time.

Go to solution
wrainwater
L2 Linker
In response to Mick_Ball

‎11-05-2017 10:20 AM

Reading your experiences is teaching me something about the SSL decryption in the firewall. Diverge from the original as much as you want.

0 Likes Likes
  • 1 accepted solution
  • 5214 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks