no decryption policy set, wan to wan traffic decrypt is yes



L1 Bithead

Hi All , 

 

We did not set a decryption policy,
but in the threat log it is seen that Decrypted is "yes", and the traffic is WAN to WAN.

Under what circumstances will a WAN-to-WAN log with Decrypted = yes be generated?

 

thanks

1 accepted solution

Accepted Solutions

Cyber Elite

@Hsinyu,

Just to be abundantly clear, the only time that traffic is automatically decrypted by the firewall is if the traffic terminates on the firewall. So in the example of a GlobalProtect Portal/Gateway, that traffic will be decrypted automatically without anything being configured by you as the admin.

In the event that you have a device set up in your WAN/untrust zone outside of the above examples, it won't be automatically decrypted by the firewall unless you set up a decryption policy. For example, if I hang a VPN concentrator off of a firewall and just place it in a WAN/untrust zone, the firewall won't automatically start decrypting that traffic.

 

That might add a bit of confusion as this isn't a common deployment that folks do, but it's important to have that distinction present. 

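The distinction in the accepted answer (decrypted because the session terminates on the firewall, versus decrypted because a decryption rule matched) is easy to check mechanically. The following is an added example, not code from Palo Alto Networks or from anyone in this thread. It works on a constructed, simplified key=value record format rather than the real PAN-OS syslog CSV, and the firewall-owned addresses (GlobalProtect portal/gateway IPs) and the decryption rulebase are hypothetical placeholders you would replace with your own.

```python
"""Triage why a log entry shows Decrypted = yes when no decryption policy exists.

Added example (not Palo Alto Networks code). Record format, addresses and the
decryption rulebase below are constructed/hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical: addresses on which the firewall itself terminates TLS
# (e.g. a GlobalProtect portal/gateway interface IP).
FIREWALL_OWNED_IPS = {ip_address("203.0.113.10")}

# Hypothetical decryption rulebase as (from_zone, to_zone) pairs; "any" is a
# wildcard. Empty list reproduces the situation in the question: no policy set.
DECRYPTION_POLICY: list[tuple[str, str]] = []


@dataclass
class LogEntry:
    src: str
    dst: str
    from_zone: str
    to_zone: str
    app: str
    decrypted: bool


def parse_line(line: str) -> LogEntry:
    """Parse one constructed 'key=value key=value ...' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogEntry(
        src=fields["src"],
        dst=fields["dst"],
        from_zone=fields["from"],
        to_zone=fields["to"],
        app=fields["app"],
        decrypted=fields["decrypted"].lower() == "yes",
    )


def policy_matches(entry: LogEntry, policy) -> bool:
    """True if any (from, to) rule covers this session; 'any' matches everything."""
    return any(
        (f in ("any", entry.from_zone)) and (t in ("any", entry.to_zone))
        for f, t in policy
    )


def classify(entry: LogEntry, owned=FIREWALL_OWNED_IPS, policy=DECRYPTION_POLICY) -> str:
    """Explain a Decrypted flag using the rule from the accepted answer."""
    if not entry.decrypted:
        return "not-decrypted"
    # Session terminates on the firewall (portal/gateway): decrypted automatically.
    if ip_address(entry.dst) in owned:
        return "terminates-on-firewall"
    # Otherwise a decryption rule must have matched.
    if policy_matches(entry, policy):
        return "decryption-policy"
    # Decrypted, not firewall-owned, no matching rule: worth investigating
    # (e.g. an interface/address you forgot is hosted on the firewall).
    return "unexplained"


def triage(lines, owned=FIREWALL_OWNED_IPS, policy=DECRYPTION_POLICY) -> dict[str, int]:
    """Count verdicts across a batch of log lines."""
    counts: dict[str, int] = {}
    for line in lines:
        verdict = classify(parse_line(line), owned, policy)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample log lines (not real PAN-OS output).
LOG_LINES = [
    "src=198.51.100.23 dst=203.0.113.10 from=wan to=wan app=ssl decrypted=yes",  # GP gateway
    "src=198.51.100.23 dst=203.0.113.55 from=wan to=wan app=ssl decrypted=yes",  # not explained
    "src=10.1.1.5 dst=93.184.216.34 from=trust to=wan app=ssl decrypted=no",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        e = parse_line(line)
        print(f"{e.from_zone}->{e.to_zone} {e.src}->{e.dst}: {classify(e)}")
    print(triage(LOG_LINES))
```

The first sample line is the case from this thread: WAN-to-WAN, Decrypted = yes, destination is the firewall's own GlobalProtect address, so it is expected without any rule. Passing a non-empty rulebase, e.g. `[("trust", "wan")]`, shows how the same code attributes a Decrypted flag to a configured policy instead.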

4 REPLIES

L5 Sessionator

If an SSL session is terminated on the WAN interface (for example, the GlobalProtect portal), it will be a wan2wan session and also decrypted.

Hi Emr

I want to confirm whether my understanding is correct:
as long as the SSL 443 session from WAN to WAN ends on the WAN interface, it will be decrypted by default on the PA. If it is a threat, it will be blocked, right?

Is there any other possibility besides SSL?

 

thanks

Yes to the first part.

The action ("blocked", you said) depends on your configuration. If you configure it to be blocked, you are correct.

If you are pointing to this Decrypted column, it indicates SSL decryption was applied to the SSL/TLS session.


