This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

ssl decryption best practices?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ssl decryption best practices?

networkadmin
L4 Transporter

‎10-15-2010 01:01 PM

I'd like to look at implementing it but I'm wary of all the potential caveats i.e. applications that don't play nice, and machines that are non-windows or non-domain so wouldn't get a trusted CA via Group Policy.

I've read the guides so know how to do it and what the suggested categories are to exclude, but I'd be grateful for any real-world feedback from those of you who have done this.

Also if you have custom URL categories and have a site in one of those, which takes preference in the SSL decryption rules i.e. if www.domain.com is in both "auctions" and "corp whitelist" and a decryption policy is defined to exclude "auctions" what happens?

Thanks.

1 person had this problem.
0 Likes Likes
3 REPLIES 3

ggutierrez
L3 Networker

‎10-18-2010 04:53 PM

The categories decrypted would depend on your local preference. As far as the example with the www.domain.com, it would depend on the orfer of the rule. Rules are looked at from top to bottom.

0 Likes Likes

networkadmin
L4 Transporter
In response to ggutierrez

‎10-19-2010 10:02 AM

Thanks, but that isn't really what I was getting at.  I wondered from other peoples experimentation if there were any "definitely don't try and decrypt XYZ" scenarios.  For example I read about Microsoft Update not working.

0 Likes Likes

pnotpub
L1 Bithead
In response to networkadmin

‎10-20-2010 01:28 AM

Hello

Cases where SSL decrypt may cause issues:

The example in "Dual ISP Branch Office Configuration" does not work well together with SSl decrypt.


Applications outside the  web browser may not read trusted CA's the same way as your web browser.
Bloomberg is one example.


BlackBerry  /BES  server may also require additional configuration steps.


If you use the web categories from Brightcloud in your SSL Decrypt rules and your users go to a lot of non-US web sites,

expect to get to know BrightClods "Suggest a new category".

Regards Paul M.

  • 4328 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks