SSL Decryption every day more exclusions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption every day more exclusions

L3 Networker

Hi,

 

We are using a PaloAlto 3260 with PanOS 9.0.7. We have configured SSL decryption wich uses a certificate signed by our own Windows CA server. Each client in our environment has the Windows Root CA.

In the beginning (2 years ago) everything worked well. We could decrypt everything except everything in the category financial.

But now latest months it seems I need to add a lot of websites for no decryption because otherwise the employees can't visit the website. It is getting frustrated and I'm think about disabling SSL decryption, but maybe you guys know an answer or solution.

Thanks.

3 REPLIES 3

Community Team Member

Hi @ZEBIT ,

 

I would advise against disabling SSL decryption entirely.

 

Instead of just adding them to the no decrypt policy try figuring out why users are experiencing issues with those sites. 

Are you blocking access on some of the verifications (unsupported ciphers, versions, certificate issues, ... ) ?

 

Cheers,

-Kiwi

 

 

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi 

I think I'm quit soft (too soft) in my policy. Here you can see screenshots of the whole policy + certficats like our partner implemented.

Capture3.PNGCapture4.PNGCapture5.PNG

 

Capture6.PNG

 

Capture7.PNGCapture.PNGCapture1.PNG

There are an increasing number of sites that use techniques that block SSL decryption. As an example, SSL pinning is used to block MITM attacks so it will keep you from accessing a site that uses it when SSL decrypt is enabled. 

The PA has a large default list of excluded sites, located in Device-Certificate Management-SSL Decryption Exclusion. We've had to add a fair number of sites to this list, including a few of the Microsoft online offerings.

I would agree that you shouldn't disable decryption globally, you'll just have to keep on top of creating exclusions when needed. I think you should also review your current policies. As you say, they are pretty soft.

  • 2527 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!