SSL Decryption every day more exclusions

Reply
Highlighted
L3 Networker

SSL Decryption every day more exclusions

Hi,

 

We are using a PaloAlto 3260 with PanOS 9.0.7. We have configured SSL decryption wich uses a certificate signed by our own Windows CA server. Each client in our environment has the Windows Root CA.

In the beginning (2 years ago) everything worked well. We could decrypt everything except everything in the category financial.

But now latest months it seems I need to add a lot of websites for no decryption because otherwise the employees can't visit the website. It is getting frustrated and I'm think about disabling SSL decryption, but maybe you guys know an answer or solution.

Thanks.

Highlighted
Community Team Member

Re: SSL Decryption every day more exclusions

Hi @ZEBIT ,

 

I would advise against disabling SSL decryption entirely.

 

Instead of just adding them to the no decrypt policy try figuring out why users are experiencing issues with those sites. 

Are you blocking access on some of the verifications (unsupported ciphers, versions, certificate issues, ... ) ?

 

Cheers,

-Kiwi

 

 

 

 
Highlighted
L3 Networker

Re: SSL Decryption every day more exclusions

Hi @kiwi 

I think I'm quit soft (too soft) in my policy. Here you can see screenshots of the whole policy + certficats like our partner implemented.

Capture3.PNGCapture4.PNGCapture5.PNG

 

Capture6.PNG

 

Capture7.PNGCapture.PNGCapture1.PNG

Highlighted
L4 Transporter

Re: SSL Decryption every day more exclusions

There are an increasing number of sites that use techniques that block SSL decryption. As an example, SSL pinning is used to block MITM attacks so it will keep you from accessing a site that uses it when SSL decrypt is enabled. 

The PA has a large default list of excluded sites, located in Device-Certificate Management-SSL Decryption Exclusion. We've had to add a fair number of sites to this list, including a few of the Microsoft online offerings.

I would agree that you shouldn't disable decryption globally, you'll just have to keep on top of creating exclusions when needed. I think you should also review your current policies. As you say, they are pretty soft.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!