SSL Decryption

L1 Bithead


Hi guys,

Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles that explain how Decryption policy works and how to set it up. I have checked and double checked my settings and I cannot make it work, for instance, when I enable Decryption.


Here are the rules:

[Image: Decryption Rules]

[Image: Security Rules]

Can you guys see any mistake in my settings?




Community Team Member

Hi @DaniloBarbosa,


Am I missing something? Because I don't see you allowing the facebook app in your policy, which is what you're trying to achieve in your example ... correct? I see you only allowing ssl and web-browsing.


Also your policy order seems incorrect, as you have a block-all rule in front of your allow ssl and web-browsing rule as far as I see it, preventing you from ever hitting your allow rule.


Cheers !



L7 Applicator

You will need to remove the "application-default" on that rule, because once the SSL is stripped and the underlying application is seen, it's still on port 443 which is not in the list of default ports on 'web-browsing'.


The logic may seem odd, but it follows this flow:

1. Traffic is identified as SSL when the Client Hello is seen.

2. Decryption starts here, and when the TLS handshake is completed the app-id switches from "SSL" to "Web-browsing".

3. Because the app has changed, it is re-evaluated in security policy. Since the app is web-browsing, but it's not on port 80 as defined in the app, rule 4 will be skipped.

4. The application has no matching rules, so it falls to the Interzone-default which denies the rest of that session.
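The four-step flow above can be traced with a small policy-evaluation model. This is an added example, not code from the thread or from PAN-OS; the application-default port tables and rule names are assumed, and the same model also checks the later goal of allowing HTTPS only on tcp/443 while denying other apps on that port.

```python
# Constructed model of security-policy re-evaluation after SSL decryption.
# Assumed application-default ports: ssl -> tcp/443, web-browsing -> tcp/80.
from dataclasses import dataclass

APP_DEFAULT_PORTS = {"ssl": {("tcp", 443)}, "web-browsing": {("tcp", 80)}}


@dataclass
class Rule:
    name: str
    apps: set        # {"any"} or a set of app-ids
    service: object  # "application-default", "any", or a set of (proto, port)
    action: str      # "allow" or "deny"

    def matches(self, app, proto, port):
        if "any" not in self.apps and app not in self.apps:
            return False
        if self.service == "any":
            return True
        if self.service == "application-default":
            # Step 3: web-browsing on tcp/443 is not a default port, so no match.
            return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
        return (proto, port) in self.service


# Step 4: nothing matched, so the session falls to the interzone-default deny.
INTERZONE_DEFAULT = Rule("interzone-default", {"any"}, "any", "deny")


def evaluate(rules, app, proto="tcp", port=443):
    """Return (rule name, action) of the first rule matching the session."""
    for rule in rules + [INTERZONE_DEFAULT]:
        if rule.matches(app, proto, port):
            return rule.name, rule.action


def decrypted_session_verdicts(rules):
    """Steps 1-2: the session is first seen as ssl at the Client Hello, then the
    app-id becomes web-browsing after decryption and policy is re-evaluated."""
    return {app: evaluate(rules, app) for app in ("ssl", "web-browsing")}


# Rule 4 from the thread: allow ssl and web-browsing on application-default.
RULE4 = Rule("rule4-app-default", {"ssl", "web-browsing"}, "application-default", "allow")
# The fix discussed in the thread: a separate rule for web-browsing on tcp/443.
FIX = Rule("web-browsing-443", {"web-browsing"}, {("tcp", 443)}, "allow")

if __name__ == "__main__":
    print(decrypted_session_verdicts([RULE4]))       # web-browsing -> interzone deny
    print(decrypted_session_verdicts([RULE4, FIX]))  # web-browsing -> allow
```

With the fix rule in place, another app-id on tcp/443 or web-browsing on a non-default port such as tcp/8443 still falls through to the interzone-default deny, which is the narrower behaviour the original poster asks for rather than a blanket "any application on tcp/443" rule.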

L3 Networker

Hi @gwesson @DaniloBarbosa @kiwi


I think they should release an application list update which adds port 443 as a working port for the web-browsing application.


I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so a policy rule that allows web-browsing on application-default will not work, because the application-default is 80.


You need to create another policy to allow web-browsing application on 443 port.


Cyber Elite


So here's the thing with what you are asking: it breaks the app-id for anyone that isn't decrypting traffic. So say, for example, the app-id is updated to allow tcp/443 in addition to the standard tcp/80; for anyone that isn't decrypting traffic, seeing web-browsing on tcp/443 would be a concern.

Because of that, the guide for enabling SSL-Decryption specifically calls out the fact that you'll see web-browsing on tcp/443. As you have to actively enable SSL-Decryption, it makes sense to break things for people who are actively enabling a new feature versus breaking things for everybody else. 

L3 Networker


Thank you for the reply,


So for the users who are decrypting the traffic, do we need to create a custom application for web-browsing on 443?


Because with the current situation I need to create another policy rule to allow web-browsing on 443.


I think it will be better to create new application like: Secure web-browsing.


Cyber Elite


That would be more of a personal preference. If you want to build out a new application signature and create a new app-id for identifying traffic you can certainly do so; however, with that being said, most environments would bypass that and simply allow web-browsing on tcp/443 via a separate policy.

L1 Bithead

Hi @gwesson,


I did follow your advice and changed the service from "application-default" to "any" but it did not work.

Here is "Any" on the service tab for SSL and web-browsing.


[Image: SSL with Any on service tab.]

Then, I enabled rule 5 (any application) but with service TCP/443. Facebook access was allowed, like the picture below. The rule basically says any application on port 443 (TCP) is allowed.


[Image: HTTPS with TCP/443 service only.]

Another interesting point: the decryption rule is enabled and very simple, but the certificate that I am getting is not the self-generated one from the firewall.


[Image: Decryption rule]

[Image: SSL certificate for decryption rule]

The decryption rule is not working, because I should see the certificate from the firewall, not from facebook. But let's not discuss this issue now; let's go back to the SSL/HTTPS issue.


My goal is to create a rule that allows HTTPS (application) on its default port (443) and protocol (TCP) only; any other application on tcp/443 will be blocked, and HTTPS on any port that is not 443 will be blocked.


I don't want a generic rule allowing TCP on port 443, that would match any application. 




L1 Bithead

Hi @SShnap

I will try that. Maybe you gave me the answer and I didn't
