SSL Decryption

L4 Transporter

SSL Decryption

I have never configured any type of SSL decryption, so how do I check for it, what can be configured to use it, and is there decryption that occurs by default with no configuration?

L4 Transporter

Re: SSL Decryption

SSL decryption is used to better observe the traffic going through the firewall. It's not enabled by default. You can tell if it's in use by looking at a certificate of a site and seeing that it's secured by the forward proxy cert defined on the firewall. The forward cert must be issued by an authority that all the endpoints trust or you'll get warnings.

There are articles in the KB about it, how to configure, the traffic flow, what to exempt from decryption. Have you looked through those?
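A way to script the certificate check described in the reply above. This is an added example, not code from the original thread or from the firewall vendor: it connects to a site, reads the peer certificate, and reports whether the leaf was re-signed by the firewall's forward-trust CA. The CA name `PAN Forward Trust CA` and the host names are assumptions; substitute the CN of the forward-trust certificate actually configured on your firewall. The two sample certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, so the classification can be exercised offline.

```python
"""Check whether an HTTPS site's certificate was issued by the firewall's
forward-trust CA, i.e. whether SSL Forward Proxy decryption is in effect.

Added example; not part of the original thread. FORWARD_TRUST_CA_CN is an
assumption: replace it with the CN of your firewall's forward-trust cert.
"""
import socket
import ssl

# Assumption (hypothetical value): CN of the firewall's forward-trust CA.
FORWARD_TRUST_CA_CN = "PAN Forward Trust CA"


def _name_to_dict(rdn_seq):
    """Flatten the nested name tuple from getpeercert() into {attr: value}."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_issuer(cert, forward_trust_cn=FORWARD_TRUST_CA_CN):
    """Return 'decrypted' if the leaf cert's issuer CN is the forward-trust
    CA (the firewall re-signed it), otherwise 'passthrough'."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") == forward_trust_cn:
        return "decrypted"
    return "passthrough"


def check_site(hostname, port=443, forward_trust_cn=FORWARD_TRUST_CA_CN, timeout=5.0):
    """Live check. Returns (verdict, issuer_cn_or_error).

    If this host does not trust the forward-trust CA the handshake fails with
    a verification error; that is reported as 'untrusted-issuer' rather than
    treated as 'no decryption', because it is exactly the browser warning the
    reply above describes (and also what a genuine MITM looks like)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted-issuer", str(exc))
    issuer = _name_to_dict(cert.get("issuer", ()))
    return (classify_issuer(cert, forward_trust_cn), issuer.get("commonName"))


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example Public CA"),)),
}
SAMPLE_DECRYPTED = {
    # Subject is still the real site; only the issuer changes under forward proxy.
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "PAN Forward Trust CA"),),),
}

if __name__ == "__main__":
    print(classify_issuer(SAMPLE_PASSTHROUGH))  # passthrough
    print(classify_issuer(SAMPLE_DECRYPTED))    # decrypted
```

Run `check_site("www.example.com")` from an endpoint behind the firewall to test a real site. Sites excluded from decryption keep their original public issuer, so checking one site proves only that that site is (or is not) being decrypted; test a few that are not on the exclusion list.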

Cyber Elite

Re: SSL Decryption

Hello,

Here are a few links that should help out.

Configuring SSL Decryption:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC


Implementing:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0


Troubleshooting:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS


What I did was apply it only to one user, me. Then from there I slowly added additional users. I am also using User-ID so I can do it by AD groups.


Hope that helps.

L4 Transporter

Re: SSL Decryption

@OtakarKlier @rmfalconer 

Yes, I had looked at both of those and wasn't sure if they were still applicable since the OS described is 6.1. The reason I asked is because I did not configure decryption, and I checked and saw there was none configured on the firewall. I did not know if decryption occurs by default on some traffic like URL and GlobalProtect traffic, because when I check the traffic logs it does show some decrypted traffic. I have also been trying to hunt down some high CPU percentages on the dataplane and am having a hard time pinpointing the cause. TAC said it might be due to decryption of URL traffic, but I can't find anything to confirm it.

Cyber Elite

Re: SSL Decryption

@jdprovine,

The GlobalProtect traffic will show as decrypted because it terminates directly on the firewall. If you don't have anything configured in the Decryption rule base you shouldn't have any additional decryption happening however. 

L4 Transporter

Re: SSL Decryption

@BPry 

That is what I thought, but the dataplane CPU has been running high and spiking at 100%, so I sent in a support file with the ticket I opened, and then TAC said it was spiking due to decryption. But I was sure I didn't have decryption configured, and I don't. Then I noticed there was some decrypted traffic for the GlobalProtect client, which makes sense, but we have 30-40 users tops at any given time on GP and had been running that way for over a month before I saw the CPU spikes. We have had spikes in the past but not like we do now, and the overall dataplane CPU has increased from less than 10% to 50-60% since May 13th. I can't find the cause, so I opened a TAC ticket and they have gotten nowhere.


Cyber Elite

Re: SSL Decryption

@jdprovine,

Do you have a baseline to actually compare to if you start collecting traffic patterns or gathering NetFlow data? Not knowing what platform we're talking about, I can't say if that would be expected or not. I would be really shocked though if the GlobalProtect traffic was causing that much of an increase unless we're talking about a really old, smaller platform.

It's more likely that the traffic you are seeing lately is simply different (like a lot of SMB traffic that you wouldn't normally see, or something like that) which you could maybe look at simply by running traffic reports if your logs go back to a "normal" time period or not. This is where it'll get pretty tricky to troubleshoot if you don't know what your "normal" traffic load actually looked like. 
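The baseline comparison the reply above suggests, as an added example that is not part of the original thread: it sums bytes per application over a "normal" window and over the recent window, normalises by the number of days, and flags applications whose daily volume grew by a large factor or that did not exist in the baseline at all. The log lines are constructed with a simplified `date,app,src,dst,bytes` layout, not the real PAN-OS traffic-log CSV format; to use it on exported traffic logs, map the real column names onto those five.

```python
"""Per-application traffic baseline vs. recent window, to spot the kind of
shift (a surge in SMB, a new VPN app) that could explain a dataplane CPU
increase when nothing in the firewall config changed.

Added example; not from the original thread. SAMPLE_LOG is constructed
with a simplified column layout, not the real PAN-OS traffic-log format.
"""
import csv
from collections import defaultdict
from datetime import date
from io import StringIO

# Constructed sample: three "normal" days in early May, three days after
# the change, with SMB volume up ~25x and a new OpenVPN flow appearing.
SAMPLE_LOG = """\
date,app,src,dst,bytes
2020-05-01,web-browsing,10.0.0.5,93.184.216.34,120000
2020-05-01,ms-ds-smb,10.0.0.5,10.0.1.20,40000
2020-05-02,web-browsing,10.0.0.6,93.184.216.34,110000
2020-05-02,ms-ds-smb,10.0.0.6,10.0.1.20,45000
2020-05-03,web-browsing,10.0.0.7,93.184.216.34,130000
2020-05-03,ms-ds-smb,10.0.0.7,10.0.1.20,35000
2020-05-14,web-browsing,10.0.0.5,93.184.216.34,125000
2020-05-14,ms-ds-smb,10.0.0.5,10.0.1.20,900000
2020-05-15,web-browsing,10.0.0.6,93.184.216.34,115000
2020-05-15,ms-ds-smb,10.0.0.6,10.0.1.20,1100000
2020-05-15,openvpn,10.0.0.9,203.0.113.7,500000
2020-05-16,web-browsing,10.0.0.7,93.184.216.34,120000
2020-05-16,ms-ds-smb,10.0.0.7,10.0.1.20,950000
"""


def daily_app_bytes(log_text, start, end):
    """Sum bytes per app over the inclusive [start, end] window and divide
    by the window length in days, so windows of different length compare."""
    totals = defaultdict(int)
    days = (end - start).days + 1
    for row in csv.DictReader(StringIO(log_text)):
        d = date.fromisoformat(row["date"])
        if start <= d <= end:
            totals[row["app"]] += int(row["bytes"])
    return {app: b / days for app, b in totals.items()}


def find_shifts(log_text, baseline, recent, ratio=3.0):
    """Return {app: (baseline_bytes_per_day, recent_bytes_per_day)} for apps
    whose daily volume grew by at least `ratio`, or that were absent from
    the baseline window entirely (baseline reported as 0.0)."""
    base = daily_app_bytes(log_text, *baseline)
    now = daily_app_bytes(log_text, *recent)
    shifts = {}
    for app, cur in now.items():
        prev = base.get(app, 0.0)
        if prev == 0.0 or cur / prev >= ratio:
            shifts[app] = (prev, cur)
    return shifts


BASELINE = (date(2020, 5, 1), date(2020, 5, 3))
RECENT = (date(2020, 5, 14), date(2020, 5, 16))

if __name__ == "__main__":
    for app, (prev, cur) in sorted(find_shifts(SAMPLE_LOG, BASELINE, RECENT).items()):
        print(f"{app}: baseline {prev:,.0f} B/day -> recent {cur:,.0f} B/day")
```

Bytes are only one dimension; if the dataplane is the concern, repeat the same comparison on session counts and on packets, since a flood of small or fragmented packets loads the CPU without necessarily moving the byte totals much.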

L4 Transporter

Re: SSL Decryption

@BPry 

Yes, I keep a very close eye on my PA and usually the dataplane runs well below 10%, closer to 5% or below. It's a PA-3050 on PAN-OS 8.0.16, which I am in the works to upgrade to 9 once the apocalypse ends. I don't think it is the GlobalProtect traffic, and I think you're right that SMB traffic may be the culprit, but I am having a hard time finding the exact cause. Maybe it has to do with the way that the users are now accessing our file server; I am not sure. I have spent a lot of time looking at logs and at the ACC, and I have a TAC ticket open.

There are times when things look normal, like first thing this morning the DP was only 3%, it has now climbed to 33% and will soon be at 60% way higher than the norm and has been on this consistent trend upward since May 12 2020. If you know of anything else I should look at let me know

L4 Transporter

Re: SSL Decryption

@BPry 

TAC identified a lot of fragmented traffic that is getting piled up in the ctd_pkt_queue and driving the DP CPU up high. I think it might be a user using OpenVPN and going up to as high as 65Gb of traffic. Is there a way to verify that for sure, and if it's not that, is there a way to deal with fragmented traffic?
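One way to answer the "is there a way to verify that" question in the post above, as an added example that is not part of the original thread: take a packet capture on the inside interface, feed the IPv4 layer of each frame to the parser below, and it counts which source addresses are emitting fragments (More-Fragments flag set, or a non-zero fragment offset). If one VPN client's address dominates the count, that is the host to look at; if fragments come from many sources, the cause is elsewhere. The packets here are constructed inline with `struct`; the addresses are made up.

```python
"""Count IPv4 fragments per source address from raw packet bytes.

Added example; not from the original thread. SAMPLE_PACKETS are constructed
headers (checksums left zero); in practice pass in the IPv4 layer of frames
from a capture taken on the firewall's inside interface.
"""
import struct
from collections import Counter

IP_MF = 0x2000        # More Fragments flag
IP_DF = 0x4000        # Don't Fragment flag
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_ipv4(pkt):
    """Return (src, dst, proto, is_fragment, offset_bytes, more_fragments)
    for an IPv4 header, or None if the bytes are not a plausible IPv4 header
    (too short, wrong version, or IHL below the 5-word minimum)."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _total, _ident, frag_field, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None
    more = bool(frag_field & IP_MF)
    offset = (frag_field & OFFSET_MASK) * 8
    # A datagram is a fragment if more fragments follow it, or if it is not
    # the first piece (offset > 0). The last fragment has MF clear, so the
    # offset test is what catches it.
    is_frag = more or offset > 0
    return (".".join(map(str, src)), ".".join(map(str, dst)), proto, is_frag, offset, more)


def fragment_report(packets):
    """Return (fragments_per_source, total_ipv4_packets, total_fragments)."""
    per_src = Counter()
    total = frags = 0
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, _dst, _proto, is_frag, _off, _more = parsed
        total += 1
        if is_frag:
            frags += 1
            per_src[src] += 1
    return per_src, total, frags


def make_ipv4(src, dst, proto=17, ident=1, flags=0, offset_units=0, payload_len=0):
    """Build a minimal IPv4 header plus zero payload (checksum left 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    frag_field = flags | (offset_units & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      frag_field, 64, proto, 0, src_b, dst_b)
    return hdr + b"\x00" * payload_len


# Constructed sample: 10.0.0.9 sends three 1500-byte UDP datagrams that each
# get split into two fragments (1480-byte first piece, 20-byte tail at
# offset 1480 = 185 units), plus two ordinary DF-set TCP packets from other
# hosts and one IPv6 header that the parser must skip.
SAMPLE_PACKETS = []
for i in range(3):
    SAMPLE_PACKETS.append(make_ipv4("10.0.0.9", "203.0.113.7", ident=100 + i,
                                    flags=IP_MF, offset_units=0, payload_len=1480))
    SAMPLE_PACKETS.append(make_ipv4("10.0.0.9", "203.0.113.7", ident=100 + i,
                                    flags=0, offset_units=185, payload_len=20))
SAMPLE_PACKETS.append(make_ipv4("10.0.0.5", "93.184.216.34", proto=6, flags=IP_DF))
SAMPLE_PACKETS.append(make_ipv4("10.0.0.6", "10.0.1.20", proto=6, flags=IP_DF))
SAMPLE_PACKETS.append(b"\x60" + b"\x00" * 39)  # IPv6 header, skipped

if __name__ == "__main__":
    per_src, total, frags = fragment_report(SAMPLE_PACKETS)
    print(f"{frags} of {total} IPv4 packets were fragments")
    for src, n in per_src.most_common():
        print(f"  {src}: {n}")
```

If the count does point at one VPN client, the usual fix is on that client rather than the firewall: lower the tunnel MTU (or enable MSS clamping on the VPN) so the encapsulated packets fit the path MTU and are never fragmented in the first place.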
