SSL Forward Decryption - Understanding Override

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Forward Decryption - Understanding Override

L4 Transporter

I'm looking at the pros and cons of enabling forward decryption.  I noticed there's an "Are you happy to continue" over-ride option but it's global i.e. it's simply on or off.

I assume this won't play nice with any non-browser based https downloads?

Also I couldn't work out if you say "yes" what constitutes a session, for example I went to and got prompted, to which I said to continue, but I thought if I went to in a different browser, or to in either browser that I would be prompted again as it's a different site/cert etc.

Also can I clarify exactly what forward decryption does - I presume it allows inspection for viruses, malware and threats as well as the ACC showing less "SSL" and more applications as the PAN is able to work out that it's gmail, facebook and so on?



L3 Networker

SSL (https) is not only used to keep traffic secure from sniffing / routing errors on the internet but also a way for malware (spyware, virus and stuff) to avoid being detected by an antivirus engine (until it reaches the victim) since the traffic is encrypted when it passes the firewall.

When you enable forward decryption the PAN unit will act as a man in the middle attack by decrypting the ssl-session, investigate the traffic (be able to find out which app is used, scan for vulns, scan for virus, scan for spyware etc) and then encrypt it again and send it to the client (if the policy says to allow the traffic). In order to do this in silence the client must have the ca.crt which the PAN unit will use to encrypt the ssl between itself and the client (otherwise the client will get an error that the cert is issued by a ca which is not trusted).

If you want to protect your net you can enable forward decryption for all outbound traffic (NOTE: do NOT enable it for the PAN unit itself otherwise the managementplane will become instable 😃 which means that ssl stuff that cannot deal with a custom ca.crt will simply be blocked (that is block traffic that you cannot inspect but this depends on the usage of the PAN unit and company policy surrounding the nets involved).

The downside is that this MITM attack doesnt work if the client already have stored the cert which the server will use (since the certs will no longer match). This is the case for windowsupdate for example which means that you need to setup a "app: ms-update" + destination of windowsupdate servers as "no decrypt" rule before your "forward decrypt" rule in SSL Decryption settings.



from trust to untrust

source: any

destination: * (etc)

app: ms-update

action: nodecrypt


from trust to untrust

source: any

destination: any

app: any

action: forward decrypt

In the above case you must decide if you want to allow traffic from windowsupdate servers to be unscanned (but allowed for the client) or block this traffic all together (by simply just delete/disable "rule1" above).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!