What is the best for social-networking category, decrypt or no decrypt


L2 Linker

Dear all,

 

In my company, unfortunately, the facebook.com website is allowed.

 

We note that when we do "SSL Decryption" for the social-networking category, there is huge CPU utilization (up to 85%).

 

What is better for this case as a design: decrypt Facebook or no decrypt?

 

If we do "no-decrypt", can Palo Alto apply a deny policy for some applications on Facebook such as "Facebook-chat", ...?

 

Thanks

4 REPLIES 4

Cyber Elite

@AhmedEmam,

SSL Decryption can take a hit on smaller boxes that don't have much processing to spare; and depending on the amount of traffic you pass to Facebook you would expect to see a spike when you first start decrypting traffic. 

The firewall won't be able to reliably look into the traffic and properly identify facebook-chat instead of normal 'facebook'. This makes for a broken experience as users will be constantly switching back and forth between a working facebook-chat and a non-working facebook-chat as the firewall is able to identify the app-id as traffic passes. 

I would personally recommend that you keep decrypting the traffic, 85% utilization is perfectly fine for the firewall. 

Thank you for your reply

 

I would think that 85% is very high because it exceeds the max. of 80%.

 

But when I try to implement decryption, I note that Palo Alto can take down "Facebook-chat", for example, and permit Facebook.

 

What is the problem (or bad design) if we cancel decryption?

 

Again thank you for your reply  

 

 

@AhmedEmam,

85% would be high if it's sustained, and it certainly poses a question on whether a spike in traffic would push the CPU even higher. If it's a momentary spike to 85% and it curbs off right away, I wouldn't be worried about it; if you are at a sustained 85% and spiking higher then that's an actual issue. 

By not decrypting the traffic, you lose insight into what the traffic actually is or is doing. At that point there is no knowing whether the traffic is simply normal social media traffic or if a malicious attachment someone got through email is using Facebook to host a malicious file masquerading as an image. Most companies also have different policies in place on different parts of Facebook; for example they might let you go to Facebook, but not chat or access any Facebook games. 

 

Whether or not you should decrypt this traffic depends on multiple things that matter in varying degrees depending on the company. 

Thank you for your reply
