on 04-21-2021 08:36 AM
Encrypted traffic is the norm, and users spend most of their time on encrypted websites and applications. The risks of not monitoring and inspecting encrypted traffic are well understood; however, enabling SSL decryption is not always straightforward.
Prisma Access Cloud Management helps make managing and enabling SSL Decryption easy.
All SSL Decryption related settings can be managed from a single page on Cloud Management. This includes managing the:
SSL Decryption policies
Prisma Access supports decryption as a policy-based decision, so you can specify the traffic to decrypt by destination, source, service, or URL category. Admins must determine which traffic they can decrypt and which traffic cannot be decrypted due to privacy and legal concerns.
SSL Decryption profiles
Decryption profiles are associated with decryption policies. A profile defines controls for SSL protocols, certificate verification, and failure checks, which help block traffic that uses weak algorithms or unsupported modes.
Decryption Settings (Certificates)
The firewall uses certificates and keys to decrypt traffic and enforce App-ID and security settings. There are two types of certificates we recommend configuring.
A forward trust certificate is used to sign the proxy session (firewall to client) when the server is a trusted source (as validated by its certificate issuing authority). The Forward Trust CA certificate should be stored in the trusted certificate store on user endpoints.
You can use the default certificates we provide OR use your enterprise PKI (recommended), in which case you will have to import the CA certificates and designate them as Forward Trust certificates.
Note: You can also use GlobalProtect to distribute these certificates to your endpoints.
A forward untrust certificate is used to sign the proxy session (firewall to client) when the server is an untrusted source. This lets the client differentiate between the two cases and leaves the browser’s own controls for distinguishing trusted from untrusted sites in place.
If using enterprise PKI, ensure that the forward untrust certificate is NOT signed by your Enterprise CA certificate, as it needs to remain “untrusted” on endpoints.
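The two paragraphs above describe which CA the proxy signs the client-facing session with, and why the forward untrust CA must not chain to your enterprise root. The following is an added example, not Prisma Access code, that models both points. It uses a deliberately simplified certificate record (subject and issuer names only, no real signatures, so it is a name-chain check rather than cryptographic path validation) and constructed CA names; a real deployment would verify signatures with a PKI library.

```python
"""Forward trust vs. forward untrust CA selection, plus a sanity check on the CAs.

Added example (not Prisma Access code). CertRecord is a simplified model:
chains are followed by issuer *name* only, with no signature verification.
All CA names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str  # equal to subject for a self-signed certificate


def chains_to(cert: CertRecord, roots: Set[str], store: Dict[str, CertRecord]) -> bool:
    """Follow issuer names through `store` until an accepted root is reached.

    Returns False when the chain ends at a self-signed cert that is not an
    accepted root, or at an issuer missing from the store. Loop-guarded so a
    malformed store cannot spin forever.
    """
    seen = set()
    current = cert
    while current.subject not in seen:
        seen.add(current.subject)
        if current.issuer in roots:
            return True
        if current.issuer == current.subject:  # self-signed but not an accepted root
            return False
        nxt = store.get(current.issuer)
        if nxt is None:
            return False
        current = nxt
    return False


def select_signing_ca(origin_validated: bool, trust_ca: CertRecord,
                      untrust_ca: CertRecord) -> CertRecord:
    """Pick the CA that re-signs the client-facing session.

    Forward trust when the origin server's certificate validated, forward
    untrust otherwise, so the browser still shows its usual warning for a
    bad origin instead of a green padlock.
    """
    return trust_ca if origin_validated else untrust_ca


def check_decryption_certs(trust_ca: CertRecord, untrust_ca: CertRecord,
                           enterprise_roots: Set[str],
                           store: Dict[str, CertRecord]) -> List[str]:
    """Return a list of findings; an empty list means the pair is sane."""
    findings = []
    if not chains_to(trust_ca, enterprise_roots, store):
        findings.append("forward trust CA does not chain to an enterprise root; "
                        "endpoints will not trust decrypted sessions")
    if chains_to(untrust_ca, enterprise_roots, store):
        findings.append("forward untrust CA chains to an enterprise root; "
                        "untrusted origins would appear trusted to browsers")
    return findings


# Constructed sample PKI: one enterprise root, a trust CA issued by it,
# a correctly self-signed untrust CA, and a misconfigured untrust CA.
ENTERPRISE_ROOT = CertRecord("CN=Corp Root CA", "CN=Corp Root CA")
TRUST_CA = CertRecord("CN=Corp Decryption Trust CA", "CN=Corp Root CA")
UNTRUST_CA_OK = CertRecord("CN=Decryption Untrust CA", "CN=Decryption Untrust CA")
UNTRUST_CA_BAD = CertRecord("CN=Decryption Untrust CA", "CN=Corp Root CA")
STORE = {c.subject: c for c in (ENTERPRISE_ROOT, TRUST_CA)}
ENTERPRISE_ROOTS = {ENTERPRISE_ROOT.subject}

if __name__ == "__main__":
    print(check_decryption_certs(TRUST_CA, UNTRUST_CA_OK, ENTERPRISE_ROOTS, STORE))
    print(check_decryption_certs(TRUST_CA, UNTRUST_CA_BAD, ENTERPRISE_ROOTS, STORE))
    print(select_signing_ca(False, TRUST_CA, UNTRUST_CA_OK).subject)
```

The misconfigured untrust CA (issued by the enterprise root) is reported as a finding, because any endpoint that trusts the root would then accept the proxy's session to a server whose certificate had failed validation.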
Certain sites make use of certificate pinning or mutual authentication, either of which makes SSL decryption by a proxy impossible. To ensure the well-known sites that employ these techniques keep working, we maintain a global exclusion list of sites that are excluded from SSL Decryption.
You have full control over this list which can be viewed and edited to comply with your policies.
Prisma Access Cloud Management provides default decryption policies, along with default profiles and certificates, so that SSL decryption can be turned on by simply enabling a couple of the available policies.
A default best-practice decryption policy is provided with a list of URL categories that will be decrypted in accordance with Palo Alto Networks best practices. This list is editable to meet your company policies.
A default best-practice “no-decrypt” policy is provided with a list of URL categories that are typically not decrypted for privacy and legal reasons. This list is editable to meet your company policies.
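The policy model described above (decryption as an ordered, policy-based decision by source, destination, service, or URL category; a global exclusion list for pinned and mutual-TLS sites; a best-practice decrypt rule and a best-practice no-decrypt rule) can be reasoned about with a small rule evaluator. The following is an added example and not Prisma Access code: the category names, CIDRs, hostnames and the exclusion patterns are constructed sample data, and the evaluation order (exclusions first, then the first matching rule, then a default of not decrypting) is this example's own model of the behaviour the post describes.

```python
"""Decryption as an ordered policy decision.

Added example, not Prisma Access code. Categories, networks, hostnames and
exclusion patterns are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str           # server name from the TLS ClientHello
    url_category: str  # category assigned to the destination


def _in_nets(ip: str, nets: List[str]) -> bool:
    """Empty list means "any"; otherwise the address must fall in one CIDR."""
    if not nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


@dataclass
class Rule:
    name: str
    action: str                                      # "decrypt" or "no-decrypt"
    src_nets: List[str] = field(default_factory=list)   # CIDRs, empty = any
    dst_nets: List[str] = field(default_factory=list)
    services: List[int] = field(default_factory=list)   # TCP ports, empty = any
    categories: List[str] = field(default_factory=list) # URL categories, empty = any

    def matches(self, flow: Flow) -> bool:
        return (_in_nets(flow.src_ip, self.src_nets)
                and _in_nets(flow.dst_ip, self.dst_nets)
                and (not self.services or flow.dst_port in self.services)
                and (not self.categories or flow.url_category in self.categories))


# Constructed stand-in for the global exclusion list (pinning / mutual TLS).
EXCLUSION_LIST = ["*.example-pinned.test", "mtls.example-bank.test"]

# Constructed stand-in for the default best-practice rulebase. Order matters:
# the privacy/legal no-decrypt rule is evaluated before the decrypt rule.
RULEBASE = [
    Rule("best-practice-no-decrypt", "no-decrypt",
         categories=["financial-services", "health-and-medicine", "government"]),
    Rule("best-practice-decrypt", "decrypt",
         services=[443],
         categories=["unknown", "web-based-email",
                     "online-storage-and-backup", "content-delivery-networks"]),
]


def excluded(sni: str) -> bool:
    """Wildcard match of the server name against the exclusion list."""
    return any(fnmatch(sni, pattern) for pattern in EXCLUSION_LIST)


def decide(flow: Flow, rulebase: List[Rule] = RULEBASE) -> Tuple[str, str]:
    """Return (action, reason).

    Exclusions win outright; then the first matching rule applies; traffic
    that matches nothing is left encrypted ("default").
    """
    if excluded(flow.sni):
        return ("no-decrypt", "exclusion-list")
    for rule in rulebase:
        if rule.matches(flow):
            return (rule.action, rule.name)
    return ("no-decrypt", "default")


if __name__ == "__main__":
    for f in (
        Flow("10.1.2.3", "203.0.113.10", 443, "mail.example.test", "web-based-email"),
        Flow("10.1.2.3", "203.0.113.20", 443, "bank.example.test", "financial-services"),
        Flow("10.1.2.3", "203.0.113.30", 443, "api.example-pinned.test", "unknown"),
    ):
        print(f.sni, decide(f))
```

A site-specific exception is just another rule placed ahead of the defaults, for example a no-decrypt rule whose only match criterion is a guest-network source CIDR; because evaluation stops at the first match, it takes precedence over the best-practice decrypt rule for that source.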
The default policies and configuration provided with Prisma Access Cloud Management are in accordance with recommended best practices. You can use these policies as-is.
In addition, continuous, inline best-practice assessment identifies any configuration that is not aligned with the recommended best practices and gives clear instructions to help remediate the highlighted issues.