Enabling Decryption with Prisma Access Cloud Management

Audit
Last Reviewed: 08-27-2023 08:25 PM
Audited By: JayGolf

Encrypted traffic is now the norm: users spend most of their time on encrypted websites and applications. The risks of not monitoring and inspecting encrypted traffic are well understood; however, enabling SSL decryption is not always straightforward.

Prisma Access Cloud Management helps make enabling and managing SSL Decryption easy.

Centralized Settings

All SSL Decryption related settings can be managed from a single page in Cloud Management. This includes managing the following:

SSL Decryption policies

Prisma Access supports decryption as a policy-based decision, so you can specify the traffic to decrypt by destination, source, service, or URL category. Admins must determine which traffic they can decrypt and which traffic cannot be decrypted because of privacy and legal concerns.

SSL Decryption profiles

Decryption profiles are associated with decryption policies. A profile defines controls for SSL protocol versions, certificate verification, and failure checks, helping to block traffic that uses weak algorithms or unsupported modes.

Decryption Settings (Certificates)

The firewall uses certificates and keys to decrypt traffic and then enforces App-ID and security settings on it. There are essentially two types of certificates that we recommend.

A forward trust certificate is used to sign the proxy session (firewall to client) when the server is a trusted source, as validated by its issuing certificate authority. The Forward Trust CA certificate should be installed in the trusted certificate store on user endpoints.

You can use the default certificates we provide, or choose to use your enterprise PKI (recommended), in which case you will have to import the CA certificates and designate them as Forward Trust certificates.

Note: You can also use GlobalProtect to distribute these certificates to your endpoints.

A forward untrust certificate is used to sign the proxy session (firewall to client) when the server is an untrusted source. This lets the client tell the two cases apart and preserves the browser's own controls for distinguishing a trusted site from an untrusted one.

If you are using your enterprise PKI, ensure that the forward untrust certificate is NOT signed by your enterprise CA certificate, as it needs to remain “untrusted”.
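To show why the two certificates must chain differently, here is an added Go example (not code from the article or from Prisma Access) that builds a constructed demo PKI: an enterprise root, a Forward Trust CA issued by that root, and a self-signed Forward Untrust CA. It then checks which of them an endpoint that trusts only the enterprise root would accept; all certificate names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA issues a CA certificate for cn: self-signed when parent is nil, else signed by parent/parentKey.
func newCA(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// chainsToEnterprise: would an endpoint whose trust store holds only the enterprise root accept cert?
func chainsToEnterprise(cert, enterpriseRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(enterpriseRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	root, rootKey, _ := newCA("Example Enterprise Root CA", nil, nil) // constructed demo PKI, placeholder names
	trust, _, _ := newCA("Forward Trust CA", root, rootKey)           // issued by the enterprise CA
	untrust, _, _ := newCA("Forward Untrust CA", nil, nil)            // deliberately NOT issued by it
	fmt.Println(chainsToEnterprise(trust, root), chainsToEnterprise(untrust, root)) // true false
}
```

The first result is what makes decryption transparent to users; the second is what keeps the browser warning intact when the real server's certificate could not be validated.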

Decryption Exclusions

Certain sites use certificate pinning or mutual authentication, either of which makes SSL decryption by a proxy impossible. To ensure the smooth functioning of well-known sites that employ these techniques, we maintain a global list of sites excluded from SSL Decryption.

You have full control over this list, which can be viewed and edited to comply with your policies.

Ready to Use

Prisma Access Cloud Management provides default decryption policies, along with default profiles and certificates, so you can turn on SSL decryption by simply enabling a couple of the available policies.

A default best-practice decryption policy is provided with a list of URL categories that will be decrypted in accordance with Palo Alto Networks best practices. This list is editable to meet your company's policies.

A default best-practice “no-decrypt” policy is provided with a list of URL categories that are typically not decrypted for privacy and legal reasons. This list is editable to meet your company's policies.

Encouraging Best Practices

The default policies and configuration provided with Prisma Access Cloud Management are in accordance with recommended best practices. You can use these policies as-is.

In addition, continuous inline best-practice assessment identifies any configuration that is not aligned with the recommended best practices and provides clear instructions to help remediate the highlighted issues.

Comments
L0 Member

How do we put it inline with traffic so it's being used?

L0 Member

Would be beneficial to show the configuration and use of PKI certs vs the autogenerated signed certs. The order of operation is not documented well.

Last Updated: 04-21-2021 08:36 AM