10-07-2020 10:31 PM - edited 10-07-2020 10:37 PM
Hi
All of the items in the Objects tab do not have any effect on traffic if they are not attached to Policies. This includes Decryption Profile/s.
1. So - the File Blocking (FB) Profile must be attached to a security rule.
2. I highly recommend splitting your issue into two parts, get FB working then tackle Decryption. For FB I would recommend you try to download this test file from Palo Alto as it uses the HTTP protocol hence no need for decryption, yet.
http://wildfire.paloaltonetworks.com/publicapi/test/pe
(This is an anti-virus test file, it will probably get blocked by AV software but it does not matter as all we want is for it to download or get blocked by the firewall)
If you see it blocked and logged under Monitor-> Data Filtering - it means FB is working for non-encrypted traffic. Continue to enable Decryption:
3. For Decryption you really should read the above-mentioned articles and notes by @BPry as enabling it requires:
3a. Generating Decryption Certificates on the firewall, self-signed for testing or Corporate CA signed (much preferred)
3b. Having them in all computers' trusted root certificate store
3c. Creating a Decryption Policy under Policies->Decryption: for testing start with:
Source Zone Internal (or whatever you named it)
Dest Zone External (or whatever you named it)
Service: service_http + service_https
Action: Decrypt
Type: SSL Forward Proxy
Decryption Profile: is optional
3d. In some older PANOS versions you must also allow in Security rules Application=web-browsing & service=service_https (this is not the default, hence needs adding).
* This might look like 4 easy steps but trust me - it isn't.
Lastly, log into the learning center at:
http://education.paloaltonetworks.com/learningcenter
Search for EDU-110, register for it for free and start watching this online training about the NGFW, but note that the training center is being moved, so you might be redirected to the new training site in a few days.
Shai
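Two client-side checks for the halves of the procedure described in the reply above, as an added example that is not part of the original post or of any Palo Alto tooling: classifying the plain-HTTP test-file result (step 2) and confirming from a client that HTTPS sessions are really being re-signed by the firewall's forward-trust CA (steps 3b/3c). The CA common name `fw-forward-trust` and the sample certificate dict are constructed assumptions.

```python
"""Client-side verification of File Blocking and SSL Forward Proxy (added example)."""
import socket
import ssl

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns (trimmed).
# A decrypted session presents a cert re-signed by the firewall CA, not the public CA.
SAMPLE_PROXIED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "fw-forward-trust"),),),  # assumed CA name
}


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_decrypted(cert, firewall_ca_cn):
    """True when the presented cert was issued by the firewall's forward-trust CA."""
    return issuer_cn(cert) == firewall_ca_cn


def fetch_issuer(host, port=443, timeout=5):
    """Connect using the system trust store and return the issuer CN this client sees.

    If the firewall CA is missing from the client's root store (step 3b), this raises
    ssl.SSLCertVerificationError, which is exactly the browser warning users would get.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_cn(tls.getpeercert())


def classify_test_download(status, body):
    """Classify the result of the step-2 plain-HTTP test download.

    The test file is a PE, so a genuine download starts with the 'MZ' DOS header;
    a block page, reset, or empty body means the firewall (or AV) stopped it.
    """
    if status == 200 and body[:2] == b"MZ":
        return "downloaded"
    return "blocked"
```

Run `fetch_issuer("www.example.com")` from a machine behind the firewall; the returned CN should equal your forward-trust CA name once the decryption policy is active.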