Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post



All of the items in the Objects tab do not have any affect on traffic if they are not attached to Policies. This includes Decryption Profile/s.

1. So - the File Blocking (FB) Profile must be attached to a security rule.

2. I highly recommend splitting your issue into two parts, get FB working then tackle Decryption. For FB I would recommend you try to download this test file from Palo Alto as it uses the HTTP protocol hence no need for decryption, yet.

(This is an anti-virus test file, it will probably get blocked by AV software but it does not matter as all we want is for it to download or get blocked by the filewall)

If you see it blocked and logged under Monitor-> Data Filtering - it means FB is working for non-encrypted traffic. Continue to enable Decryption:


3. For Decryption you really should read the above mentioned articles and notes by @BPry as enabling it requires:

3a. Generating Decryption Certificates on the firewall, self-signed for testing or Corporate CA signed (much preferred)

3b. Having them in all computers, trusted root certificate store

3c. Creating a Decryption Policy under Policies->Decryption: for testing start with:

Source Zone Internal (or whatever you named it)

Dest Zone External (or whatever you named it)

Service: service_http + service_https

Action: Decrypt

Type: SSL Forward Proxy

Decryption Profile: is optional

3d. In some older PANOS versions you must also allow in Security rules Application=web-browsing & service=service_https (this is not the default, hence needs adding).

* This might look like easy 4 steps but trust me - it isn't.


Lastly, log into the learning center at:

Search for EDU-110, register for it for free and start watching this online training about the NGFW, but note that the training center is being moved you might be redirected to the new training site in a few days.




View solution in original post

Who rated this post