Encrypted traffic is the norm: users spend most of their time on encrypted websites and applications. The risks of not monitoring and inspecting encrypted traffic are well understood; however, enabling SSL decryption is not always straightforward.
Prisma Access Cloud Management helps make managing and enabling SSL Decryption easy.
All SSL Decryption-related settings can be managed from a single page in Cloud Management. This includes managing the:
SSL Decryption policies
Prisma Access supports decryption as a policy-based decision, so you can specify the traffic to decrypt by destination, source, service, or URL category. Administrators must determine which traffic they can decrypt and which traffic cannot be decrypted because of privacy and legal concerns.
SSL Decryption profiles
Decryption profiles are associated with decryption policies. A profile defines controls for SSL protocol versions, certificate verification, and failure checks, which helps block traffic that uses weak algorithms or unsupported modes.
Decryption Settings (Certificates)
The firewall uses certificates and keys to decrypt traffic and enforce App-ID and security settings. There are essentially two types of certificates that we recommend.
A forward trust certificate is used to sign the proxy session (firewall to client) when the server is a trusted source (as validated by its issuing certificate authority). The Forward Trust CA certificate should be installed in the trusted certificate store on user endpoints.
You can use the default certificates we provide, or use your enterprise PKI (recommended), in which case you must import the CA certificates and designate them as Forward Trust certificates.
Note: You can also use GlobalProtect to distribute these certificates to your endpoints.
A forward untrust certificate is used to sign the proxy session (firewall to client) when the server is an untrusted source. This keeps the two cases distinguishable and lets the browser's own controls flag the untrusted site to the user.
If you use enterprise PKI, ensure that the forward untrust certificate is NOT signed by your enterprise CA certificate, since it needs to remain "untrusted" on endpoints.
Certain sites use pinned certificates or mutual authentication, either of which makes SSL decryption by a proxy impossible. To keep well-known sites that use these techniques working, we maintain a global exclusion list of sites that are excluded from SSL Decryption.
You have full control over this list; it can be viewed and edited to comply with your policies.
Ready to Use
Prisma Access Cloud Management provides default decryption policies, profiles, and certificates, so SSL decryption can be turned on by simply enabling a couple of the available policies.
A default best-practice decryption policy is provided with a list of URL categories that will be decrypted in accordance with Palo Alto Networks best practices. This list is editable to meet your company policies.
A default best-practice “no-decrypt” policy is provided with a list of URL categories that are typically not decrypted for privacy and legal reasons. This list is editable to meet your company policies.
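The policy-based decision described above (a no-decrypt rule for sensitive categories above a catch-all decrypt rule, the global exclusion list for pinned-certificate and mutual-TLS hosts, and a decryption profile whose failure checks can still block a matched session) can be modelled in a few dozen lines. The following is an added example written for this page, not Prisma Access or PAN-OS code; every rule, URL category, hostname and profile limit in it is constructed sample data, and the evaluation order (exclusion list first, then rules top-down with first match winning) is the assumption the model makes.

```python
"""Added example (not Prisma Access or PAN-OS code): a simplified model of a
policy-based decryption decision. The exclusion list is consulted first,
then rules are evaluated top-down with first match winning, and a matching
decrypt rule's profile can still block the session. All rules, categories,
hosts and profile limits below are constructed sample data."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DecryptionProfile:
    """Controls attached to a decrypt rule: protocol floor and weak algorithms."""
    name: str
    min_tls_version: Tuple[int, int] = (1, 2)
    weak_cipher_tokens: frozenset = frozenset({"RC4", "DES", "NULL", "EXPORT"})
    block_expired_cert: bool = True


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    action: str                                    # "decrypt" or "no-decrypt"
    enabled: bool = True
    source_zones: frozenset = frozenset({"any"})
    url_categories: frozenset = frozenset({"any"})
    services: frozenset = frozenset({"any"})
    profile: Optional[DecryptionProfile] = None


@dataclass(frozen=True)
class Session:
    """What the proxy knows about a TLS session when the decision is made."""
    host: str
    url_category: str
    source_zone: str
    service: str
    tls_version: Tuple[int, int]
    cipher: str                                    # OpenSSL-style cipher name
    cert_expired: bool = False


def _matches(allowed: frozenset, value: str) -> bool:
    return "any" in allowed or value in allowed


def rule_matches(rule: DecryptionRule, s: Session) -> bool:
    """Match on source zone, URL category and service; disabled rules never match."""
    return (rule.enabled
            and _matches(rule.source_zones, s.source_zone)
            and _matches(rule.url_categories, s.url_category)
            and _matches(rule.services, s.service))


def in_exclusion_list(host: str, exclusions: List[str]) -> bool:
    """Hosts using pinned certificates or mutual TLS cannot be proxied, so skip them."""
    return any(fnmatch(host.lower(), pattern.lower()) for pattern in exclusions)


def profile_violation(profile: DecryptionProfile, s: Session) -> Optional[str]:
    """Return the failure check the session trips, or None if it passes the profile."""
    if s.tls_version < profile.min_tls_version:
        return "tls-version"
    if set(s.cipher.upper().split("-")) & profile.weak_cipher_tokens:
        return "weak-cipher"
    if s.cert_expired and profile.block_expired_cert:
        return "expired-cert"
    return None


def evaluate(rules: List[DecryptionRule], exclusions: List[str], s: Session) -> Tuple[str, str]:
    """Return (action, reason): action is "decrypt", "no-decrypt" or "block"."""
    if in_exclusion_list(s.host, exclusions):
        return ("no-decrypt", "global-exclusion")
    for rule in rules:                              # top-down, first match wins
        if not rule_matches(rule, s):
            continue
        if rule.action == "no-decrypt":
            return ("no-decrypt", "rule:" + rule.name)
        profile = rule.profile or DecryptionProfile("default")
        violation = profile_violation(profile, s)
        if violation:
            return ("block", "profile:%s:%s" % (profile.name, violation))
        return ("decrypt", "rule:" + rule.name)
    return ("no-decrypt", "no-match")               # nothing matched: traffic stays encrypted


# Constructed sample rulebase: the no-decrypt rule sits above the catch-all decrypt rule.
BEST_PRACTICE = DecryptionProfile("best-practice", min_tls_version=(1, 2))
SAMPLE_RULES = [
    DecryptionRule("no-decrypt-sensitive", "no-decrypt",
                   url_categories=frozenset({"financial-services", "health-and-medicine"})),
    DecryptionRule("decrypt-best-practice", "decrypt", profile=BEST_PRACTICE),
]
SAMPLE_EXCLUSIONS = ["*.pinned-example.test", "mtls.partner-example.test"]  # constructed hosts
```

Two details are worth noticing when reading the result of `evaluate`. With every rule disabled (the state of the default policies before you enable them) every session falls through to `no-match` and stays encrypted, which is why nothing is decrypted until the policies are switched on. And a session that matches the decrypt rule is not automatically decrypted: the profile's checks run after the match, so an outdated protocol version, a weak cipher or an expired certificate produces a `block` rather than a decrypted session.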
Encouraging Best Practices
The default policies and configuration provided with Prisma Access Cloud Management are in accordance with recommended best practices. You can use these policies as-is.
In addition, continuous, inline best practice assessment identifies any configuration that is not aligned with the recommended best practices and gives clear instructions for mitigating the highlighted issues.
Configuration changes are always necessary in a network, whether to add new applications, allow access to users, or create exceptions in security profiles. Prisma Access Cloud Management gives administrators a way to make sure that the configuration is always aligned with Palo Alto Networks recommended best practices.
Best practice assessments are available for Security policies, all security profiles, and decryption policies and profiles, with more being added regularly. The best practice checks are updated every 3 minutes.
Security Policies and Rulebase Checks
Best practice checks on security policies are of two basic types: checks on individual policy rules and checks against the rulebase as a whole. A summary page is also available that counts policies against the various types of failures and maps those checks to CSC Controls.
Every security policy is evaluated against a multitude of checks for operational, security, and auditing purposes. These checks cover basics such as adding a description to each rule and making sure that no any/any/allow policies are written.
Each new tenant instantiated after March has new policies created automatically to address the rulebase checks. Customers can choose to disable or remove them, but our recommendation is to keep them for a better security posture.
Best practice checks are available across all security profiles. They cover the profile settings themselves, the use of failing profiles in policies, and, more generally, whether profiles are associated with policies. CSC controls are also available for security profiles.
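To make the per-rule checks and the summary counts described in the last few paragraphs concrete, here is an added example written for this page (not Prisma Access code and not its actual check logic). It runs a handful of checks of the kind named above, a missing description, an any/any/allow rule, an allow rule with no security profile attached, and disabled logging, over a small constructed security rulebase and counts failing rules per check. The check names and the sample rules are my own labels and data, not Palo Alto Networks' check identifiers or CSC Control mappings.

```python
"""Added example (not Prisma Access code): per-rule best practice checks of the
kind described above, run over a small constructed security rulebase, plus a
summary that counts rules per failure type. The check names are my own labels,
not Palo Alto Networks' check or CSC Control identifiers."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

ANY = frozenset({"any"})


@dataclass(frozen=True)
class SecurityRule:
    name: str
    source: frozenset
    destination: frozenset
    application: frozenset
    service: frozenset
    action: str                       # "allow" or "deny"
    description: str = ""
    log_at_session_end: bool = True
    profile_group: str = ""           # security profile group attached to the rule


def check_rule(rule: SecurityRule) -> List[str]:
    """Return the list of best practice checks this single rule fails."""
    findings = []
    if not rule.description.strip():                       # operational/audit: document every rule
        findings.append("missing-description")
    wide_open = (rule.source == ANY and rule.destination == ANY
                 and rule.application == ANY and rule.service == ANY)
    if rule.action == "allow" and wide_open:               # security: never write any/any/allow
        findings.append("any-any-allow")
    elif rule.action == "allow" and rule.application == ANY:
        findings.append("allow-without-app-id")            # allow rules should be scoped by App-ID
    if rule.action == "allow" and not rule.profile_group:  # profiles should be associated with allow rules
        findings.append("allow-without-security-profile")
    if not rule.log_at_session_end:                        # auditing: keep session-end logging on
        findings.append("logging-disabled")
    return findings


def check_rulebase(rules: List[SecurityRule]) -> Dict[str, object]:
    """Run check_rule over the whole rulebase and summarise counts per failure type."""
    per_rule = {r.name: check_rule(r) for r in rules}
    summary = Counter(f for findings in per_rule.values() for f in findings)
    return {
        "per_rule": per_rule,
        "summary": dict(summary),
        "failing_rules": sum(1 for findings in per_rule.values() if findings),
    }


# Constructed sample rulebase (not a real customer configuration).
SAMPLE_RULEBASE = [
    SecurityRule("allow-web", frozenset({"trust"}), frozenset({"untrust"}),
                 frozenset({"web-browsing", "ssl"}), frozenset({"application-default"}),
                 "allow", description="Outbound web from users", profile_group="best-practice"),
    SecurityRule("temp-allow-all", ANY, ANY, ANY, ANY, "allow"),
    SecurityRule("deny-all", ANY, ANY, ANY, ANY, "deny",
                 description="Cleanup rule", log_at_session_end=False),
]

if __name__ == "__main__":
    for name, findings in check_rulebase(SAMPLE_RULEBASE)["per_rule"].items():
        print(name, "->", findings or "passes")
```

The `summary` dictionary is the shape a summary page needs: one count per failure type, which is what a mapping to a control framework would key on. Note that `deny-all` fails only the logging check; a wide-open deny rule is the expected cleanup rule, so `any-any-allow` is deliberately scoped to the allow action.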
Decryption Policies and Profiles
From a best practices perspective, enabling decryption is a must. As noted above, all decryption settings are on a single page in Prisma Access Cloud Management. It already has two decryption policies, disabled by default: one for decrypting traffic and one to bypass decryption. Once you provide the forward trust and forward untrust certificates, enable the policies, and push the configuration to Prisma Access, decryption is enabled on your network. Best practice checks include ones for decryption policies that lack a decryption profile and for policies that are not in use.
Prisma Access Cloud Management provides checks that map into CSC controls across security policies, profiles and decryption checks. CSC controls are important from an audit and compliance standpoint. They map into other standards such as NIST-OLIR and ISO 27001.
Prisma Access Cloud Management has best-practice-aligned default configuration throughout the product. We recommend using that configuration in your network. If you need to customize the configuration, the customized configuration still undergoes best practice checks.
Answer: PAN-OS devices can update their own clocks (as clients passively consuming the time, not as servers giving out the time) using NTPv4. Beyond time syncing, PAN-OS also supports autokey and symmetric key (introduced in PAN-OS v6.1 as part of the Authenticated NTP feature).
In the case of Multicast, PAN-OS syncs the mfib (multicast FIB) entries and existing sessions to the peer.
However, protocol states are NOT synced and will need to be re-learnt after failover.