Exclude Unsuitable Traffic from Data Center Decryption
PAN-OS 10.2
Some applications can’t be decrypted for technical reasons
and some traffic can’t be decrypted for compliance or regulatory
reasons, but only make exceptions when you must.
Two types of traffic are unsuitable for decryption:
- Traffic that breaks decryption because of technical reasons such as using client certificate authentication, a pinned certificate, or an incomplete certificate chain.
- Traffic that you choose not to decrypt.
The firewall provides a predefined SSL Decryption Exclusion list
(Device > Certificate Management > SSL Decryption Exclusion)
for commonly used sites that break decryption because of technical
reasons. You can remove predefined sites from the list by clicking
the checkbox next to the site hostname and then clicking Disable,
and you can add sites to the list. Use the Decryption Exclusion list
only for sites that break decryption for technical reasons, don’t
use it for sites that you choose not to decrypt. If decryption breaks
an important application, add it to the Decryption Exclusion list to
create an exception for the specific IP address, domain, or common
name in the certificate associated with the application. Some internal
custom applications may break if you decrypt them.
If the Decryption profile allows Unsupported Modes (sessions
with client authentication, unsupported TLS versions, or unsupported cipher
suites), the firewall automatically adds servers and applications
that use the allowed unsupported modes to its Local Decryption Exclusion
Cache (Device > Certificate Management > SSL Decryption Exclusion > Show Local
Exclusion Cache). Every entry in that cache is a server whose sessions
now pass through the firewall undecrypted, so review it periodically
rather than letting it grow unnoticed. When you block unsupported
modes, you increase security but you also block communication with
applications that use those modes.
If the technical reason for excluding a site from decryption
is an incomplete certificate chain, use the information
in the Decryption log (Monitor > Logs > Decryption) to identify the
missing intermediate certificate and repair the chain on the server
so that you can allow, decrypt, and inspect the traffic instead of
excluding it.
You may choose not to decrypt traffic for reasons such as regulations
and legal compliance. For example, the European Union (EU) General
Data Protection Regulation (GDPR) requires strong protection
of the personal data of all individuals in the EU. The GDPR affects all companies,
including companies outside the EU, that collect or process the personal
data of EU residents. Different regulations and compliance rules
may mean that you treat the same data differently in different countries
or regions. Businesses usually can decrypt personal information
in their corporate data centers because the business owns the information.
The best practice is to decrypt as much traffic as possible so that
you can see it and apply security protection to it.
For traffic you choose not to decrypt, confirm that it really is
traffic you don't want to decrypt, and then create a policy-based exclusion
(a Decryption policy rule with the No Decrypt action) that specifies
the application, user group, source and destination, URL category,
and/or service so that each exclusion is as narrow as possible. The
more specific the decryption exclusion, the better: a No Decrypt rule
that matches on "any" for most of its fields silently exempts far more
traffic from inspection than the one application or group you meant to exclude.
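The following script is an added example, not Palo Alto Networks code: it audits the No Decrypt rules in an exported PAN-OS configuration and flags any rule that is narrowed by too few match fields, which is the over-broad exclusion the paragraph above warns against. The XML layout is modelled on a PAN-OS configuration export (rulebase > decryption > rules), the sample configuration is constructed for this example, and the element names and the specificity threshold are assumptions to check against your own `show config` output and policy.

```python
"""Audit PAN-OS No Decrypt rules for over-broad policy-based exclusions.

Added example; not Palo Alto Networks code. The XML layout is modelled on a
PAN-OS configuration export (rulebase > decryption > rules). The sample config
below is constructed for this example; element names are assumptions to verify
against a real export before relying on this script.
"""
import xml.etree.ElementTree as ET

# Match fields of a decryption rule; a field set to "any" does not narrow the rule.
MATCH_FIELDS = ("from", "to", "source", "destination", "source-user", "category", "service")

# Constructed sample: one tightly scoped exclusion, one broad one, one disabled
# one, and a decrypt rule that the audit must ignore.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><decryption><rules>
      <entry name="no-decrypt-finance-banking">
        <description>Finance team to banking sites, compliance exclusion</description>
        <from><member>dc-users</member></from>
        <to><member>dc-apps</member></to>
        <source><member>10.10.0.0/16</member></source>
        <destination><member>any</member></destination>
        <source-user><member>finance-team</member></source-user>
        <category><member>financial-services</member></category>
        <service><member>service-https</member></service>
        <action>no-decrypt</action>
        <type><ssl-forward-proxy/></type>
      </entry>
      <entry name="no-decrypt-health">
        <from><member>any</member></from>
        <to><member>any</member></to>
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <source-user><member>any</member></source-user>
        <category><member>health-and-medicine</member></category>
        <service><member>any</member></service>
        <action>no-decrypt</action>
        <type><ssl-forward-proxy/></type>
      </entry>
      <entry name="no-decrypt-legacy-app">
        <disabled>yes</disabled>
        <from><member>any</member></from>
        <to><member>any</member></to>
        <action>no-decrypt</action>
        <type><ssl-forward-proxy/></type>
      </entry>
      <entry name="decrypt-all-dc">
        <from><member>dc-users</member></from>
        <to><member>dc-apps</member></to>
        <action>decrypt</action>
        <type><ssl-forward-proxy/></type>
      </entry>
    </rules></decryption></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def members(entry, field):
    """Return the member values of a match field; a missing or empty field means 'any'."""
    node = entry.find(field)
    if node is None:
        return ["any"]
    values = [m.text.strip() for m in node.findall("member") if m.text]
    return values or ["any"]


def no_decrypt_rules(config_xml):
    """Extract every decryption rule whose action is no-decrypt, with its match fields."""
    root = ET.fromstring(config_xml)
    rules = []
    for rulebase in root.iter("rulebase"):
        for entry in rulebase.findall("decryption/rules/entry"):
            if entry.findtext("action") != "no-decrypt":
                continue
            rule = {"name": entry.get("name"),
                    "disabled": entry.findtext("disabled") == "yes"}
            for field in MATCH_FIELDS:
                rule[field] = members(entry, field)
            rules.append(rule)
    return rules


def constraints(rule):
    """Match fields that actually narrow the rule (anything other than 'any')."""
    return [f for f in MATCH_FIELDS if rule[f] != ["any"]]


def audit_exclusions(config_xml, min_constraints=3):
    """Flag enabled No Decrypt rules narrowed by fewer than min_constraints fields.

    Returns {rule_name: [fields that narrow it]} for each offending rule. The
    threshold is an assumed policy choice; raise it for stricter environments.
    """
    findings = {}
    for rule in no_decrypt_rules(config_xml):
        if rule["disabled"]:
            continue
        narrowed = constraints(rule)
        if len(narrowed) < min_constraints:
            findings[rule["name"]] = narrowed
    return findings


if __name__ == "__main__":
    for name, fields in audit_exclusions(SAMPLE_CONFIG).items():
        print(f"over-broad No Decrypt rule '{name}': narrowed only by {fields or 'nothing'}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the XML from `show config running` (or the XML API's config export). A rule that is narrowed only by a URL category, as `no-decrypt-health` is here, exempts every user, zone and address from decryption for that category; tightening the zones, user group and service turns it into the kind of specific exclusion the text calls for.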