Network Security
Policy Object: Decryption Profile
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Policy Object: Decryption Profile
Define traffic for your configuration to decrypt and the type of decryption you want
to perform
A decryption profile allows you to perform checks on both decrypted traffic and SSL
traffic that you choose to exclude from decryption. (If a server breaks SSL
decryption technically due to certificate pinning or other reasons, add the server to
the Decryption Exclusion list.) Depending on your needs, create Decryption profiles
to:
-
Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions.
-
Block sessions with unsupported versions and cipher suites, and that require using client authentication.
-
Block sessions if the resources to perform decryption are not available or if a hardware security module isn't available to sign certificates.
-
Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic in the SSL Protocol Settings.
Don’t weaken the main Decryption profile that you apply to most sites to accommodate
weaker sites. Instead, create one or more separate Decryption profiles for sites that
you need to support but that don’t support strong ciphers and algorithms. You can also
create different Decryption profiles for different URL categories to fine-tune security
vs. performance for traffic that contains no sensitive material; however, you should
always decrypt and inspect all the traffic you can.
After you create a decryption profile, attach it to a decryption policy rule; your
configuration then enforces the decryption profile settings on traffic that matches the
decryption security rule.
Your configuration includes a default decryption profile that you can use to enforce the
basic recommended protocol versions and cipher suites for decrypted traffic.
Avoid supporting weak protocols or algorithms because they contain known
vulnerabilities that attackers can exploit. If you must allow a weaker protocol or
algorithm to support a key partner or contractor who uses legacy systems with weak
protocols, create a separate Decryption profile for the exception and attach it to a
Decryption security rule that applies the profile only to the relevant traffic (for
example, the source IP address of the partner). Don’t allow the weak protocol for
all traffic.
Create a Decryption Profile
Create a Decryption Profile (Strata Cloud Manager)
Define traffic for your configuration to decrypt and the type of decryption you want
to perform
Follow these steps to create a decryption profile.
- Add a decryption profile.Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryption, Add Profile or modify an existing decryption profile, and give the profile a descriptive Name.
- (Optional) Block and control SSL tunneled and/or inbound
traffic:Although applying a Decryption profile to decrypted traffic is optional, it's a best practice to always apply a Decryption profile to the security rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.Select SSL/TLS Decryption:
- Select Handshake Settings to configure the settings that control minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce on decrypted SSL traffic. These settings are active when this profile is attached to decryption security rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
- Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption security rule configured to perform SSL Forward Proxy decryption.
- Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption security rule that performs SSL Inbound Inspection.
- (Optional) Block and control traffic (for example, a URL category) for
which you choose to Create a Security Policy-Based Decryption
Exclusion.Although applying a Decryption profile to traffic that you choose not to decrypt is optional, it's a best practice to always apply a Decryption profile to the security rules to protect your network against sessions with expired certificates or untrusted issuers.Select No Decryption to configure the Profile for No Decryption and check the Block sessions with expired certificates and Block sessions with untrusted issuers boxes to validate certificates for traffic that is excluded from decryption. Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, don’t create a Security policy-based exclusion, add the server to the SSL Decryption Exclusion list (ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryptionGlobal Decryption Exclusions).These settings are active only when the decryption profile is attached to a decryption security rule that disables decryption for certain traffic.
- Add the decryption profile when you Create a Decryption Policy
Rule.Your configuration applies the decryption profile to and enforces the profile’s settings on the traffic that matches the decryption policy rule.
- Save your configuration.
- Select Push Config to save your configuration and deploy it to your network.
Create a Decryption Profile (PAN-OS & Panorama)
Define traffic for your configuration to decrypt and the type of decryption you want
to perform
Follow these steps to create a decryption profile.
- Add a decryption profile.Select ObjectsDecryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
- (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
- (Decryption Mirroring Only) Enable an Ethernet Interface for the
firewall to use to copy and forward decrypted traffic.Separate from this task, follow the steps to Configure Decryption Port Mirroring. Be aware of local privacy regulations that may prohibit mirroring or control the type of traffic that you can mirror. Decryption port mirroring requires a decryption port mirror license.
- (Optional) Block and control SSL tunneled and/or inbound
traffic:Although applying a Decryption profile to decrypted traffic is optional, it's a best practice to always apply a Decryption profile to the security rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.Select SSL Decryption:
- Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption security rule configured to perform SSL Forward Proxy decryption.
- Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption security rule that performs SSL Inbound Inspection.
- Select SSL Protocol Settings to configure the settings that control minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce on decrypted SSL traffic. These settings are active when this profile is attached to decryption security rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
If the firewall is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the firewall. Decryption profiles created on Panorama in standard mode contain references to 3DES and RC4 encryption algorithms and MD5 authentication algorithm that are not supported and cause pushes to the managed firewall to fail. - (Optional) Block and control traffic (for example, a URL category) for
which you choose to Create a Policy-Based Decryption
Exclusion.Although applying a Decryption profile to traffic that you choose not to decrypt is optional, it's a best practice to always apply a Decryption profile to the security rules to protect your network against sessions with expired certificates or untrusted issuers.Select No Decryption to configure the Profile for No Decryption and check the Block sessions with expired certificates and Block sessions with untrusted issuers boxes to validate certificates for traffic that is excluded from decryption. Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, don’t create a policy-based exclusion, add the server to the SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion).These settings are active only when the decryption profile is attached to a decryption security rule that disables decryption for certain traffic.
- (Optional) Block and control decrypted SSH traffic.Select SSH Proxy to configure the SSH Proxy Decryption Profile and configure settings to enforce supported protocol versions and to block sessions if system resources are not available to perform decryption.These settings are active only when the decryption profile is attached to a decryption security rule that decrypts SSH traffic.
- Add the decryption profile when you Create a Decryption Policy
Rule.The firewall applies the decryption profile to and enforces the profile’s settings on the traffic that matches the decryption security rule.
- Commit the configuration.