Work With Decryption (APIs)
Automate the workflow to create decryption rules, add them to Security decryption policy rules, and push them to devices.
Use the REST API to automate the workflow when you set up decryption policy rules for your firewalls. This example shows how to create a decryption profile and a decryption forwarding profile and then to include both in a decryption policy rule. With decryption policy rules, you can decrypt traffic and send decryption logs to support private analysis where third-party security appliances can add additional enforcement for traffic that the firewall should allow. You must have a Network Packet Broker license for this example. Review How Network Packet Broker Works for more information about decryption forwarding and creating a security chain.
This example describes setting up a Layer 3 security chain to forward decrypted SSL traffic (see Layer 3 Security Chain Guidelines).
  1. Configure two Layer 3 interfaces over which to forward decrypted traffic.
    The following POST request configures the Ethernet interface ethernet1/6 with decryption forwarding for use as a dedicated interface for decrypted traffic. Repeat the request for ethernet1/5, the second interface that the virtual router in the next step uses.
    curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/EthernetInterfaces?name=ethernet1/6' -H 'X-PAN-KEY: *******' -d '{ "entry": { "@name": "ethernet1/6", "layer3": { "decrypt-forward": "yes", "lldp": { "enable": "no" }, "ndp-proxy": { "enabled": "no" } } } }'
    The resulting success message:
    { "@code": "20", "@status": "success", "msg": "command succeeded" }
  2. Create a virtual router to enable decryption port forwarding.
    The following POST request uses two Ethernet interfaces dedicated to decryption: ethernet1/5 and ethernet1/6. The virtual router must be dedicated to the decryption forwarding interfaces to ensure that the clear text sessions that the firewall forwards for additional analysis are completely separated from dataplane traffic.
    curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/VirtualRouters?name=decrypttest' -H 'X-PAN-KEY: *******' -d '{ "entry": { "@name": "decrypttest", "ecmp": { "algorithm": { "ip-modulo": {} } }, "interface": { "member": [ "ethernet1/5", "ethernet1/6" ] }, "protocol": { "bgp": { "enable": "no", "routing-options": { "graceful-restart": { "enable": "yes" } } }, "ospf": { "enable": "no" }, "ospfv3": { "enable": "no" }, "rip": { "enable": "no" } } } }'
    The resulting success message:
    { "@code": "20", "@status": "success", "msg": "command succeeded" }
  3. Create a Decryption Profile.
    The following POST request creates a decryption profile that defines the traffic and settings for blocking and allowing traffic in a decryption policy rule. For information on each of the options available for configuration, review how to Define Traffic to Decrypt.
    curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecryptionProfiles?name=decryptProfileTest&location=vsys&vsys=vsys1&input-format=json' -H 'X-PAN-KEY: ******' -d '{ "entry": { "@name": "decryptProfileTest", "ssh-proxy": { "block-if-no-resource": "no", "block-ssh-errors": "no", "block-unsupported-alg": "no", "block-unsupported-version": "no" }, "ssl-forward-proxy": { "auto-include-altname": "no", "block-client-cert": "no", "block-expired-certificate": "no", "block-if-no-resource": "no", "block-timeout-cert": "no", "block-tls13-downgrade-no-resource": "no", "block-unknown-cert": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no", "block-untrusted-issuer": "no", "restrict-cert-exts": "no", "strip-alpn": "no" }, "ssl-inbound-proxy": { "block-if-no-resource": "no", "block-tls13-downgrade-no-resource": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no" }, "ssl-no-proxy": { "block-expired-certificate": "no", "block-untrusted-issuer": "no" }, "ssl-protocol-settings": { "auth-algo-md5": "no", "auth-algo-sha1": "yes", "auth-algo-sha256": "yes", "auth-algo-sha384": "yes", "enc-algo-3des": "yes", "enc-algo-aes-128-cbc": "yes", "enc-algo-aes-128-gcm": "yes", "enc-algo-aes-256-cbc": "yes", "enc-algo-aes-256-gcm": "yes", "enc-algo-chacha20-poly1305": "yes", "enc-algo-rc4": "yes", "keyxchg-algo-dhe": "yes", "keyxchg-algo-ecdhe": "yes", "keyxchg-algo-rsa": "yes", "max-version": "tls1-2", "min-version": "tls1-0" } } }'
    The resulting success message:
    { "@code": "20", "@status": "success", "msg": "command succeeded" }
  4. Create a Decryption Forwarding Profile.
    The following POST request creates a bidirectional security chain with devices at 1.1.1.1 and 1.1.1.2 using the Ethernet interfaces you created earlier in this task.
    curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecryptionForwardingProfiles?name=decryptionForwardTest&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: *******' -d '{ "entry": { "@location": "vsys", "@name": "decryptionForwardTest", "@vsys": "vsys1", "flow": "bidirectional", "health-check": { "http-enable": "no", "http-latency-enable": "no", "path-enable": "no" }, "interface-primary": "ethernet1/5", "interface-secondary": "ethernet1/6", "routed": { "security-chain": { "entry": [ { "@name": "testchain", "enable": "yes", "first-device": "1.1.1.1", "last-device": "1.1.1.2" } ] } } } }'
    The resulting success message:
    { "@code": "20", "@status": "success", "msg": "command succeeded" }
  5. Create a decryption policy using the decryption profile and decryption forwarding profile you created before.
    The following POST request defines the source and destination zones of the traffic to decrypt and enables decryption based on the decryptProfileTest and decryptionForwardTest profiles created in the previous steps.
    curl -X POST 'https://10.55.152.39/restapi/v11.0/Policies/DecryptionRules?name=jltestrule&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: *****' -d '{ "entry": { "@location": "vsys", "@name": "jltestrule", "@uuid": "b4d66137-9678-4b9d-9105-e881899d1125", "@vsys": "vsys1", "action": "decrypt-and-forward", "category": { "member": [ "any" ] }, "destination": { "member": [ "any" ] }, "destination-hip": { "member": [ "any" ] }, "forwarding-profile": "decryptionForwardTest", "from": { "member": [ "l3-untrust" ] }, "negate-source": "no", "profile": "decryptProfileTest", "service": { "member": [ "any" ] }, "source": { "member": [ "Test" ] }, "source-hip": { "member": [ "any" ] }, "source-user": { "member": [ "any" ] }, "to": { "member": [ "l2-trust" ] }, "type": { "ssl-forward-proxy": {} } } }'
    The resulting success message:
    { "@code": "20", "@status": "success", "msg": "command succeeded" }
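The five steps above as one scripted workflow. This is an added example, not code from the Palo Alto Networks page or product: a stdlib-only Python client that builds each request in order, checks locally that the name query parameter equals entry/@name in the body (the REST API rejects a mismatch, which is easy to introduce when hand-editing curl lines), sends the API key only in the X-PAN-KEY header, and stops at the first reply whose @status is not success. Assumptions not taken from the page: the firewall host and object names are parameters; the key is read from the PANOS_API_KEY environment variable; request bodies carry only the fields shown on the page, with everything else left at firewall defaults; the decryption profile is stricter than the page's (TLS 1.2 minimum, RC4, 3DES and MD5 disabled), which is a choice made here; the rule source is "any" rather than the page's Test address object; and dry_run=True returns the prepared requests without sending anything.

```python
"""Added example (not Palo Alto Networks code): a stdlib-only client for the
five-step decryption-forwarding workflow. Assumed: the API key arrives via the
PANOS_API_KEY environment variable; host and object names are parameters."""
import json
import os
import ssl
import urllib.parse
import urllib.request

API_VERSION = "v11.0"  # matches the /restapi/v11.0/ paths on the page


class PanOsRestError(RuntimeError):
    """The firewall answered with something other than @status=success."""


def build_request(host, path, name, body, location="vsys", vsys="vsys1"):
    """Return (url, payload) for one create-object POST.

    The ``name`` query parameter must equal ``entry/@name`` in the body, so a
    mismatch is rejected here. Network/* endpoints take no location/vsys.
    """
    entry_name = body["entry"]["@name"]
    if entry_name != name:
        raise ValueError(f"query name {name!r} != entry @name {entry_name!r}")
    params = {"name": name}
    if location is not None:
        params.update({"location": location, "vsys": vsys})
    url = f"https://{host}/restapi/{API_VERSION}/{path}?{urllib.parse.urlencode(params)}"
    return url, json.dumps(body).encode()


def parse_response(raw):
    """Decode the firewall's JSON reply; raise unless @status is 'success'."""
    resp = json.loads(raw)
    if resp.get("@status") != "success":
        raise PanOsRestError(f"code {resp.get('@code')}: {resp.get('msg', raw)}")
    return resp


def post(url, payload, api_key, cafile=None):
    """Send one POST; the key travels only in the X-PAN-KEY header."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the firewall cert
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"X-PAN-KEY": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
        return parse_response(r.read().decode())


def workflow_requests(host, vsys="vsys1", primary="ethernet1/5",
                      secondary="ethernet1/6", router="decrypttest",
                      profile="decryptProfileTest",
                      fwd_profile="decryptionForwardTest", rule="jltestrule",
                      chain=("1.1.1.1", "1.1.1.2")):
    """Return the ordered (step, url, payload) list for the page's five steps."""
    steps = []
    for iface in (primary, secondary):  # step 1: both forwarding interfaces
        body = {"entry": {"@name": iface, "layer3": {
            "decrypt-forward": "yes", "lldp": {"enable": "no"},
            "ndp-proxy": {"enabled": "no"}}}}
        steps.append(("interface", *build_request(
            host, "Network/EthernetInterfaces", iface, body, location=None)))
    body = {"entry": {"@name": router,  # step 2: dedicated virtual router
                      "interface": {"member": [primary, secondary]}}}
    steps.append(("virtual-router", *build_request(
        host, "Network/VirtualRouters", router, body, location=None)))
    # step 3: stricter than the page's profile (a choice made here, not on the
    # page): TLS 1.2 minimum, no RC4/3DES, no MD5; other fields use defaults.
    body = {"entry": {"@name": profile, "ssl-protocol-settings": {
        "min-version": "tls1-2", "enc-algo-rc4": "no",
        "enc-algo-3des": "no", "auth-algo-md5": "no"}}}
    steps.append(("decryption-profile", *build_request(
        host, "Objects/DecryptionProfiles", profile, body, vsys=vsys)))
    body = {"entry": {"@name": fwd_profile, "flow": "bidirectional",  # step 4
        "interface-primary": primary, "interface-secondary": secondary,
        "routed": {"security-chain": {"entry": [{
            "@name": "testchain", "enable": "yes",
            "first-device": chain[0], "last-device": chain[1]}]}}}}
    steps.append(("forwarding-profile", *build_request(
        host, "Objects/DecryptionForwardingProfiles", fwd_profile, body, vsys=vsys)))
    body = {"entry": {"@name": rule, "action": "decrypt-and-forward",  # step 5
        "profile": profile, "forwarding-profile": fwd_profile,
        "from": {"member": ["l3-untrust"]}, "to": {"member": ["l2-trust"]},
        "source": {"member": ["any"]}, "destination": {"member": ["any"]},
        "service": {"member": ["any"]}, "category": {"member": ["any"]},
        "type": {"ssl-forward-proxy": {}}}}
    steps.append(("decryption-rule", *build_request(
        host, "Policies/DecryptionRules", rule, body, vsys=vsys)))
    return steps


def run_workflow(host, dry_run=True, cafile=None, **names):
    """Send the steps in order, stopping at the first failure. With
    dry_run=True nothing is sent; the prepared requests are returned for review."""
    steps = workflow_requests(host, **names)
    if dry_run:
        return steps
    api_key = os.environ["PANOS_API_KEY"]  # assumption: key supplied via env
    return [(step, post(url, payload, api_key, cafile))
            for step, url, payload in steps]
```

Review the dry-run output before calling run_workflow(host, dry_run=False); the objects are created in the candidate configuration and still need a commit, which this script does not perform. Because post() raises on the first non-success reply, a failed step leaves no later, dangling objects that reference it.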