Apply Granular Settings to Traffic Matching a Decryption Policy Rule
Define protocol versions, algorithms, certificate verification, and other settings in a decryption profile for traffic meeting the criteria in associated decryption policy rules.
Where Can I Use This?
What Do I Need?
  • No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Configure a decryption profile to define SSL/TLS connection settings and apply various checks to traffic that you decrypt or exclude from decryption. Decryption profiles provide granular control over decrypted and nondecrypted sessions, enabling you to tailor decryption policy rules to meet specific requirements. In SSL/TLS decryption profiles, you can specify the cipher suites you support for SSL/TLS connections and enable checks, including for unsupported modes, failures, and certificate validity. In contrast, a no-decryption profile only verifies the validity of a server certificate or the trustworthiness of the certificate issuer for traffic that you intentionally don't decrypt. SSH Proxy profiles control only unsupported mode checks and failure checks. For descriptions of each setting, see Decryption Profiles: Summary of Decryption Profile Settings.
After you create a decryption profile, attach it to a decryption policy rule. Next-Generation Firewalls (NGFWs) enforce the profile settings on traffic matching all the criteria in the rule.

Best Practices and Considerations for Decryption Profiles

  • Apply a decryption profile to decryption policy rules to protect your network against sessions with expired certificates or untrusted issuers. You can’t protect yourself against threats you can’t see.
  • Use the strongest ciphers that you can. Weak protocols and weak algorithms contain known vulnerabilities that attackers can exploit. Set Min Version to TLSv1.3 and Max Version to Max to block weak protocols.
  • Create separate decryption profiles when necessary to maximize security, and reuse them where applicable.
    • For example, suppose a key partner or contractor uses legacy systems with weak protocols or algorithms. You can create a decryption profile that allows the weaker protocols or algorithms and attach it to a decryption policy rule that applies only to the relevant traffic (for example, the source IP address of the partner).
    • If you need to allow client authentication, create a decryption profile with client authentication settings, and apply it only to traffic that requires client authentication.
  • Create separate profiles with protocol settings that match the capabilities of the servers whose inbound or outbound traffic you are inspecting.
  • Many mobile applications use pinned certificates. Because TLSv1.3 encrypts certificate information, the NGFW can’t automatically add these mobile applications to the SSL Decryption Exclusion List. For these applications, set the protocol Max Version to TLSv1.3, or create or apply a no-decryption policy rule to the traffic.
  • For SSL Forward Proxy traffic and no-decrypt traffic (traffic that you choose not to decrypt), configure both certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) certificate revocation checks.
Best Practices By Profile Type

SSL Forward Proxy Profiles
  • Block sessions with expired certificates
  • Block sessions with untrusted issuers
  • Block sessions with unsupported protocol versions
  • Block sessions with unsupported cipher suites
  • Block sessions with client authentication unless an important application requires it

SSL Inbound Inspection Profiles
  • Block sessions with unsupported versions
  • Block unsupported cipher suites

No-decryption Profiles
Don’t apply a no-decryption profile to TLSv1.3 traffic. The certificate information is encrypted, so the NGFW can’t block sessions based on certificate information.
  • Block sessions with expired certificates
  • Block sessions with untrusted issuers

SSH Proxy Profiles
  • Block sessions with unsupported versions
  • Block sessions with unsupported algorithms
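As an added example, not taken from the documentation or from any Palo Alto Networks code, the following Python models how the per-profile-type checks listed above behave: an SSL Forward Proxy profile enforces version, cipher suite and client-authentication checks plus certificate checks, while a no-decryption profile can only apply the certificate checks, and only when the handshake leaves the certificate visible (not TLSv1.3). The profile field names, the "forward-proxy"/"no-decryption" labels and the cipher labels are constructed for illustration and are not product identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List

# Version order matches the profile's Protocol Min/Max Version choices.
VERSIONS = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
STRONG_CIPHERS = frozenset({"AES256-GCM", "AES128-GCM", "CHACHA20-POLY1305"})  # constructed labels

@dataclass(frozen=True)
class DecryptionProfile:
    kind: str                          # "forward-proxy" or "no-decryption" (hypothetical labels)
    min_version: str = "TLSv1.3"       # best-practice default from the page
    max_version: str = "Max"           # "Max" = no upper bound
    allowed_ciphers: FrozenSet[str] = STRONG_CIPHERS
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True
    block_client_auth: bool = True

@dataclass(frozen=True)
class Session:                         # constructed handshake summary, not a real capture
    version: str
    cipher: str
    cert_not_after: date
    issuer_trusted: bool
    client_auth: bool = False

def evaluate(profile: DecryptionProfile, s: Session, today: date) -> List[str]:
    """Return the reasons the profile would block the session; an empty list means allow."""
    reasons = []
    if profile.kind == "forward-proxy":
        lo = VERSIONS.index(profile.min_version)
        hi = len(VERSIONS) - 1 if profile.max_version == "Max" else VERSIONS.index(profile.max_version)
        if profile.block_unsupported_version and not lo <= VERSIONS.index(s.version) <= hi:
            reasons.append("unsupported version")
        if profile.block_unsupported_cipher and s.cipher not in profile.allowed_ciphers:
            reasons.append("unsupported cipher suite")
        if profile.block_client_auth and s.client_auth:
            reasons.append("client authentication")
    # A no-decryption profile never sees the certificate of a TLSv1.3 session
    # (the handshake encrypts it), so its certificate checks cannot fire there.
    cert_visible = profile.kind == "forward-proxy" or s.version != "TLSv1.3"
    if cert_visible:
        if profile.block_expired and s.cert_not_after < today:
            reasons.append("expired certificate")
        if profile.block_untrusted_issuer and not s.issuer_trusted:
            reasons.append("untrusted issuer")
    return reasons
```

Running the same expired, untrusted-issuer session through both profile kinds shows why the page says not to rely on a no-decryption profile for TLSv1.3 traffic: the Forward Proxy profile blocks it, the no-decryption profile returns no reasons at all.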

Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)

  1. Create a decryption profile.
    Select Manage > Configuration > Security Services > Decryption. Under Decryption Profiles, click Add Profile.
  2. Enter a descriptive Name for the profile.
  3. Configure Handshake Settings.
    1. Select a Protocol Min Version: SSLv3.0, TLSv1.0 through TLSv1.3.
    2. Select a Protocol Max Version: SSLv3.0, TLSv1.0 through TLSv1.3, and Max.
    3. Add or Remove Key Exchange Algorithms.
      To remove an algorithm, select the algorithm and then click Remove.
    4. Add or Remove Encryption Algorithms.
    5. Add or Remove Authentication Algorithms.
  4. (Optional) Configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL Forward Proxy traffic.
    If the NGFW is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to 3DES and RC4 encryption algorithms and MD5 authentication algorithm that are not supported and cause pushes to the managed NGFW to fail.
    1. For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
    2. For Unsupported Mode Checks, select Block sessions with unsupported version or Block sessions with unsupported cipher suite.
    3. To configure Advanced SSL Forward Proxy Settings, select Advanced.
      For Server Certificate Verification, you can Block sessions with unknown certificate status, Block sessions on certificate status check timeout, Restrict certificate extensions, or Append certificate's CN value to SAN extension.
      For Unsupported Mode Checks, you can Block sessions with client authentication.
      For Failure Checks, you can Block downgrade on no resource.
      For Client Extension, you can Strip ALPN.
    4. Save the settings.
  5. (Optional) Configure Unsupported Mode and Failure Checks for SSL Inbound Inspection.
    1. For Unsupported Mode Checks, select Block sessions with unsupported version or Block sessions with unsupported cipher suite.
    2. For Failure Checks, select Block sessions if resources not available or Block sessions if HSM not available.
  6. (Optional) Configure Server Certificate Verification settings for traffic that you choose not to decrypt.
    These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
    Select Block sessions with expired certificates or Block sessions with untrusted issuers to validate certificates for traffic excluded from decryption.
    Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, add the server to the Global Decryption Exclusion list instead.
  7. Save the profile.
  8. Push Config.

Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)

  1. Create a new decryption profile.
    Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
  2. (Optional) Allow the profile rule to be Shared across every virtual system on an NGFW or every Panorama device group.
  3. (Decryption Mirroring Only) Enable an Ethernet Interface to use to copy and forward decrypted traffic.
    Separate from this task, follow the steps to configure Decryption Port Mirroring. Be aware of local privacy regulations that prohibit mirroring or control the type of traffic that you can mirror. Decryption Port Mirroring requires a Decryption Port Mirroring license.
  4. (Optional) Block and control SSL tunneled or inbound traffic:
    Select SSL Decryption:
    • Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule configured to perform SSL Forward Proxy decryption.
    • Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that performs SSL Inbound Inspection.
    • Select SSL Protocol Settings to configure the settings that control minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce on decrypted SSL traffic. These settings are active when this profile is attached to decryption policy rules that control SSL Forward Proxy or SSL Inbound Inspection.
    If an NGFW is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to 3DES and RC4 encryption algorithms and the MD5 authentication algorithm, which are not supported on NGFWs and cause pushes to the managed NGFW to fail.
  5. (Optional) Block and control traffic (for example, a URL category) for which you choose to create a policy-based decryption exclusion.
    These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
    Create policy-based exclusions only for traffic that you choose not to decrypt. If a server breaks decryption for technical reasons, add the server to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) instead.
    1. Select No Decryption to configure a no-decrypt Decryption profile.
    2. Select Block sessions with expired certificates and Block sessions with untrusted issuers to validate certificates for traffic excluded from decryption.
  6. (Optional) Block and control decrypted SSH traffic.
    Select SSH Proxy to configure an SSH Proxy decryption profile, and configure settings to enforce supported protocol versions and to block sessions if system resources are not available to perform decryption.
    These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
  7. To enforce decryption profile settings, apply the profile to a decryption policy rule.
  8. Commit your configuration.