Focus

Define Traffic to Decrypt

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Plan a Staged, Prioritized Deployment

Create a Decryption Profile

Define Traffic to Decrypt

Use Decryption Policy rules to define the traffic you decrypt and the traffic you choose not to decrypt because of regulations, business reasons, or privacy reasons.

A Decryption policy rule allows you to define traffic that you want the firewall to decrypt and to define traffic that you choose to exclude from decryption because the traffic is personal or because of local regulations, for example.

Attach a Decryption profile to each Decryption policy rule to enable certificate checks, session mode checks, failure checks, and protocol and algorithm checks, depending on the profile. These checks prevent risky connections, such as sessions with untrusted certificate issuers, weak protocols, ciphers, and algorithms, and servers that have certificate issues.

Review the Decryption deployment best practices checklist to ensure that you understand the recommended best practices.

As a best practice, you should always block known dangerous URL Filtering categories such as malware, phishing, dynamic-dns, unknown, command-and-control, proxy-avoidance-and-anonymizers, copyright-infringement, extremism, newly-registered-domain, grayware, and parked. If you must allow any of these categories for business reasons, you must decrypt them and apply strict Security profiles to the traffic.

URL categories that you should always decrypt if you allow them include: online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, and content-delivery-networks.

In Security policy, block Quick UDP Internet Connections (QUIC) protocol unless for business reasons, you want to allow encrypted browser traffic. Chrome and some other browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous traffic may enter the network as encrypted traffic. Blocking QUIC forces the browser to fall back to TLS and enables the firewall to decrypt the traffic.

Create a Security policy rule to block QUIC on its UDP service ports (80 and 443) and create a separate rule to block the QUIC application. For the rule that blocks UDP ports 80 and 443, create a Service (ObjectsServices) that includes UDP ports 80 and 443:

Use the Service to specify the UDP ports to block for QUIC. In the second rule, block the QUIC application:

Plan a Staged, Prioritized Deployment

Create a Decryption Profile

Next-Generation Firewall Docs

Define Traffic to Decrypt

Next-Generation Firewall Docs

Define Traffic to Decrypt

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner