Work With Decryption (APIs)
Table of Contents
Work With Decryption (APIs)
Automate the workflow to create decryption rules, add
them to Security decryption policy rules, and push them to devices.
Use the REST API to automate the workflow
when you set up decryption policy rules for your firewalls. This
example shows how to create a decryption profile and a decryption
forwarding profile and then to include both in a decryption policy
rule. With decryption policy rules, you can decrypt traffic and
send decryption logs to support private analysis where third-party
security appliances can add additional enforcement for traffic that
the firewall should allow. You must have a Network Packet Broker license
for this example. Review How Network Packet Broker Works for more information about decryption forwarding
and creating a security chain,.
This
example describes setting up a Layer 3 security chain to forward
decrypted SSL traffic (see Layer 3 Security Chain Guidelines).
- Configure two Layer 3 interfaces over which to
forward decrypted traffic.This following POST request configures the Ethernet interface ethernet1/6 with decryption forwarding for use as a dedicate interface for decrypted traffic.curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/EthernetInterfaces?name=ethernet1/6' -H 'X-PAN-KEY: LUFRP==' -d '{ "entry": { "@name": "ethernet1/6", "layer3": { "decrypt-forward": "yes", "lldp": { "enable": "no" }, "ndp-proxy": { "enabled": "no" } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }
- Create a virtual router to enable decryption port forwarding.
The following POST requests uses two Ethernet interfaces dedicated to decryption: ethernet1/5 and ethernet1/6. The virtual router must be dedicated to the decryption forwarding interfaces to ensure that the clear text sessions that the firewall forwards for additional analysis are completely separated from dataplane traffic.curl -X POST 'https://10.55.152.39/restapi/v11.0/Network/VirtualRouters?name=decrypttest' -H 'X-PAN-KEY: LUFRP==’ -d ' { "entry": { "@name": "decrypttest", "ecmp": { "algorithm": { "ip-modulo": {} } }, "interface": { "member": [ "ethernet1/5", "ethernet1/6" ] }, "protocol": { "bgp": { "enable": "no", "routing-options": { "graceful-restart": { "enable": "yes" } } }, "ospf": { "enable": "no" }, "ospfv3": { "enable": "no" }, "rip": { "enable": "no" } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a Decryption Profile.
The following POST request creates a decryption profile that defines the traffic and settings for blocking and allowing traffic in a decryption policy rule. For information on each of the options available for configuration, review how to Define Traffic to Decrypt.curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecyptionProfiles?name=jl-test&location=vsys&=vsys1&input-format=json' -h 'X-PAN-KEY: LUFRPT' -d '{ "entry": { "@name": "decryptProfileTest", "ssh-proxy": { "block-if-no-resource": "no", "block-ssh-errors": "no", "block-unsupported-alg": "no", "block-unsupported-version": "no" }, "ssl-forward-proxy": { "auto-include-altname": "no", "block-client-cert": "no", "block-expired-certificate": "no", "block-if-no-resource": "no", "block-timeout-cert": "no", "block-tls13-downgrade-no-resource": "no", "block-unknown-cert": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no", "block-untrusted-issuer": "no", "restrict-cert-exts": "no", "strip-alpn": "no" }, "ssl-inbound-proxy": { "block-if-no-resource": "no", "block-tls13-downgrade-no-resource": "no", "block-unsupported-cipher": "no", "block-unsupported-version": "no" }, "ssl-no-proxy": { "block-expired-certificate": "no", "block-untrusted-issuer": "no" }, "ssl-protocol-settings": { "auth-algo-md5": "no", "auth-algo-sha1": "yes", "auth-algo-sha256": "yes", "auth-algo-sha384": "yes", "enc-algo-3des": "yes", "enc-algo-aes-128-cbc": "yes", "enc-algo-aes-128-gcm": "yes", "enc-algo-aes-256-cbc": "yes", "enc-algo-aes-256-gcm": "yes", "enc-algo-chacha20-poly1305": "yes", "enc-algo-rc4": "yes", "keyxchg-algo-dhe": "yes", "keyxchg-algo-ecdhe": "yes", "keyxchg-algo-rsa": "yes", "max-version": "tls1-2", "min-version": "tls1-0" } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a Decryption Forwarding Profile.
The following POST request creates a bidirectional security chain with devices at 1.1.1.1 and 1.1.1.2 using the Ethernet interfaces you created earlier in this task.curl -X POST 'https://10.55.152.39/restapi/v11.0/Objects/DecryptionForwardingProfiles?name=decryptionForwardTest&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: LUFRP==' -d '{ "entry": { "@location": "vsys", "@name": "decryptionForwardTest", "@vsys": "vsys1", "flow": "bidirectional", "health-check": { "http-enable": "no", "http-latency-enable": "no", "path-enable": "no" }, "interface-primary": "ethernet1/5", "interface-secondary": "ethernet1/6", "routed": { "security-chain": { "entry": [ { "@name": "testchain", "enable": "yes", "first-device": "1.1.1.1", "last-device": "1.1.1.2" } ] } } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }- Create a decryption policy using the decryption profile and decryption forwarding profile you created before.
The following POST requests defines the traffic source zones and destinations to enable decryption based on the testdecryptionprofile and testdecryptionforwading profiles.curl -X POST 'https://10.55.152.39/restapi/v11.0/Policies/DecryptionRules?name=jltestrule&location=vsys&vsys=vsys1' -H 'X-PAN-KEY: LUFRP' -d '{ "entry": { "@location": "vsys", "@name": "jltestrule", "@uuid": "b4d66137-9678-4b9d-9105-e881899d1125", "@vsys": "vsys1", "action": "decrypt-and-forward", "category": { "member": [ "any" ] }, "destination": { "member": [ "any" ] }, "destination-hip": { "member": [ "any" ] }, "forwarding-profile": "testdecryptionforwarding", "from": { "member": [ "l3-untrust" ] }, "negate-source": "no", "profile": "testdecryptionprofile", "service": { "member": [ "any" ] }, "source": { "member": [ "Test" ] }, "source-hip": { "member": [ "any" ] }, "source-user": { "member": [ "any" ] }, "to": { "member": [ "l2-trust" ] }, "type": { "ssl-forward-proxy": {} } } }'The resulting success message:{ "@code": "20", "@status": "success", "msg": "command succeeded" }
- Create a virtual router to enable decryption port forwarding.