Settings to Control Decrypted SSL Traffic
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Settings to Control Decrypted SSL Traffic
The following table describes the settings you can use
to control SSL traffic that has been decrypted using either SSL
Forward Proxy decryption or SSL Inbound Inspection. You can use
these settings to limit or block SSL sessions based on criteria including
the status of the external server certificate, the use of unsupported
cipher suites or protocol versions, or the availability of system
resources to process decryption.
SSL Decryption Tab Settings | Description |
---|---|
SSL FORWARD PROXY TAB Select
options to limit or block SSL traffic decrypted using SSL Forward
Proxy. | |
Server Certificate Validation—Select
options to control server certificates for decrypted SSL traffic. | |
Block sessions with expired certificates | Terminate the SSL connection if the server
certificate is expired. This prevents users from accepting expired
certificates and continuing with an SSL session. Block sessions with expired certificates
to prevent access to potentially insecure sites. |
Block sessions with untrusted issuers | Terminate the SSL session if the server
certificate issuer is untrusted. Block
sessions with untrusted issuers because an untrusted issuer may
indicate a man-in-the-middle attack, a replay attack, or another
attack. |
Block sessions with unknown certificate status | Terminate the SSL session if a server returns
a certificate revocation status of “unknown”. Certificate revocation
status indicates if trust for the certificate has been or has not
been revoked. Block sessions with unknown
certificate status for the tightest security. However, because certificate
status may be unknown for a variety of reasons, this may tighten
security too much. If blocking unknown certificate status affects
sites you need to use for business, don’t block sessions with unknown
certificate status. |
Block sessions on the certificate status
check timeout | Terminate the SSL session if the certificate
status cannot be retrieved within the amount of time that the firewall
is configured to stop waiting for a response from a certificate
status service. You can configure Certificate Status
Timeout value when creating or modifying a certificate
profile (DeviceCertificate
ManagementCertificate Profile). Blocking
sessions when the status check times out is a tradeoff between tighter
security and a better user experience. If certificate revocation
servers respond slowly, blocking on a timeout may block sites that
have valid certificates. You can increase the timeout value for
Certificate Revocation Checking (CRL) and Online Certificate Status Protocol
(OCSP) if you are concerned about timing out valid certificates. |
Restrict certificate extensions | Limits the certificate extensions used in
the dynamic server certificate to key usage and extended key usage. Restrict certificate extensions if your
deployment requires no other certificate extensions. |
Append certificate's CN value to SAN extension | Enable the firewall to add a Subject Alternative
Name (SAN) extension to the impersonation certificate it presents
to clients as part of SSL Forward Proxy decryption. When a server
certificate contains only a Common Name (CN), the firewall adds
a SAN extension to the impersonation certificate based on the server
certificate CN. This option is useful in cases where browsers
require server certificates to use a SAN and no longer support certificate
matching based on CNs; it ensures that end users can continue to
access their requested web resources and that the firewall can continue
to decrypt sessions even if a server certificate contains only a
CN.Append the certificate’s CN value
to the SAN extension to help ensure access to requested web resources. |
Unsupported Mode Checks—Select
options to control unsupported SSL applications. | |
Block sessions with unsupported versions | Terminate sessions if PAN-OS does not support
the “client hello” message. PAN-OS supports SSLv3, TLS1.0, TLS1.1,
and TLS1.2. Always block sessions
with unsupported versions to prevent access to sites with weak protocols.
On the SSL Protocol Settings tab, set the
minimum Protocol Version to TLSv1.2 to block sites with weak protocol
versions. If a site you need to access for business purposes uses
a weaker protocol, create a separate Decryption profile that allows
the weaker protocol and specify it in a Decryption policy rule that
applies only to the sites for which you must allow the weaker protocol. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite
specified in the SSL handshake if it is not supported by PAN-OS. Block sessions that use cipher suites you
don’t support. You configure which cipher suites (encryption algorithms)
to allow on the SSL Protocol Settings tab.
Don’t allow users to connect to sites with weak cipher suites. |
Block sessions with client authentication | Terminate sessions with client authentication
for SSL forward proxy traffic. Block
sessions with client authentication unless an important application
requires it, in which case you should create a separate Decryption
profile and apply it only to traffic that requires client authentication. |
Failure Checks—Select
the action to take if system resources are not available to process decryption. | |
Block sessions if resources not available | Terminate sessions if system resources are
not available to process decryption. Whether to block sessions
when resources aren’t available is a tradeoff between tighter security
and a better user experience. If you don’t block sessions when resources
aren’t available, the firewall won’t be able to decrypt traffic
that you want to decrypt when resources are impacted. However, blocking
sessions when resources aren’t available may affect the user experience
because sites that are normally reachable may become temporarily
unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security
module (HSM) is not available to sign certificates. Whether
to block sessions if the HSM isn’t available depends on your compliance
rules about where private keys must come from and how you want to
handle encrypted traffic if the HSM isn’t available. |
Client Extension | |
Strip ALPN | The firewall processes and inspects HTTP/2
traffic by default. However, you can disable HTTP/2 inspection by
specifying for the firewall to Strip ALPN.
With this option selected, the firewall removes any value contained
in the Application-Layer Protocol Negotiation (ALPN) TLS extension). Because
ALPN is used to secure HTTP/2 connections, when there is no value
specified for this TLS extension, the firewall either downgrades HTTP/2
traffic to HTTP/1.1 or classifies it as unknown TCP traffic. |
For unsupported modes
and failure modes, the session information is cached for 12 hours, so
future sessions between the same hosts and server pair are not decrypted.
Enable the options to block those sessions instead. | |
SSL INBOUND INSPECTION TAB Select
options to limit or block SSL traffic decrypted using SSL Inbound
Inspection. | |
Unsupported Mode Checks—Select
options to control sessions if unsupported modes are detected in
SSL traffic. | |
Block sessions with unsupported versions | Terminate sessions if PAN-OS does not support
the “client hello” message. PAN-OS supports SSLv3, TLS1.0, TLS1.1,
and TLS1.2. Always block sessions
with unsupported versions to prevent access to sites with weak protocols.
On the SSL Protocol Settings tab, set the
minimum Protocol Version to TLSv1.2 to block sites with weak protocol
versions. If a site you need to access for business purposes uses
a weaker protocol, create a separate Decryption profile that allows
the weaker protocol and specify it in a Decryption policy rule that
applies only to the sites for which you must allow the weaker protocol. |
Block sessions with unsupported cipher suites | Terminate the session if the cipher suite
used is not supported by PAN-OS. Block
sessions that use cipher suites you don’t support. You configure
which cipher suites (encryption algorithms) to allow on the SSL
Protocol Settings tab. Don’t allow users to connect
to sites with weak cipher suites. |
Failure Checks—Select
the action to take if system resources are not available. | |
Block sessions if resources not available | Terminate sessions if system resources are
not available to process decryption. Whether to block sessions
when resources aren’t available is a tradeoff between tighter security
and a better user experience. If you don’t block sessions when resources
aren’t available, the firewall won’t be able to decrypt traffic
that you want to decrypt when resources are impacted. However, blocking
sessions when resources aren’t available may affect the user experience
because sites that are normally reachable may become temporarily
unreachable. |
Block sessions if HSM not available | Terminate sessions if a hardware security
module (HSM) is not available to decrypt the session key. Whether
to block sessions if the HSM isn’t available depends on your compliance
rules about where private keys must come from and how you want to
handle encrypted traffic if the HSM isn’t available. |
SSL PROTOCOL SETTINGS TAB Select
the following settings to enforce protocol versions and cipher suites
for SSL session traffic. | |
Protocol Versions | Enforce the use of minimum and maximum protocol
versions for the SSL session. |
Min Version | Set the minimum protocol version that can
be used to establish the SSL connection. Set
the Min Version to TLSv1.2 to provide the strongest security. Review
sites that don’t support TLSv1.2 to see if they really have a legitimate
business purpose. For sites you need to access that don’t support
TLSv1.2, create a separate Decryption profile that specifies the
strongest protocol version they support and apply it to a Decryption
policy rule that limits the use of the weak version to only the necessary
sites, from only the necessary sources (zones, addresses, users). |
Max Version | Set the maximum protocol version that can
be used to establish the SSL connection. You can choose the option
Max so that no maximum version is specified; in this case, protocol
versions that are equivalent to or are a later version than the
selected minimum version are supported. Set
the Max Version to Max so that as protocols improve,
the firewall automatically supports them. |
Key Exchange Algorithms | Enforce the use of the selected key exchange
algorithms for the SSL session. All three algorithms (RSA, DHE,
and ECDHE) are enabled by default. The DHE (Diffie-Hellman)
and ECDHE (elliptic curve Diffie-Hellman) enable Perfect Forward Secrecy (PFS) for
SSL Forward Proxy or Inbound Inspection decryption. |
Encryption Algorithms | Enforce the use of the selected encryption
algorithms for the SSL session. Don’t
support the weak 3DES or RC4 encryption
algorithms. (The firewall automatically blocks these two algorithms
when you use TLSv1.2 as the minimum protocol version.) If you have
to make an exception and support a weaker protocol version, uncheck 3DES and RC4 in
the Decryption profile. If there are sites you must access for business
purposes that use 3DES or RC4 encryption
algorithms, create a separate Decryption profile and apply it to
a Decryption policy rule for just those sites. |
Authentication Algorithms | Enforce the use of the selected authentication
algorithms for the SSL session. Block
the old, weak MD5 algorithm (blocked by default). If no necessary
sites use SHA1 authentication, block SHA1. If any sites you require
for business purposes use SHA1, create a separate Decryption profile
and apply it to a Decryption policy rule for just those sites. |