
Decryption

PAN-OS Administrator's Guide
Version 7.1

Copyright 2007-2015 Palo Alto Networks

Contact Information
Corporate Headquarters:

Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus

About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/panos/panosreleasenotes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 9, 2016


Decryption
Palo Alto Networks firewalls can decrypt and inspect traffic for visibility, control, and granular security. Decryption lets the firewall enforce security policy on encrypted traffic that it could otherwise not block or shape according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network, or sensitive content from leaving it, concealed inside encrypted traffic.
Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:

Decryption Overview
Decryption Concepts
Define Traffic to Decrypt
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
Enable Users to Opt Out of SSL Decryption
Configure Decryption Port Mirroring
Temporarily Disable SSL Decryption


Decryption Overview
Secure Sockets Layer (SSL, including its successor Transport Layer Security, TLS) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to anyone other than the client and server that hold the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted with SSL or SSH can be decrypted to ensure that these protocols are being used for their intended purposes only, and not to conceal unwanted activity or malicious content.
Pal Alto Networks firewalls decrypt traffic by using keys to transform session data from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting the traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used to exclude servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enhance the security of the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies let you select traffic for decryption by destination, source, or URL category, and then block or restrict that traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to preserve privacy and security. Use policy-based decryption on the firewall to:

Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
Prevent sensitive corporate information from moving outside the corporate network.
Ensure the appropriate applications are running on a secure network.
Selectively decrypt traffic; for example, exclude traffic for financial or healthcare sites from decryption by configuring a decryption exception.

The three decryption policy types offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, target and inspect outbound SSL traffic, inbound SSL traffic, and SSH traffic, respectively. The decryption policy specifies what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. Policy-based decryption gives you visibility into and control over SSL- and SSH-encrypted traffic according to configurable parameters.
You can also extend a decryption configuration on the firewall to include Decryption Mirroring, which forwards decrypted traffic as plaintext to a third-party solution for additional analysis and archiving.


Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:

Keys and Certificates for Decryption Policies
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy
Decryption Exceptions
Decryption Mirroring

Keys and Certificates for Decryption Policies
Keys are strings of bits, typically generated by a mathematical operation involving random numbers and large primes. Keys are used to transform data from plaintext to ciphertext (encryption) and from ciphertext to plaintext (decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.
X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client authenticating a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (the common name, or CN, within the certificate) or the name of the organization, department, or user to which the certificate was issued. A certificate is issued and signed by a certificate authority (CA): after the CA verifies the client or server, it issues the certificate and signs it with the CA's private key. (A root CA certificate signs itself; every other certificate chains up to such a root.)
With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. To establish trust, the firewall must have the server's root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate, signed by the Forward Trust certificate, for the client to authenticate. You can also configure the firewall to use an enterprise CA certificate as the forward trust certificate for SSL Forward Proxy. If the firewall does not have the server's root CA certificate in its CTL, the firewall presents a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with an untrusted certificate.
For detailed information on certificates, see Certificate Management.

To control which CAs your firewall trusts, use the Device > Certificate Management > Certificates > Default Trusted Certificate Authorities tab on the firewall web interface.

Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.


Table: Palo Alto Networks Firewall Keys and Certificates

Key/Certificate Usage: Forward Trust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server certificate. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM.

Key/Certificate Usage: Forward Untrust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

Key/Certificate Usage: SSL Exclude Certificate
Description: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

Key/Certificate Usage: SSL Inbound Inspection
Description: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate and private key for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).

SSL Forward Proxy
Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL-encrypted traffic from being introduced into your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and the outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client's SSL request and forwards it to the server. The server returns a certificate intended for the client, which the firewall intercepts. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall's Forward Trust certificate, and sends that certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case the client sees a certificate warning that the site it is attempting to connect to is not trusted (the Forward Untrust CA is deliberately never installed on clients, which is what triggers the warning), and the user can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.
As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into cleartext and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall, and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.
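The certificate handling described above, as an added example in Go that is not part of this guide and not PAN-OS code: it models the firewall's choice between the Forward Trust and Forward Untrust signers (see Keys and Certificates for Decryption Policies) and what a client that has only the forward trust CA installed then sees. All CAs, the site name, the ForwardProxy type and the helper functions are constructed for the example; a real firewall also keeps the re-signing private key for its client-side handshake and applies the further checks of the attached decryption profile, neither of which is modeled here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the certificate plus its fresh P-256 key; a hypothetical helper.
func issue(tmpl, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func newCA(name string) (*x509.Certificate, crypto.Signer) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil, nil)
}

func newLeaf(dns string, ca *x509.Certificate, caKey crypto.Signer) *x509.Certificate {
	leaf, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: dns}, DNSNames: []string{dns},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return leaf
}

// ForwardProxy models the firewall's SSL Forward Proxy certificate handling.
type ForwardProxy struct {
	Roots                *x509.CertPool    // the firewall's trusted CA list (CTL)
	Trust, Untrust       *x509.Certificate // forward trust / forward untrust CA certificates
	TrustKey, UntrustKey crypto.Signer
}

// Resign returns the copy of serverCert the firewall presents to the client and
// which firewall CA signed it ("trust" or "untrust"). The copy keeps the server's
// subject, SANs and key usages; the fresh key issue returns is discarded here.
func (fp *ForwardProxy) Resign(serverCert *x509.Certificate) (*x509.Certificate, string) {
	if !fp.Trust.IsCA || !fp.Untrust.IsCA { // the "CA" check box on the imported certificate
		panic("forward trust and forward untrust certificates must be CA certificates")
	}
	ca, caKey, mode := fp.Trust, fp.TrustKey, "trust"
	if _, err := serverCert.Verify(x509.VerifyOptions{Roots: fp.Roots}); err != nil {
		ca, caKey, mode = fp.Untrust, fp.UntrustKey, "untrust" // issuer not in the CTL
	}
	copyCert, _ := issue(&x509.Certificate{Subject: serverCert.Subject, DNSNames: serverCert.DNSNames,
		IPAddresses: serverCert.IPAddresses, KeyUsage: serverCert.KeyUsage, ExtKeyUsage: serverCert.ExtKeyUsage}, ca, caKey)
	return copyCert, mode
}

type Outcome struct {
	Mode      string // "trust" or "untrust"
	Issuer    string // issuer CN in the certificate the client receives
	ClientErr error  // nil means the browser shows no certificate warning
}

// Present has the firewall re-sign leaf, then a client with root store clientRoots verifies it.
func Present(fp *ForwardProxy, clientRoots *x509.CertPool, leaf *x509.Certificate) Outcome {
	copyCert, mode := fp.Resign(leaf)
	_, err := copyCert.Verify(x509.VerifyOptions{Roots: clientRoots, DNSName: leaf.DNSNames[0]})
	return Outcome{Mode: mode, Issuer: copyCert.Issuer.CommonName, ClientErr: err}
}

// Scenario runs both cases from the text: the firewall trusts Public Root CA
// only, and the client has only the forward trust CA installed (Step 3).
func Scenario() (trusted, untrusted Outcome) {
	publicCA, publicKey := newCA("Public Root CA")
	rogueCA, rogueKey := newCA("Rogue CA")
	fwdTrust, fwdTrustKey := newCA("Enterprise Forward Trust CA")
	fwdUntrust, fwdUntrustKey := newCA("Firewall Forward Untrust CA")
	roots, clientRoots := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(publicCA)
	clientRoots.AddCert(fwdTrust)
	fp := &ForwardProxy{Roots: roots, Trust: fwdTrust, TrustKey: fwdTrustKey, Untrust: fwdUntrust, UntrustKey: fwdUntrustKey}
	return Present(fp, clientRoots, newLeaf("www.example.com", publicCA, publicKey)),
		Present(fp, clientRoots, newLeaf("www.example.com", rogueCA, rogueKey))
}

func main() {
	t, u := Scenario()
	fmt.Printf("trusted site -> %+v\nuntrusted site -> %+v\n", t, u)
}
```

Run it with go run: the first site's copy verifies cleanly because its issuer is the enterprise forward trust CA the client trusts, while the second fails with an unknown-authority error, which is exactly the browser warning the Forward Untrust certificate is meant to produce. The IsCA check at the top of Resign is the same condition the Key and CA check boxes express after the import in Step 2 of Configure SSL Forward Proxy: a signer that is not a CA certificate cannot issue the copies.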


Figure: SSL Forward Proxy

See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.

SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server whose certificate and private key you have and can import onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server's certificate and private key onto the firewall. Because the firewall holds the server's private key, it can follow the SSL session between the server and the client and decrypt and inspect the traffic transparently, rather than functioning as a proxy; the client still receives the real server certificate, so no client-side trust changes are needed. The firewall applies security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Note that deriving session keys from the server's private key alone is only possible for RSA key-exchange cipher suites; with ephemeral Diffie-Hellman (forward secrecy) suites the server's private key never enters the key agreement, so align the cipher suites the protected server offers with what your PAN-OS release supports for inbound inspection.
Figure: SSL Inbound Inspection shows this process in detail.


Figure: SSL Inbound Inspection

See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.

SSH Proxy
SSH Proxy gives the firewall the ability to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates; the key used for SSH decryption is generated automatically when the firewall boots up. During the boot-up process, the firewall checks whether a key already exists and, if not, generates one. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall, and the same key is used for all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards it to the server. The firewall then intercepts the server's response and forwards it to the client, establishing one SSH tunnel between the firewall and the client and another between the firewall and the server, with the firewall functioning as a proxy. Because the client negotiates with the firewall rather than with the real server, the client sees the firewall's host key instead of the server's; clients that have already recorded the server's host key (for example in a known_hosts file) will report a host-key mismatch until that entry is updated. As traffic flows between the client and the server, the firewall can distinguish whether the SSH traffic is being routed normally or is using SSH tunneling (port forwarding). Content and threat inspection is not performed on SSH tunnels; however, if the firewall identifies an SSH tunnel, the tunneled traffic is blocked and restricted according to the configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.


Figure: SSH Proxy Decryption

See Configure SSH Proxy for details on configuring an SSH Proxy policy.

Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:

Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including legal or privacy purposes. You can use a decryption policy rule to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic categorized as financial or health-related from decryption.
Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.


Decryption Mirroring
The decryption mirroring feature creates a copy of decrypted traffic from a firewall and sends it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series, and PA-3000 Series platforms only, and requires that a free license be installed to enable the feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries, and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted over an encrypted channel. Palo Alto Networks recommends that you consult your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic, and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
Figure: Decryption Port Mirroring


Define Traffic to Decrypt
A decryption policy rule lets you define traffic that you want the firewall to decrypt, or traffic that you want the firewall to exclude from decryption. You can attach a decryption profile to a decryption policy rule to control matching traffic more granularly.

Create a Decryption Profile
Create a Decryption Policy Rule

Create a Decryption Profile
A decryption profile lets you perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:

Block sessions that use unsupported protocols or cipher suites, or that require client authentication.
Block sessions based on certificate status: the certificate is expired, is signed by an untrusted CA, has extensions restricting its use, has an unknown certificate status, or its status cannot be retrieved within a configured timeout period.
Block sessions if the resources to perform decryption are not available, or if a hardware security module is not available to sign certificates.

After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.

Configure a Decryption Profile Rule
Step 1 Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
Step 2 (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
Step 3 (Decryption Mirroring only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.


Configure a Decryption Profile Rule (Continued)
Step 4 (Optional) Block and control SSL-tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection. Select SSL Decryption:
Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL-decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
Select SSL Protocol Settings to configure minimum and maximum protocol versions and the key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 5 (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption. Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
Step 6 (Optional) Block and control SSH traffic undergoing SSH Proxy decryption. Select SSH Proxy and configure settings to enforce supported protocol versions. These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
Step 7 Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
1. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
3. Click OK.
Step 8 Commit the configuration.


Create a Decryption Policy Rule
Create a decryption policy rule to define the traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.

Configure a Decryption Policy Rule
Step 1 Select Policies > Decryption and Add a new decryption policy rule.
Step 2 Give the policy rule a descriptive Name.
Step 3 Configure the decryption rule to match traffic based on network and policy objects:
Firewall security zones: select Source and/or Destination and match traffic based on the Source Zone and/or the Destination Zone.
IP addresses, address objects, and/or address groups: select Source and/or Destination to match traffic based on Source Address and/or Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
Users: select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
Ports and protocols: select Service/URL Category to set the rule to match traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match applications only on their default ports. The application-default setting is useful to Configure Decryption Exceptions: you can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
URLs and URL categories: select Service/URL Category and decrypt traffic based on:
  An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
  Custom URL categories (see Objects > Custom Objects > URL Category).
  Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
Step 4 Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption. Select Options and set the policy rule Action:
Decrypt matching traffic:
1. Select Decrypt.
2. Set the Type of decryption for the firewall to perform on matching traffic: SSL Forward Proxy, SSH Proxy, or SSL Inbound Inspection. If you enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
Exclude matching traffic from decryption: select No Decrypt.
Step 5 (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)


Configure a Decryption Policy Rule (Continued)
Step 6 Click OK to save the policy.

Next Steps...
Fully enable the firewall to decrypt traffic:
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
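The matching behaviour of a decryption rule base built with the steps above, as an added example in Go that is not the firewall's own code: a simplified rule model (zones, address lists with Negate, service port, URL category, Action and Type), first-match evaluation, and a constructed rule base in which the financial and health exception sits above the broad decrypt rule (the pattern Decryption Exceptions describes). App-ID, application-default and user matching are left out of the model; the zone names, addresses, category names and rule names are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a simplified decryption policy rule; an empty match field means "any".
type Rule struct {
	Name               string
	SrcZones, DstZones []string
	SrcPrefixes        []netip.Prefix
	NegateSrc          bool // the Negate check box on the source address list
	DstPrefixes        []netip.Prefix
	Ports              []uint16 // TCP destination ports (the service)
	URLCategories      []string
	Action             string // "Decrypt" or "No Decrypt"
	Type               string // "SSL Forward Proxy", "SSL Inbound Inspection" or "SSH Proxy"
}

// Session is the flow the firewall matches against the rule base.
type Session struct {
	SrcZone, DstZone string
	Src, Dst         netip.Addr
	DstPort          uint16
	URLCategory      string // category of the destination site (from SNI/URL)
}

// has reports whether v is in list, treating an empty list as "any".
func has[T comparable](list []T, v T) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return len(list) == 0
}

// hasAddr is the address-list test, honouring Negate on a non-empty list.
func hasAddr(list []netip.Prefix, a netip.Addr, negate bool) bool {
	for _, p := range list {
		if p.Contains(a) {
			return !negate
		}
	}
	return len(list) == 0 || negate
}

// Matches reports whether every configured criterion of r matches s.
func (r Rule) Matches(s Session) bool {
	return has(r.SrcZones, s.SrcZone) && has(r.DstZones, s.DstZone) &&
		hasAddr(r.SrcPrefixes, s.Src, r.NegateSrc) && hasAddr(r.DstPrefixes, s.Dst, false) &&
		has(r.Ports, s.DstPort) && has(r.URLCategories, s.URLCategory)
}

// Decision names the first matching rule and what it does to the session.
type Decision struct{ Rule, Action, Type string }

// Evaluate walks the rule base top-down: the first match wins, and a session
// that no rule matches is left encrypted.
func Evaluate(rules []Rule, s Session) Decision {
	for _, r := range rules {
		if r.Matches(s) {
			return Decision{r.Name, r.Action, r.Type}
		}
	}
	return Decision{"(no match)", "No Decrypt", ""}
}

// Rules is a constructed rule base. The exception sits above the broad
// decrypt rule, so financial and health sites are never decrypted.
var Rules = []Rule{
	{Name: "no-decrypt-sensitive", SrcZones: []string{"trust"}, DstZones: []string{"untrust"},
		URLCategories: []string{"financial-services", "health-and-medicine"}, Action: "No Decrypt"},
	{Name: "decrypt-outbound-web", SrcZones: []string{"trust"}, DstZones: []string{"untrust"},
		Ports: []uint16{443}, Action: "Decrypt", Type: "SSL Forward Proxy"},
	{Name: "inspect-inbound-www", SrcZones: []string{"untrust"}, DstZones: []string{"dmz"},
		DstPrefixes: []netip.Prefix{netip.MustParsePrefix("10.1.1.5/32")}, Ports: []uint16{443},
		Action: "Decrypt", Type: "SSL Inbound Inspection"},
	{Name: "proxy-outbound-ssh", SrcZones: []string{"trust"}, DstZones: []string{"untrust"}, Ports: []uint16{22},
		SrcPrefixes: []netip.Prefix{netip.MustParsePrefix("10.0.9.0/24")}, NegateSrc: true, // admin jump hosts exempt
		Action: "Decrypt", Type: "SSH Proxy"},
}

// Sessions are constructed flows: zone pair, addresses, destination port, URL category.
var Sessions = map[string]Session{
	"bank":      {"trust", "untrust", netip.MustParseAddr("10.0.0.7"), netip.MustParseAddr("198.51.100.10"), 443, "financial-services"},
	"news":      {"trust", "untrust", netip.MustParseAddr("10.0.0.7"), netip.MustParseAddr("198.51.100.20"), 443, "news"},
	"inbound":   {"untrust", "dmz", netip.MustParseAddr("203.0.113.9"), netip.MustParseAddr("10.1.1.5"), 443, ""},
	"ssh":       {"trust", "untrust", netip.MustParseAddr("10.0.0.7"), netip.MustParseAddr("198.51.100.30"), 22, ""},
	"ssh-admin": {"trust", "untrust", netip.MustParseAddr("10.0.9.4"), netip.MustParseAddr("198.51.100.30"), 22, ""},
	"intranet":  {"trust", "dmz", netip.MustParseAddr("10.0.0.7"), netip.MustParseAddr("10.1.1.5"), 443, ""},
}

func main() {
	for name, s := range Sessions {
		fmt.Printf("%-9s -> %+v\n", name, Evaluate(Rules, s))
	}
	swapped := []Rule{Rules[1], Rules[0], Rules[2], Rules[3]} // the classic mistake
	fmt.Printf("bank, exception below decrypt rule -> %+v\n", Evaluate(swapped, Sessions["bank"]))
}
```

Evaluate(Rules, Sessions["bank"]) hits the exception and returns No Decrypt, while Sessions["news"] falls through to the SSL Forward Proxy rule; swapping the first two rules makes the bank session decrypt, which is why an exception must sit above the rule it carves traffic out of. The ssh-admin session shows Negate at work: a source inside 10.0.9.0/24 no longer matches the SSH Proxy rule and stays encrypted, as does the intranet flow that no rule covers.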


Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.

(Recommended) Enterprise CA-signed Certificates
An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client, signed by the enterprise CA-issued signing certificate. Clients that already trust the enterprise CA accept the copy without any additional certificate deployment.
Self-signed Certificates
When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to perform decryption for only a limited number of clients.

Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL-tunneled traffic matched to the decryption policy rule is decrypted to cleartext. The cleartext traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.

Configure SSL Forward Proxy
Step 1 Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
Step 2 Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
Use a self-signed certificate as the forward trust certificate.


Configure SSL Forward Proxy (Continued)
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
a. Select Device > Certificate Management > Certificates and click Generate.
b. Enter a Certificate Name, such as my-fwd-proxy.
c. In the Signed By drop-down, select External Authority (CSR).
d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
a. Select the pending certificate displayed on the Device Certificates tab.
b. Click Export to download and save the certificate file. Leave Export private key unselected to ensure that the private key remains securely on the firewall.
c. Click OK.
3. Provide the certificate file to your enterprise CA. Because the firewall will use this certificate to sign the copies of server certificates it presents to clients, the enterprise CA must issue it as a subordinate CA (signing) certificate rather than as an ordinary server certificate. When you receive the enterprise CA-signed certificate from your enterprise CA, save it for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
a. Select Device > Certificate Management > Certificates and click Import.
b. Enter the pending Certificate Name exactly (in this case, my-fwd-proxy). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
c. Select the signed Certificate File that you received from your enterprise CA.
d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case my-fwd-proxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.


Configure SSL Forward Proxy (Continued)
Use a self-signed certificate as the forward trust certificate.
1. Generate a new certificate:
a. Select Device > Certificate Management > Certificates.
b. Click Generate at the bottom of the window.
c. Enter a Certificate Name, such as my-fwd-trust.
d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
e. Leave the Signed By field blank.
f. Select the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
g. Generate the certificate.
2. Click the new certificate my-fwd-trust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.

Step 3 Distribute the forward trust certificate to client system certificate stores. If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit. If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
On a firewall configured as a GlobalProtect portal (this option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems):
1. Select Network > GlobalProtect > Portals and then select an existing portal configuration or Add a new one.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
4. Select Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
5. Click OK twice.
Without GlobalProtect: export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import the certificate into the browser's trusted root CA list on the client systems so that the clients trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store; on Windows systems, the default import location is the Personal certificate store, which does not establish trust. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).


ConfigureSSLForwardProxy(Continued)
Step 4
Configure the forward untrust certificate.
1. Click Generate at the bottom of the certificates page.
2. Enter a Certificate Name, such as my-fwd-untrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Select the Certificate Authority check box so that the firewall can issue certificates.
5. Click Generate to generate the certificate.
6. Click OK to save.
7. Click the new my-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option.
Do not export the forward untrust certificate for import into client systems. The firewall signs the certificates it presents for sites whose own certificates fail validation with this CA precisely so that browsers do not trust them; if the forward untrust certificate is imported on client systems, users will no longer see certificate warnings for SSL sites with untrusted certificates.
8. Click OK to save.

Step 5
(Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
See Configure the Key Size for SSL Forward Proxy Server Certificates.

Step 6
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
  Set the rule Action to Decrypt matching traffic.
  Set the rule Type to SSL Forward Proxy.
  (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
3. Click OK to save.

Step 7
(Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1. Select Device > Setup > Content-ID.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1. Select Device > Virtual Systems.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.

Step 8
Commit the configuration.

Next Steps...
Enable Users to Opt Out of SSL Decryption.
Configure Decryption Exceptions to disable decryption for certain types of traffic.

Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate and its private key). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to cleartext traffic and inspected. The cleartext traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted, unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Because the firewall decrypts inbound sessions with the server's private key rather than by terminating the connection itself, it can only recover the session keys when the server negotiates an RSA key exchange; sessions that use an ephemeral (DHE or ECDHE) key exchange cannot be decrypted this way, so make sure the server offers RSA key exchange for the traffic you need to inspect.
Configuring SSL Inbound Inspection includes installing the targeted server certificate (with its private key) on the firewall and creating an SSL Inbound Inspection decryption policy.
Configure SSL Inbound Inspection
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2
Ensure that the targeted server certificate is installed on the firewall.
On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
To import the targeted server certificate onto the firewall:
1. On the Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File.
4. Click OK.

Step 3
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
  Set the rule Action to Decrypt matching traffic.
  Set the rule Type to SSL Inbound Inspection.
  Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
  (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.

Step 4
(Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1. Select Device > Setup > Content-ID.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1. Select Device > Virtual Systems.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.

Step 5
Commit the configuration.

Next Steps...
Enable Users to Opt Out of SSL Decryption.
Configure Decryption Exceptions to disable decryption for certain types of traffic.

Configure SSH Proxy
Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH-tunneled traffic. SSH-tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.
Because the firewall terminates the SSH session and presents its own host key to the client, users whose SSH clients have already recorded the real server's host key (for example, in a known_hosts file) will see a host key mismatch warning the first time they connect through the proxy. Plan for this when you enable SSH Proxy on hosts that users already connect to.
Configure SSH Proxy Decryption
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
  Set the rule Action to Decrypt matching traffic.
  Set the rule Type to SSH Proxy.
  (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.

Step 3
(Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1. Select Device > Setup > Content-ID.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1. Select Device > Virtual Systems.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.

Step 4
Commit the configuration.

Next Step...
Configure Decryption Exceptions to disable decryption for certain types of traffic.

Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
Exclude Traffic from Decryption
Exclude a Server from Decryption

Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence and the first match wins, make sure that a decryption exclusion rule is listed above any Decrypt rule that would match the same traffic; placing it first in your decryption policy guarantees this.
Exclude Traffic from a Decryption Policy
Step 1
Exclude traffic from decryption based on match criteria.
This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
1. Select Policies > Decryption and modify or Create a Decryption Policy rule.
2. Define the traffic that you want to exclude from decryption. In this example:
  a. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
  b. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
  c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
3. Select Options and set the rule to No Decrypt.
4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
5. Click OK to save the No-Decrypt-Finance-Health decryption rule.

Step 2
Place the decryption exclusion rule at the top of your decryption policy.
Decryption rules are enforced against incoming traffic in sequence, and the first rule to match the traffic is enforced; moving the No Decrypt rule to the top of the rule list ensures that traffic matched to the rule remains encrypted, even if the traffic would also match other decryption rules listed later.
On the Policies > Decryption page, select the policy No-Decrypt-Finance-Health, and click Move Up until it appears at the top of the list (or you can drag and drop the rule).

Step 3
Commit the configuration.

Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems. Only the server's certificate is needed for this exception, not its private key, because the firewall matches on the CN the server presents.
Exclude a Server from Decryption
Step 1
Import the targeted server certificate onto the firewall:
1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File.
4. Click OK.

Step 2
Select the targeted server certificate on the Device Certificates tab and enable it to be an SSL Exclude Certificate.
When the targeted server certificate is designated as an SSL Exclude Certificate, the firewall does not decrypt the server's traffic even if the traffic matches a decryption policy rule.
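The two exception mechanisms above (a No Decrypt rule that must sit above the Decrypt rule, and an SSL Exclude Certificate that overrides policy) are easy to get wrong in the rule base. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks: a small Python model of decryption policy evaluation that shows first-match ordering and the exclude-certificate override side by side. Rule names, zones, URL categories, common names and the sample sessions are constructed for illustration and are not captured traffic.

```python
"""Model of PAN-OS decryption policy evaluation (added illustration, not vendor code).

Shows (a) first-match ordering: a No Decrypt rule only protects traffic if it is
listed above the Decrypt rule that would otherwise match, and (b) an SSL Exclude
Certificate, matched on the server certificate CN, which bypasses policy entirely.
"""
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass
class DecryptionRule:
    name: str
    action: str                              # "decrypt" or "no-decrypt"
    rule_type: str = "ssl-forward-proxy"     # or ssl-inbound-inspection / ssh-proxy
    source_zones: frozenset = ANY
    dest_zones: frozenset = ANY
    url_categories: frozenset = ANY
    services: frozenset = ANY

    def matches(self, session: dict) -> bool:
        """A criterion matches when it is 'any' or contains the session's value."""
        def hit(criteria, value):
            return "any" in criteria or value in criteria
        return (hit(self.source_zones, session["src_zone"])
                and hit(self.dest_zones, session["dst_zone"])
                and hit(self.url_categories, session["url_category"])
                and hit(self.services, session["service"]))


def evaluate(policy, ssl_exclude_cns, session):
    """Return ('decrypt' | 'no-decrypt', reason) for one session."""
    # Exclude a Server from Decryption: checked on the certificate CN before any rule.
    if session["server_cn"] in ssl_exclude_cns:
        return ("no-decrypt", f"ssl-exclude-certificate:{session['server_cn']}")
    # Rules are compared in sequence; the first match is enforced, later rules ignored.
    for rule in policy:
        if rule.matches(session):
            return (rule.action, rule.name)
    return ("no-decrypt", "no-rule-matched")   # no match: traffic passes encrypted


# Constructed rules mirroring the worked example in the text.
NO_DECRYPT_FINANCE_HEALTH = DecryptionRule(
    name="No-Decrypt-Finance-Health", action="no-decrypt",
    url_categories=frozenset({"financial-services", "health-and-medicine"}))
DECRYPT_OUTBOUND = DecryptionRule(
    name="Decrypt-Outbound-Web", action="decrypt",
    source_zones=frozenset({"trust"}), dest_zones=frozenset({"untrust"}),
    services=frozenset({"service-https"}))

CORRECT_ORDER = [NO_DECRYPT_FINANCE_HEALTH, DECRYPT_OUTBOUND]   # exception on top
WRONG_ORDER = [DECRYPT_OUTBOUND, NO_DECRYPT_FINANCE_HEALTH]     # exception shadowed

# Constructed sessions (hypothetical hosts, not captured traffic).
SESSIONS = {
    "bank": {"src_zone": "trust", "dst_zone": "untrust", "service": "service-https",
             "url_category": "financial-services", "server_cn": "www.bank.example"},
    "news": {"src_zone": "trust", "dst_zone": "untrust", "service": "service-https",
             "url_category": "news", "server_cn": "www.news.example"},
    "hr":   {"src_zone": "trust", "dst_zone": "untrust", "service": "service-https",
             "url_category": "business-and-economy", "server_cn": "hr.corp.example"},
}
SSL_EXCLUDE_CNS = {"hr.corp.example"}   # certificate flagged as SSL Exclude Certificate


def decide_all(policy):
    """Evaluate every sample session against a policy; returns {name: (action, reason)}."""
    return {name: evaluate(policy, SSL_EXCLUDE_CNS, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, policy in (("exception first", CORRECT_ORDER), ("exception last", WRONG_ORDER)):
        print(label)
        for name, (action, why) in decide_all(policy).items():
            print(f"  {name:5} -> {action:10} ({why})")
```

Run it and compare the two orderings: with the exception on top, the bank session stays encrypted; with the exception below the broad Decrypt rule, the same session is decrypted because the Decrypt rule matched first and the No Decrypt rule was never consulted. The HR server is left alone in both orderings because the exclude certificate is checked before the policy.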

Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The response page is served inside the HTTPS session using a certificate the firewall signs with its forward trust certificate, so clients that do not yet trust that certificate will see a browser certificate warning before they ever reach the opt-out page.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.
Enable Users to Opt Out of SSL Decryption
Step 1
(Optional) Customize the SSL Decryption Opt-out Page.
1. Select Device > Response Pages.
2. Select the SSL Decryption Opt-out Page link.
3. Select the Predefined page and click Export.
4. Using the HTML text editor of your choice, edit the page.
5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
6. Add a line to the HTML to point to the image. For example:
<img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
8. Back on the firewall, select Device > Response Pages.
9. Select the SSL Decryption Opt-out Page link.
10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
11. (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
12. Click OK to import the file.
13. Select the response page you just imported and click Close.

Step 2
Enable SSL Decryption Opt Out.
1. On the Device > Response Pages page, click the Disabled link.
2. Select Enable SSL Opt-out Page and click OK.
3. Commit the changes.

Step 3
Verify that the Opt-out page displays when you attempt to browse to a site.
From a browser, go to an encrypted site that matches your decryption policy.
Verify that the SSL Decryption Opt-out response page displays.

Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Mirrored traffic leaves the firewall in cleartext, including any credentials and personal data the sessions carry, so connect the Decrypt Mirror interface directly to the collection or analysis device and nothing else, and treat that link and device as holding sensitive data.
Configure Decryption Port Mirroring
Step 1
Request a license for each firewall on which you want to enable decryption port mirroring.
1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
2. Select the entry for the firewall you want to license and select Actions.
3. Select Decryption Port Mirror. A legal notice displays.
4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
5. Click Activate.

Step 2
Install the Decryption Port Mirror license on the firewall.
1. From the firewall web interface, select Device > Licenses.
2. Click Retrieve license keys from license server.
3. Verify that the license has been activated on the firewall.
4. Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.

Step 3
Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
On a firewall with a single virtual system:
1. Select Device > Setup > Content-ID.
2. Select the Allow forwarding of decrypted content check box.
3. Click OK to save.
On a firewall with multiple virtual systems:
1. Select Device > Virtual Systems.
2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
3. Select the Allow forwarding of decrypted content check box.
4. Click OK to save.

Step 4
Enable an Ethernet interface to be used for decryption mirroring.
1. Select Network > Interfaces > Ethernet.
2. Select the Ethernet interface that you want to configure for decryption port mirroring.
3. Select Decrypt Mirror as the Interface Type. This interface type appears only if the Decryption Port Mirror license is installed.
4. Click OK to save.

Step 5
Enable mirroring of decrypted traffic.
1. Select Objects > Decryption Profile.
2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type Decrypt Mirror.
3. Specify whether to mirror decrypted traffic before or after policy enforcement. By default, the firewall mirrors all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to mirror decrypted traffic only after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
4. Click OK to save the decryption profile.

Step 6
Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
1. Select Policies > Decryption.
2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
3. In the Options tab, select Decrypt and the Decryption Profile created in Step 5.
4. Click OK to save the policy.

Step 7
Save the configuration.
Click Commit.

Temporarily Disable SSL Decryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following operational CLI command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot. Bear in mind that while decryption is skipped the firewall cannot inspect the content of any session that your decryption policy would otherwise decrypt, so keep the window short and re-enable decryption explicitly when you are done rather than relying on a reboot to restore it. To check the current state, run show system setting ssl-decrypt setting.
Temporarily Disable SSL Decryption
Disable SSL Decryption
set system setting ssl-decrypt skip-ssl-decrypt yes
Re-enable SSL Decryption
set system setting ssl-decrypt skip-ssl-decrypt no
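The two CLI commands above are typed into an SSH session; during an incident it is often more practical to drive the same toggle from a runbook script so that the re-enable step cannot be forgotten. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks, that sends the command through the firewall's XML API. Assumptions the page does not state: that the op-command XML is the CLI word hierarchy rendered as nested elements (confirm on your own firewall with debug cli on, which prints the XML behind each CLI command), that the caller supplies a valid API key, and that ca_bundle holds the CA that signed the management interface certificate. The host name fw.example and the key value used in the usage line are placeholders.

```python
"""Toggle 'skip-ssl-decrypt' on a PAN-OS firewall through the XML API.

Added illustration, not vendor code. The op-command XML below is assumed to mirror
the CLI word order ('set system setting ssl-decrypt skip-ssl-decrypt yes|no');
verify the exact XML on your firewall with 'debug cli on' before relying on it.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def skip_decrypt_cmd(skip: bool) -> str:
    """The CLI command as op-command XML (assumed nesting, see module docstring)."""
    value = "yes" if skip else "no"
    return ("<set><system><setting><ssl-decrypt>"
            f"<skip-ssl-decrypt>{value}</skip-ssl-decrypt>"
            "</ssl-decrypt></setting></system></set>")


def build_request(host: str, api_key: str, skip: bool):
    """Return (url, body) for a POST to /api/. type=op runs an operational command:
    like the CLI version it needs no commit and is lost on reboot. The key travels
    in the POST body rather than the query string so it does not end up in proxy
    or web-server logs."""
    body = urllib.parse.urlencode(
        {"type": "op", "cmd": skip_decrypt_cmd(skip), "key": api_key}).encode()
    return f"https://{host}/api/", body


def parse_response(xml_text: str) -> str:
    """Return the status attribute of the firewall's reply; raise on anything other
    than success so a failed re-enable cannot go unnoticed in a script."""
    root = ET.fromstring(xml_text)
    status = root.get("status")
    if status != "success":
        detail = root.findtext(".//msg") or root.findtext(".//line") or xml_text
        raise RuntimeError(f"firewall returned status={status!r}: {detail}")
    return status


def set_skip_decrypt(host: str, api_key: str, skip: bool, ca_bundle: str) -> str:
    """Send the command. The management certificate is verified against ca_bundle;
    do not disable verification on the very device that inspects your TLS."""
    url, body = build_request(host, api_key, skip)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import sys
    # Usage: python toggle_decrypt.py fw.example <api-key> ca_bundle.pem off|on
    # "off" skips decryption for troubleshooting; "on" restores it afterwards.
    host, key, bundle, mode = sys.argv[1:5]
    print(set_skip_decrypt(host, key, skip=(mode == "off"), ca_bundle=bundle))
```

Because parse_response raises on any non-success status, a runbook that calls the script twice (off, then on) fails loudly if the restore step is rejected, for example because the API key expired in between.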
