created by nrice on Apr 17, 2010 3:39 PM, last modified by panagent on Mar 13, 2015 12:40 PM
Overview
PAN-OS can decrypt and inspect SSL connections passing through the firewall. Both inbound and
outbound SSL connections can be decrypted and inspected. SSL decryption can occur on interfaces in virtual
wire or Layer 3 mode. The SSL decryption rulebase is used to configure which traffic to decrypt. In particular, decryption can
be based on URL category as well as source user and source/destination address. Once traffic is decrypted,
tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL
filtering, file blocking and data filtering. Note that decrypted traffic is never sent off the device.
Step 1: Configure the firewall to handle traffic and place it in the network
This document assumes that the Palo Alto Networks firewall is already configured with working interfaces (Virtual
Wire or Layer 3), zones and security policy, and is already passing traffic.
https://live.paloaltonetworks.com/docs/DOC-1412 Page 1 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM
In the firewall GUI, go to Device > Certificates. Load or generate a certificate for either inbound inspection or for
outbound (forward proxy) inspection. Inbound inspection needs the server's own certificate and private key; outbound inspection needs a CA certificate (self-signed, or a subordinate CA issued by your enterprise CA) that the firewall uses to re-sign server certificates on the fly.
See the screenshot below showing how the "Forward Trust" and "Forward Untrust" certificate
NOTE: If a self-signed CA is used, the public CA certificate will need to be exported from the firewall and
installed as a Trusted Root CA in each machine's browser (or operating-system certificate store) to avoid untrusted-certificate error messages in
the browser. Normally network administrators use GPO to push this certificate to each
workstation. Export only the certificate, never the private key: the key stays on the firewall, and anyone who obtains it can impersonate any HTTPS site to every client that trusts the CA.
Examples of the browser errors seen if the self-signed CA certificate is not trusted:
The user can be notified that their SSL connection is going to be decrypted using the response page found
on the Device tab > Response Pages screen. Click "Disabled", check the "Enable SSL Opt-out
Page" option and click OK.
This page can be exported, edited via an html editor, and imported to give company-specific information.
Here is an example of the default page:
Step 5: Testing
To test outbound decryption:
Make sure that in the outbound security policy, the Antivirus profile action is to alert for any viruses found, and enable packet
capture on that Antivirus security profile. Commit the changes.
On a PC on the inside of the firewall, go to www.eicar.org. In the top right-hand corner:
Go to the Monitor tab > Threat log and look for the log entry that detected the EICAR file.
Click the green down arrow in the left-hand column. This brings up a view of the packets that were
captured.
Also, click the magnifying glass in the far left column to see the log detail.
Scroll to the bottom and look for the Decrypted field. For this plain HTTP download the session was not decrypted:
Go back to the www.eicar.org downloads page. This time download the test virus over HTTPS.
Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. A
log entry showing EICAR detected in web-browsing on port 443 will be visible.
View the packet capture (optional) by clicking the green down arrow.
To the left of that log entry, click the magnifying glass. Scroll to the bottom and look for the
Decrypted field; it should now be checked:
To test the no-decrypt rule, first determine which URLs fall into the financial-services, shopping, or health-and-medicine
categories. For BrightCloud, go to http://www.brightcloud.com/testasite.aspx; for PAN-DB, use Palo
Alto Networks URL Filtering - Test A Site, and enter a URL to see its category.
Once web sites classified into categories that will NOT be decrypted are found, use a browser to go to
those sites over HTTPS. There should be no certificate error, and the web pages will be
displayed properly. Traffic logs will show those sessions with application ssl over port 443, as expected. A quick client-side check: the certificate the browser shows for such a site should be issued by the site's real public CA, not by the firewall's Forward Trust CA; if the issuer is the firewall CA, the session was decrypted and the no-decrypt rule did not match.
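The two tests above (EICAR over HTTPS should be decrypted, a financial-services site should not) both come down to one observable on the client: who issued the leaf certificate the client received. The following is an added example, not code from the original article or from Palo Alto Networks, that makes that check scriptable. The CA names FORWARD_TRUST_CN and FORWARD_UNTRUST_CN are assumptions (the page only shows that the untrust CA's subject is the firewall IP 172.16.77.1), and the two sample certificates are constructed in the shape that Python's ssl.getpeercert() returns so the classification can be exercised offline.

```python
"""Client-side check: is this HTTPS session being decrypted by the firewall's forward proxy?"""
import socket
import ssl

# Assumed CA names (not from the page): the subject CNs of the firewall's
# Forward Trust and Forward Untrust CAs. Adjust to match your exported CA certs.
FORWARD_TRUST_CN = "fw-forward-trust"
FORWARD_UNTRUST_CN = "172.16.77.1"


def issuer_cn(cert):
    """Pull commonName out of the 'issuer' tuple-of-RDNs that ssl.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, trust_cn=FORWARD_TRUST_CN, untrust_cn=FORWARD_UNTRUST_CN):
    """Decide from the leaf certificate's issuer whether the firewall decrypted the session."""
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"            # no issuer data (an unverified handshake returns {})
    if cn == trust_cn:
        return "decrypted"          # firewall re-signed the leaf with its Forward Trust CA
    if cn == untrust_cn:
        return "decrypted-untrust"  # decrypted, but the real server cert failed validation
    return "not-decrypted"          # leaf issued by the site's own CA: no-decrypt rule matched


def probe(host, port=443, fw_ca_pem=None, timeout=5):
    """Connect to host and classify the live leaf certificate.

    fw_ca_pem is the path to the CA certificate(s) exported from the firewall; loading
    them lets the handshake succeed for decrypted sessions so the issuer can be read.
    """
    ctx = ssl.create_default_context()
    if fw_ca_pem:
        ctx.load_verify_locations(cafile=fw_ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # The leaf was signed by a CA this client does not trust: the firewall CA has
        # not been pushed to this machine yet, or something else is intercepting TLS.
        return "untrusted-issuer"


# Constructed sample certificates (not real captures), in getpeercert() shape.
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "www.eicar.org"),),),
    "issuer": ((("commonName", FORWARD_TRUST_CN),),),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root"),)),
}

if __name__ == "__main__":
    import sys
    # Usage: python check_decrypt.py www.eicar.org www.example-bank.test
    for target in sys.argv[1:]:
        print(target, probe(target, fw_ca_pem=None))
```

Run it from a PC behind the firewall with the exported CA passed as fw_ca_pem. An EICAR download host should come back "decrypted" and a site in a no-decrypt category "not-decrypted"; "untrusted-issuer" on a site you expect to be decrypted means the client does not yet trust the firewall CA, which is exactly the browser-error condition described in the NOTE above.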
Appendix A
Helpful CLI Commands
To see how many SSL decryption sessions are going through the device at this moment:
> debug dataplane pool statistics | match Proxy
Here is output from a PA-2050. The pool line is shown as free/total: the pool holds 1024 proxy sessions
in total, 1019 are free, so 1024 - 1019 = 5 SSL sessions are currently being decrypted:
admin@test> debug dataplane pool statistics | match Proxy
[18] Proxy session : 1019/1024 0x7f00723f1ee0
The following is the maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0 and
6.1 (both directions combined):
Hardware    SSL Decrypted Session Limit
VM-100      1,024 sessions
VM-200      1,024 sessions
VM-300      1,024 sessions
PA-200      1,024 sessions
PA-500      1,024 sessions
PA-2020     1,024 sessions
PA-2050     1,024 sessions
PA-4020     7,936 sessions
PA-4050     23,808 sessions
PA-4060     23,808 sessions
PA-5020     15,872 sessions
PA-5050     47,616 sessions
PA-5060     90,112 sessions
If the limit is reached, all new SSL sessions pass through undecrypted (the device fails open). To instead drop any new SSL sessions
beyond the session limit of the device (fail closed), set the following in configure mode and commit:
> set deviceconfig setting ssl-decrypt deny-setup-failure yes
To check whether any sessions are hitting the limit of the device (a non-zero, increasing value means new sessions are already bypassing decryption, or being dropped if deny-setup-failure is set):
> show counter global name proxy_flow_alloc_failure
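Watching the pool line and the allocation-failure counter by hand does not scale, and the page's 1024 - 1019 = 5 arithmetic is easy to get backwards (the first number is free, not used). The following is an added example, not code from the original article or from Palo Alto Networks, that parses both outputs and turns them into a status. The pool sample copies the PA-2050 line shown above; the counter sample is constructed to approximate the column layout of `show counter global`, and treating an absent counter as zero is an assumption.

```python
"""Turn PAN-OS proxy-session pool output and the alloc-failure counter into a capacity status."""
import re

# Constructed samples (not real captures, apart from the first pool line, which is
# the PA-2050 output quoted on the page).
POOL_OUTPUT = "[18] Proxy session : 1019/1024 0x7f00723f1ee0\n"
POOL_OUTPUT_FULL = "[18] Proxy session : 0/1024 0x7f00723f1ee0\n"
COUNTER_OUTPUT_OK = ""  # assumption: a counter that never incremented is not listed
COUNTER_OUTPUT_FAIL = (
    "name                      value  rate severity category aspect  description\n"
    "proxy_flow_alloc_failure     37     2 warn     proxy    pktproc Proxy flow alloc failure\n"
)

POOL_RE = re.compile(r"Proxy session\s*:\s*(\d+)/(\d+)")


def parse_proxy_pool(text):
    """Return (free, total) from the 'Proxy session' pool line. The first number is FREE entries."""
    m = POOL_RE.search(text)
    if not m:
        raise ValueError("no 'Proxy session' pool line found")
    return int(m.group(1)), int(m.group(2))


def sessions_in_use(text):
    """Sessions currently being decrypted: total minus free (1024 - 1019 = 5 for the page's sample)."""
    free, total = parse_proxy_pool(text)
    return total - free


def parse_counter(text, name="proxy_flow_alloc_failure"):
    """Return the named global counter's value; 0 if the counter is not listed (assumption)."""
    m = re.search(rf"^{re.escape(name)}\s+(\d+)", text, re.M)
    return int(m.group(1)) if m else 0


def assess(pool_text, counter_text, warn_pct=80):
    """Combine pool utilisation and alloc failures into ok / warning / limit-hit."""
    free, total = parse_proxy_pool(pool_text)
    used = total - free
    pct = 100.0 * used / total
    failures = parse_counter(counter_text)
    if failures > 0:
        status = "limit-hit"     # new SSL sessions are bypassing decryption (or being dropped)
    elif pct >= warn_pct:
        status = "warning"       # approaching the platform's decrypted-session limit
    else:
        status = "ok"
    return {"used": used, "free": free, "total": total,
            "percent": round(pct, 1), "alloc_failures": failures, "status": status}


if __name__ == "__main__":
    # Usage: feed the two CLI outputs captured from the firewall (e.g. via an SSH session).
    print(assess(POOL_OUTPUT, COUNTER_OUTPUT_OK))
    print(assess(POOL_OUTPUT_FULL, COUNTER_OUTPUT_FAIL))
```

The warning threshold matters more than the limit itself: once the pool is exhausted the firewall silently falls back to passing SSL through undecrypted unless deny-setup-failure is set, so a "warning" is the last point at which the bypass can be prevented by trimming the decryption rulebase or moving to a larger platform.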
Example certificate entry from the firewall's SSL decryption certificate display (the CLI command that produced this output is not shown on the page). This is the "global untrusted" (Forward Untrust) entry: subject and issuer are identical and the basic-constraints CA flag is set, so it is a self-signed CA named after the firewall's IP address, 172.16.77.1, with a 2048-bit RSA key. The valid field is in YYMMDDHHMMSSZ (UTC) format, here 2015-03-10 21:02:36 to 2021-05-22 21:02:36:
global untrusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7 ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1
vsys : vsys1
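A Forward Trust or Forward Untrust CA that expires, or that was generated with a short key, breaks every decrypted site at once, so the certificate display above is worth checking mechanically. The following is an added example, not code from the original article or from Palo Alto Networks: it parses the display fragment quoted above and reports whether the entry is a CA, whether it is self-signed, and whether it is valid at a given time. The 30-day expiry warning and the 2048-bit minimum are this example's own thresholds.

```python
"""Parse a PAN-OS SSL decryption certificate display entry and sanity-check the CA."""
import re
from datetime import datetime

# The Forward Untrust entry exactly as quoted on the page.
CERT_DISPLAY = """\
global untrusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7 ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1
vsys : vsys1
"""


def _utc(stamp):
    """Decode the YYMMDDHHMMSSZ (ASN.1 UTCTime) validity stamps."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ")


def parse_cert_display(text):
    """Extract role, names, validity window, key size and CA flag from one display entry."""
    valid = re.search(r"^valid\s+(\d{12}Z)\s+--\s+(\d{12}Z)", text, re.M)
    if not valid:
        raise ValueError("no 'valid' line found")
    return {
        "role": re.match(r"global (\w+)", text).group(1),       # 'trusted' or 'untrusted'
        "subject": re.search(r"^subject:\s*(.+)$", text, re.M).group(1).strip(),
        "issuer": re.search(r"^issuer:\s*(.+)$", text, re.M).group(1).strip(),
        "not_before": _utc(valid.group(1)),
        "not_after": _utc(valid.group(2)),
        "key_bits": int(re.search(r"rsa key size\s+(\d+)", text).group(1)),
        "is_ca": re.search(r"basic constraints extension CA 1", text) is not None,
    }


def is_self_signed_ca(info):
    """True when the entry is a CA whose subject equals its issuer (a firewall-generated root)."""
    return info["is_ca"] and info["subject"] == info["issuer"]


def is_valid_at(info, when):
    return info["not_before"] <= when <= info["not_after"]


def days_remaining(info, when):
    return (info["not_after"] - when).days


def check(info, when, min_key_bits=2048, warn_days=30):
    """Return a list of problems (empty means the CA entry looks usable at 'when')."""
    problems = []
    if not info["is_ca"]:
        problems.append("certificate is not a CA; it cannot re-sign server certificates")
    if not is_valid_at(info, when):
        problems.append("outside validity window")
    elif days_remaining(info, when) < warn_days:
        problems.append(f"expires within {warn_days} days")
    if info["key_bits"] < min_key_bits:
        problems.append(f"RSA key shorter than {min_key_bits} bits")
    return problems


if __name__ == "__main__":
    info = parse_cert_display(CERT_DISPLAY)
    print(info["role"], info["subject"], "self-signed CA:", is_self_signed_ca(info))
    print("problems now:", check(info, datetime.utcnow()))
```

Note that a subordinate CA issued by an enterprise PKI will have subject and issuer that differ, which is fine; check() only insists on the CA flag, and is_self_signed_ca() is informational.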
For more information on supported Cipher Suites for SSL Decryption, please see:
Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites
Limitations and Recommendations While Implementing SSL Decryption
How to Identify Root Cause for SSL Decryption Failure Issues
NOTE: If you think anything else needs to be added to this document, please comment below.
owner: jdelio