How to Implement and Test SSL Decryption
PAN-OS can decrypt and inspect inbound and outbound SSL connections going through a Palo Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2, or Layer 3 mode by using the SSL rule base to configure which traffic to decrypt. In particular, decryption can be based upon URL categories, source users, and source/destination IP addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking, or data filtering. Decrypted traffic can also be sent off the device by using a Decryption Port mirror (see Configure Decryption Port Mirroring).
- Palo Alto Firewalls.
- Any PAN-OS.
- SSL Decryption.
Inbound SSL Decryption
In the case of inbound traffic to an internal web server or device, the administrator imports a copy of the protected server’s certificate and private key. When the SSL server certificate is loaded on the firewall and an SSL decryption policy is configured for the inbound traffic, the device then decrypts and reads the traffic as it is forwarded. No changes are made to the packet data, and the secure channel is from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel.
Outbound SSL Decryption (SSL Forward Proxy)
In this case, the firewall proxies outbound SSL connections by intercepting outbound SSL requests and generating a certificate on the fly for the site that the user wants to visit. The validity date on the PA-generated certificate is taken from the validity date on the real server certificate.
The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall’s certificate is not part of an existing hierarchy or is not added to a client’s browser cache, then the client receives a warning when browsing to a secure website. If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall, then the decryption certificate is using a second “untrusted” Certificate Authority (CA) key to ensure the user is warned of any subsequent man-in-the-middle attacks.
For a list of resources about SSL Decryption, please refer to the following Knowledge article:
SSL Decryption Quick Reference - Resources
For more information on supported Cipher Suites for SSL Decryption, please refer to the following: