How to Enable/Reset the Opt-Out Page for SSL Decryption
Resolution
Overview
This document describes how to enable the opt-out response page to notify users when traffic is inspected or decrypted. The opt-out page can be enabled from the CLI or on the PAN-OS Web GUI. When enabled, the response page below displays once every 24 hours when user traffic is being inspected or decrypted.
Note: Edit the response page at Device > Response Pages > SSL Decryption Opt-Out Page.
Steps
From the CLI
Run the following commands to enable the opt-out page:
- > configure
- # set deviceconfig setting ssl-decrypt notify-user yes
- # commit
From the PAN-OS Web GUI
On PAN-OS 6.1, 7.0, 7.1, 8.0:
- Go to Device > Response Pages.
- Click 'Disabled' for SSL Decryption Opt-out Page.
- On the SSL Opt-out Page dialog, check Enable SSL Opt-out Page and Click OK.
- Commit the Changes.
To verify the setting, run the following CLI command:
> show system setting ssl-decrypt setting
vsys : vsys1
Forward Proxy Ready : yes
Inbound Proxy Ready : no
Disable ssl : no
Disable ssl-decrypt : no
Notify user : yes
Proxy for URL : yes
Wait for URL : no
Block revoked Cert : yes
Block timeout Cert : no
Block unknown Cert : no
Cert Status Query Timeout : 5
URL Category Query Timeout : 5
Use Cert Cache : yes
Verify CRL : no
Verify OCSP : no
CRL Status receive Timeout : 5
OCSP Status receive Timeout : 5
Command to display the the contents of the cache:
> show system setting ssl-decrypt notify-cache
Command to reset the cache so the user can be presented with the opt-out page:
> debug dataplane reset ssl-decrypt notify-cache
+ source source IP address
<Enter> Finish input
owner: sraghunandan