How to Enable/Reset the Opt-Out Page for SSL Decryption

Created On 09/25/18 17:52 PM - Last Modified 07/19/22 23:07 PM


Resolution


Overview

This document describes how to enable the opt-out response page, which notifies users when their traffic is inspected or decrypted. The opt-out page can be enabled from the CLI or from the PAN-OS Web GUI. When enabled, the response page displays once every 24 hours when user traffic is being inspected or decrypted.

Note: Edit the response page at Device > Response Pages > SSL Decryption Opt-Out Page.

 

Steps

From the CLI

Run the following commands to enable the opt-out page:

  1. > configure
  2. # set deviceconfig setting ssl-decrypt notify-user yes
  3. # commit

 

From the PAN-OS Web GUI

On PAN-OS 6.1, 7.0, 7.1, 8.0:

  1. Go to Device > Response Pages.
  2. Click 'Disabled' for SSL Decryption Opt-out Page.
  3. On the SSL Opt-out Page dialog, check Enable SSL Opt-out Page and click OK.
  4. Commit the changes.

 

To verify the setting, run the following CLI command:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : no
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : yes

Proxy for URL                 : yes
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : no
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5
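
To check this setting across saved CLI captures, the output above can be parsed per vsys. The following is an added example, not part of the original article or a Palo Alto Networks tool; the function names are hypothetical, the second block (vsys2) in the sample is constructed, and it assumes that on multi-vsys systems the output repeats one block per "vsys" line.

```python
import re

# Constructed sample: the vsys1 lines are taken from the output shown above;
# the vsys2 block is constructed to show a vsys with the notice disabled.
SAMPLE = """\
> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Disable ssl-decrypt           : no
Notify user                   : yes

Proxy for URL                 : yes
Wait for URL                  : no

vsys                          : vsys2
Forward Proxy Ready           : yes
Disable ssl-decrypt           : no
Notify user                   : no
"""

# "Key with spaces   : value" lines; prompts and blank lines do not match.
LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_ssl_decrypt_settings(text):
    """Return {vsys_name: {setting: value}} from captured CLI output."""
    result, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank separator inside a block, or the command echo
        key, value = m.group("key"), m.group("value")
        if key == "vsys":
            current = result.setdefault(value, {})  # start of a new block
        elif current is not None:
            current[key] = value
    return result


def vsys_without_notice(text):
    """List vsys names whose 'Notify user' value is missing or not 'yes'."""
    settings = parse_ssl_decrypt_settings(text)
    return [name for name, s in settings.items()
            if s.get("Notify user", "").lower() != "yes"]


if __name__ == "__main__":
    print(vsys_without_notice(SAMPLE))
```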

 

Command to display the contents of the cache:

> show system setting ssl-decrypt notify-cache

 

Command to reset the cache so the user can be presented with the opt-out page:

> debug dataplane reset ssl-decrypt notify-cache

+ source   source IP address

  <Enter>  Finish input

 

owner: sraghunandan


