Tips & Tricks: Cipher suite enforcement in decryption rules

Created On 09/25/18 18:59 PM - Last Modified 06/13/23 02:57 AM


Resolution


Would you like to have more control over which protocols or algorithms to support and allow? A feature introduced in PAN-OS 7.0 adds the ability to enforce cipher suites and/or protocols as part of the decryption profile. It also adds the option to block expired certificates or server certificates with untrusted issuers without doing SSL decryption.

 

Decryption profiles are configured in the Objects tab > Decryption profile.

 

If the user does not create a custom decryption profile, then we fall back to the 'default' profile. This profile is applied to all decryption sessions that do not have a custom profile applied to them. In the screenshot, you will see the values that are configured on the default profile. The values of this default profile cannot be changed:

 

default.png

 

You can, however, create a custom profile as shown in the example below:

 

  1. Go to the Objects tab
  2. Go to Decryption Profile
  3. Click Add
  4. Go to the SSL Decryption tab
  5. Go to the SSL Protocol Settings

 

custom_profile.png

 

In the profile, you can see the supported Encryption Algorithms and supported Authentication Algorithms. Notice that you can also select the minimum and maximum protocol versions.

 

Some examples:

 

  • Enforce RC4 stream cipher

RC4.png

 

Using the above configuration, the firewall will modify the Client Hello to include only the RC4 cipher:

 

client_hello.png

 

RC4-2.png

 

If the server supports RC4, you can then confirm in your browser that the connection is effectively using RC4 as the encryption algorithm:

 

RC4-3.png

 

  • Block all sessions with a protocol version less than TLS 1.2:

 

 

By selecting the minimum version of TLSv1.2 you will immediately notice that certain Encryption Algorithms are disabled (3DES and RC4) as is the Authentication Algorithm MD5.

 

Also, in this case, you will see that the firewall modifies the Client Hello to include only the TLSv1.2 version and ciphers:

 

tlsversions.png

 

tls12-2.png

 

Once again, your browser will confirm that you are now using TLSv1.2:

 

browserTLS.png 

 

What if the server does not support TLSv1.2?

 

In that case, the server will reply with a handshake failure message, as seen below:

 

handshake_failure.png

 

In our example, we did not configure the profile to block unsupported protocol versions. Therefore, the firewall will insert this session into the exclude cache:

 

> show system setting ssl-decrypt exclude-cache

VSYS  SERVER            APP  TIMEOUT  REASON           DECRYPTED_APP  PROFILE
1     10.193.91.71:443  ssl  43183    SSL_UNSUPPORTED  undecided      Custom Profile

 

The client will try to connect again. This second time, the connection will match the exclude cache and the session passes through the firewall without decryption:

 

not_decrypted.png

 

In order to block the above connection, you should configure the option 'Block session with unsupported versions' in the profile.
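
As an added example (not part of the original article and not Palo Alto Networks code), the following Python script parses saved output of the exclude-cache command above and lists, per decryption profile, the servers that are currently passing through undecrypted because of SSL_UNSUPPORTED. It assumes the column layout shown in the article; the extra sample rows and the reason EXAMPLE_OTHER_REASON are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample of `show system setting ssl-decrypt exclude-cache` output.
# The first data row is the one shown in the article; the other rows are made
# up, and EXAMPLE_OTHER_REASON is a placeholder, not a real PAN-OS reason value.
SAMPLE = """\
VSYS SERVER APP TIMEOUT REASON DECRYPTED_APP PROFILE
1 10.193.91.71:443 ssl 43183 SSL_UNSUPPORTED undecided Custom Profile
1 192.0.2.10:443 ssl 120 SSL_UNSUPPORTED undecided Custom Profile
1 192.0.2.25:8443 ssl 900 EXAMPLE_OTHER_REASON undecided default
"""


@dataclass
class CacheEntry:
    vsys: str
    server: str
    app: str
    timeout: int        # TIMEOUT column, as printed by the firewall
    reason: str
    decrypted_app: str
    profile: str        # may contain spaces, e.g. "Custom Profile"


def parse_exclude_cache(text):
    """Parse the table, skipping the CLI prompt, header and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 6)  # 7th field keeps the profile name whole
        if len(fields) < 7 or fields[0] == "VSYS" or not fields[3].isdigit():
            continue
        vsys, server, app, timeout, reason, dapp, profile = fields
        entries.append(CacheEntry(vsys, server, app, int(timeout), reason,
                                  dapp, profile.strip()))
    return entries


def undecrypted_by_profile(entries, reason="SSL_UNSUPPORTED"):
    """Group servers excluded from decryption for `reason` by profile name."""
    result = {}
    for entry in entries:
        if entry.reason == reason:
            result.setdefault(entry.profile, []).append(entry.server)
    return result


if __name__ == "__main__":
    grouped = undecrypted_by_profile(parse_exclude_cache(SAMPLE))
    for profile, servers in grouped.items():
        print(f"{profile}: {len(servers)} server(s) not decrypted: {servers}")
```

Any profile that appears in the result is a candidate for the 'Block session with unsupported versions' option described above.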

 

  • Block all SSL sessions that present an untrusted server certificate, without enabling decryption

In this example, select 'Block sessions with untrusted issuers' under the 'No Decryption' tab, then apply the decryption profile to a decryption rule with the 'no-decrypt' action:

 

untrusted.png

 

Note that these blocked sessions will not show up in the traffic logs.  You will see this in the session info:

 

> show session id 25350
Session 25350
c2s flow:
source: 172.19.73.64 [trust-l3]
dst: 10.193.91.71
proto: 6
sport: 61457 dport: 443
state: DISCARD type: FLOW
s2c flow:
source: 10.193.91.71 [untrust-l3]
dst: 10.193.91.73
proto: 6
sport: 443 dport: 18929
state: DISCARD type: FLOW
start time : Tue Mar 3 15:30:48 2016
......
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny

 

Please leave a comment or a like if you've found this information helpful.

 

Cheers!

Kim


