Tips & Tricks: Cipher suite enforcement in decryption rules
Would you like to have more control over which protocols or algorithms to support and allow? A feature introduced in PAN-OS 7.0 adds the ability to enforce cipher suites and/or protocols as part of the decryption profile. It also adds the option to block expired certificates or server certificates with untrusted issuers without doing SSL decryption.
Decryption profiles are configured in the Objects tab > Decryption profile.
If the user does not create a custom decrpytion profile, then we fall back to the 'default' profile. This profile will be applied to all decryption sessions that do not have a custom profile applied to them. In the screenshot, you will see the values that are configured on the default profile. The values of this default profile cannot be changed:
You can, however, create a custom profile as show in the example below
- Go to the objects tab
- Go to Decryption Profile
- Click Add
- Go to the SSL Decryption tab
- Go to the SSL Protocol Settings
In the profile, you can see the supported Encryption Algorithms and supported Authentication Algorithms. Notice that you can also select the minimum and maximum version of the protocol versions.
- Enforce RC4 stream cipher
Using the above configuration, the firewall will modify the Client Hello to include only the RC4 cipher:
If the server then supports RC4, you can then confirm in your browser that the connection is effectively using RC4 as the encryption algorithm:
- Block all sessions with a protocol version less that TLS 1.2 :
By selecting the minimum version of TLSv1.2 you will immediately notice that certain Encryption Algorithms are disabled (3DES and RC4) as is the Authentication Algorithm MD5.
Also, in this case, you will see that the firewall modifies the Client Hello to include only TLSv1.2 version and ciphers:
Once again your browser will confirm that you are now using TLSv1.2 :
What if the server does not support TLSv1.2?
>> In that case, the server will reply with a handshake failure message as seen below :
In our example, we did not configure to block unsupported protocol versions. Therefore the firewall will insert this session into the exclude cache:
> show system setting ssl-decrypt exclude-cache
VSYS SERVER APP TIMEOUT REASON DECRYPTED_APP PROFILE
1 10.193.91.71:443 ssl 43183 SSL_UNSUPPORTED undecided Custom Profile
The client will try to connect again. This second time, the connection will match the exclude cache and the session passes through the firewall without decryption:
In order to block the above connection, you should configure the option 'Block session with unsupported versions' in the profile.
- Block all SSL sessions which contain untrusted Server certificate without enabling decryption
In this example, select 'Block sessions with untrusted issuers' under the 'No Decryption' tab, then apply the decryption profile to a decryption rule with the 'no-decrypt' action:
Note that these blocked sessions will not show up in the traffic logs. You will see this in the session info:
> show session id 25350
source: 172.19.73.64 [trust-l3]
sport: 61457 dport: 443
state: DISCARD type: FLOW
source: 10.193.91.71 [untrust-l3]
sport: 443 dport: 18929
state: DISCARD type: FLOW
start time : Tue Mar 3 15:30:48 2016
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
Please leave a comment or a like if you've found this information helpful.