Palo Alto Networks Knowledgebase: Limitations and Recommendations While Implementing SSL Decryption

Limitations and Recommendations While Implementing SSL Decryption

Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:57 PM

Details

SSL Decryption will not work or take effect under the following scenarios:


Limitations

  1. Forward proxy decryption does not work with mutual authentication
    1. The server expects the user's certificate to be presented during the handshake, and the Palo Alto Networks firewall does not have access to the user's private key and certificate
  2. The content cannot be decrypted when unsupported protocols or ciphers are used
    1. TLS 1.2 cannot be decrypted before PAN-OS 6.0
    2. Before PAN-OS 6.0, TLS 1.2 sessions were downgraded to TLS 1.1
    3. The following cipher suite is not supported for decryption: AES128-GCM-SHA256
       Note: AES128-GCM-SHA256 is supported in PAN-OS 7.1 and above.
    4. Firewalls do not decrypt sessions where Diffie-Hellman key exchange is used for Forward Proxy Decryption in PAN-OS 7.1 and earlier releases
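The limitations above can be checked against a server's first handshake flight before a decryption policy is rolled out: a CertificateRequest message means mutual authentication (limitation 1), and the ServerHello carries the negotiated protocol version and cipher suite (limitation 2). The script below is an added example, not code from this article or from any Palo Alto Networks product. It parses constructed TLS records (sample bytes built inline) and reports which of the article's limitations would prevent decryption for a given PAN-OS release. The version tuple format, the cipher-name table and the choice to treat ECDHE suites as Diffie-Hellman key exchange are assumptions made for the example.

```python
import struct

# IANA cipher suite IDs mapped to OpenSSL-style names (only the suites used here).
CIPHER_NAMES = {
    0x002F: "AES128-SHA",
    0x009C: "AES128-GCM-SHA256",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
}
TLS12 = 0x0303

RECORD_HANDSHAKE = 0x16
HS_SERVER_HELLO = 2
HS_CERTIFICATE_REQUEST = 13


def parse_server_flight(data):
    """Walk the TLS records of the server's first flight.

    Returns the ServerHello version and cipher suite, and whether the server
    sent a CertificateRequest (i.e. it expects a client certificate).
    """
    info = {"version": None, "cipher_suite": None, "client_cert_requested": False}
    pos = 0
    while pos + 5 <= len(data):
        ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if ctype != RECORD_HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(body):
            htype = body[hpos]
            hlen = int.from_bytes(body[hpos + 1:hpos + 4], "big")
            hbody = body[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype == HS_SERVER_HELLO:
                # ServerHello: version(2) random(32) session_id_len(1) session_id cipher(2)
                info["version"] = struct.unpack("!H", hbody[:2])[0]
                sid_len = hbody[34]
                off = 35 + sid_len
                info["cipher_suite"] = struct.unpack("!H", hbody[off:off + 2])[0]
            elif htype == HS_CERTIFICATE_REQUEST:
                info["client_cert_requested"] = True
    return info


def decryption_blockers(info, panos_version):
    """Apply the article's limitations; panos_version is a (major, minor) tuple (assumed format)."""
    reasons = []
    suite = info["cipher_suite"]
    name = CIPHER_NAMES.get(suite, "0x%04X" % (suite or 0))
    if info["client_cert_requested"]:
        reasons.append("server requested a client certificate (mutual authentication)")
    if info["version"] == TLS12 and panos_version < (6, 0):
        reasons.append("TLS 1.2 cannot be decrypted before PAN-OS 6.0")
    if name == "AES128-GCM-SHA256" and panos_version < (7, 1):
        reasons.append("AES128-GCM-SHA256 is only supported from PAN-OS 7.1")
    # Assumption: ECDHE is treated the same as DHE for the Diffie-Hellman limitation.
    if name.startswith(("DHE-", "ECDHE-")) and panos_version <= (7, 1):
        reasons.append("Diffie-Hellman key exchange is not decrypted in PAN-OS 7.1 and earlier")
    return reasons


# --- constructed sample flights (not real captures) ---
def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(payload, version=TLS12):
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(payload)) + payload


def _server_hello(version, cipher_suite):
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # zero random, empty session id
    body += struct.pack("!H", cipher_suite) + b"\x00"  # cipher suite, null compression
    return _handshake(HS_SERVER_HELLO, body)


# TLS 1.2, ECDHE suite, server asks for a client certificate (minimal CertificateRequest body)
SAMPLE_MUTUAL_AUTH = _record(_server_hello(TLS12, 0xC02F)) + \
    _record(_handshake(HS_CERTIFICATE_REQUEST, b"\x01\x01\x00\x00"))
# TLS 1.2, plain RSA key exchange with AES128-GCM-SHA256, no client cert requested
SAMPLE_RSA_GCM = _record(_server_hello(TLS12, 0x009C))

if __name__ == "__main__":
    for label, flight in (("mutual-auth", SAMPLE_MUTUAL_AUTH), ("rsa-gcm", SAMPLE_RSA_GCM)):
        parsed = parse_server_flight(flight)
        for release in ((5, 0), (7, 0), (8, 0)):
            print(label, release, decryption_blockers(parsed, release) or ["decryptable"])
```

Run against a real capture, the parser would be fed the raw TLS records of the server's first flight; the check then tells you before enabling a decryption rule whether the session would simply pass through undecrypted.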

Recommendations

  1. If there is an enterprise CA in place, use it, since it is trusted
  2. Enable SSL Decryption for a small group of users or a single subnet
  3. Always use URL categories to decrypt selective content, such as social-networking.
  4. In some countries, certain connections cannot be decrypted due to the law, so use URL categories to exclude sensitive categories.


The following document contains the list of applications that are excluded from SSL Decryption: List of Applications Excluded from SSL Decryption


See Also

Compatibility Matrix: Supported Cipher Suites (for PAN-OS 7.1 and 8.0)

SSL Decryption Not Working Due to Unsupported Cipher Suites

How to Implement and Test SSL Decryption


owner: dantony



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVUCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail