How to Configure SSL Decryption
Created On 09/26/18 13:44 PM - Last Modified 04/19/21 21:26 PM
Here are 2 videos to help explain:
Configure SSL Inbound Inspection:
Configure SSL Forward Proxy Detection:
We’ll be covering the following topics:
- What is SSL Decryption?
- Understanding Inbound and Outbound SSL Decryption (SSL Forward Proxy)
- Ensuring the Proper Certificate Authority on the Firewall
- Configuring SSL Decryption Rules
- Enabling SSL Decryption Notification Page (optional)
- Committing Changes and Testing Decryption
What is SSL Decryption?
SSL (Secure Sockets Layer) is a security protocol that encrypts data to help keep information secure while on the internet.
SSL certificates have a key pair: public and private, which work together to establish a connection.
PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode. The Decryption rulebase is used to configure which traffic to decrypt. In particular, decryption can be based upon URL categories as well as source user and source/target addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats/URL filtering/file blocking/data filtering. Decrypted traffic is never sent off the device.
Inbound SSL Decryption
In the case of inbound SSL decryption, inbound traffic would be destined to an internal Web Server or device. To configure this properly, the administrator imports a copy of the protected server’s certificate and key. When the SSL server certificate is loaded on the firewall, and an SSL decryption policy is configured for the inbound traffic, the device can then decrypt and read the traffic as it forwards it along. No changes are made to the packet data, and the secure channel is built from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel.
Outbound SSL Decryption (SSL Forward Proxy)
In the case of outbound SSL decryption, the firewall proxies outbound SSL connections. For the site the user wishes to visit, the firewall intercepts the outbound SSL request and generates a certificate in real time. The validity date on the PA-generated certificate is taken from the validity date on the real server certificate.
The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall’s certificate is not part of an existing hierarchy, or is not added to a client’s browser cache, the client receives a warning message when browsing to a secure site. If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall, the decryption certificate is issued using a second, untrusted CA key. Because clients do not trust that second CA, the user still receives a browser warning and is not shielded from a man-in-the-middle attack on the upstream connection.
Ensuring the Proper Certificate Authority on the Firewall and Exporting the CA to Clients
Loading or generating a CA certificate on the Palo Alto Networks firewall is required, because a Certificate Authority (CA) is needed to generate SSL certificates on the fly and so decrypt traffic properly. Either create a self-signed CA on the firewall or import a subordinate CA from your own PKI infrastructure. Set the Forward Trust Certificate flag on the certificate that chains to a Trusted Root CA your hosts already trust, or will be configured to trust. Public SSL certificate providers such as Entrust, Verisign, Digicert, and GoDaddy do not sell CA certificates, so certificates from them cannot be used for SSL Decryption.
Create a separate self-signed CA Certificate and enable the Forward Untrust Certificate flag to make sure the firewall presents clients with a certificate they do not trust when the firewall observes an invalid certificate from the server.
To Generate a Self-Signed Certificate:
- From the firewall GUI, go to Device > Certificates Management > Certificates
- Click Generate at the bottom of the screen
- For Certificate name (which can be anything), we chose ssl-decrypt
- For Common Name, we entered the Firewall's Trusted Internal IP: 172.16.77.1
- Check the box next to Certificate Authority to create a Certificate Authority and an SSL Certificate signed by the firewall itself (172.16.77.1)
- If you want this certificate to be good for more than 1 year, please go into the Cryptographic settings, and choose, say, 2 years or 730 days. Now the certificate is good for 2 years
- If you need to place any additional Certificate attributes, you can do so inside the window at the bottom.
- Click Generate, then notice that the Status shows as valid.
- Click ssl-decrypt, then place a check mark next to Forward Trust Certificate, then click OK. Now the certificate can be used for decryption.
- Deploy the certificate in the hosts' Trusted Root CA certificate store.
If a self-signed CA is used, the public CA Certificate must be exported from the firewall, then installed as a Trusted Root CA on each machine’s browser to avoid Untrusted Certificate error messages inside your browser. Normally, network administrators review and use GPO to push this certificate to each workstation.
When it comes to the Forward Untrust Certificate, it is important to use a separate certificate that is outside the chain of trust of the certificate carrying the Forward Trust Certificate flag. The reason is that if a single certificate had both the Forward Trust Certificate and Forward Untrust Certificate flags enabled, the firewall would always present hosts with a certificate they trust, even when the destination server presented an invalid certificate.
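The Forward Trust / Forward Untrust behaviour described above and in the Outbound SSL Decryption section, simulated with openssl as an added example (not Palo Alto Networks code): every CA, key and the site name www.site-x.com are constructed for the demo, and the firewall's real certificate generation is approximated by a shell function.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code: simulates the forward-proxy
# certificate decision with openssl. Every CA, key and the site name
# www.site-x.com here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
CLIENT_STORE="$WORK/client-roots.pem"   # what GPO pushed to the workstations
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
mk_ca() {   # $1 = file stem, $2 = CN: self-signed CA, 730 days as in the article
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 730 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
sign_leaf() {   # $1 = CN, $2 = issuing CA stem, $3 = output stem
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/$3.crt" 2>/dev/null
}
# Firewall decision: mimic the server's subject; sign with the Forward Trust CA
# if the real chain validates against the firewall's trusted CAs, otherwise
# with the Forward Untrust CA. (The device also copies notBefore/notAfter;
# the openssl CLI only takes -days, so a fixed lifetime stands in for that.)
issue_mimic() {   # $1 = real server cert stem, $2 = trust CA, $3 = untrust CA, $4 = out stem
  cn=$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//')
  if openssl verify -CAfile "$WORK/firewall-trusted.pem" "$WORK/$1.crt" >/dev/null 2>&1
  then sign_leaf "$cn" "$2" "$4"; else sign_leaf "$cn" "$3" "$4"; fi
}
client_trusts() { openssl verify -CAfile "$CLIENT_STORE" "$WORK/$1.crt" >/dev/null 2>&1; }
mk_ca ssl-decrypt         "ssl-decrypt"         # Forward Trust CA, exported to clients
mk_ca ssl-decrypt-untrust "ssl-decrypt-untrust" # Forward Untrust CA, never exported
mk_ca public-ca           "Example Public CA"   # a CA the firewall trusts
mk_ca unknown-ca          "Unknown CA"          # a CA the firewall does not trust
cp "$WORK/public-ca.crt" "$WORK/firewall-trusted.pem"
cp "$WORK/ssl-decrypt.crt" "$CLIENT_STORE"
sign_leaf www.site-x.com public-ca  real-good    # valid upstream server cert
sign_leaf www.site-x.com unknown-ca real-bad     # upstream cert the firewall cannot validate
issue_mimic real-good ssl-decrypt ssl-decrypt-untrust mimic-good
issue_mimic real-bad  ssl-decrypt ssl-decrypt-untrust mimic-bad
issue_mimic real-bad  ssl-decrypt ssl-decrypt         mimic-misconfig  # one CA with both flags
for m in mimic-good mimic-bad mimic-misconfig; do
  client_trusts "$m" && echo "$m: browser trusts it" || echo "$m: browser warns the user"
done
```

The third case reproduces the misconfiguration warned about above: with one CA carrying both flags, the client trusts the mimic certificate even though the upstream server certificate could not be validated.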
- To manually export the public CA certificate, let’s go back to the Certificates section at Device > Certificate Management > Certificates
- Select the check box next to ssl-decrypt we just created, then select Export at the bottom of the screen
- When the Export Certificate screen displays, uncheck Export private key, as it’s not required
- Keep the format as Base64 Encoded Certificate (PEM) and click OK, no need to enter a password. A copy of cert_ssl-decrypt.crt is downloaded, which now needs to go onto the client machine
Use Google Drive or GPO to push the exported certificate to all your client machines. We recommend GPO, as it also makes SSL Decryption work properly on newly joined machines.
- Place a public CA Certificate onto Google Drive, then access Google Drive from a client machine.
- Download the certificate onto the client machine.
- Install the certificate onto IE or Chrome.
To install the certificate:
- Select the certificate (in Windows, double-click). The Certificate properties are displayed.
- Select Install Certificate. You are prompted about where you’d like to save this certificate.
- Select Place all certificates in the following store, then click browse. We recommend that you choose Trusted Root Certification Authorities, click Next, then Finish. The import was successful is displayed.
- Click OK
Configuring SSL Decryption Rules
These instructions are for setting up Outbound SSL Decryption (SSL Forward Proxy). If you need instructions for setting up Inbound SSL decryption, please see the admin guides (listed below) for instructions.
To set up SSL Decryption rules:
Go to Policies, then Decryption. This is where the rules either allow or decrypt the SSL traffic through the firewall. In this example, two rules are already in place: one named Do Not Decrypt, which excludes traffic from decryption, and a second rule that decrypts traffic.
The network or security administrator determines what needs to be decrypted. Following are some suggestions for configuring SSL decryption rules:
- Implement rules in a phased approach. Start with specific rules for decryption, then monitor the typical number of SSL connections being decrypted by the device.
- Avoid decrypting the following URL categories, as users may consider this to be an invasion of privacy:
- Also, do not decrypt applications where the server requires client-side certificates (for identification).
- Create a custom URL category inside Objects > Custom Objects, then click Add at the bottom of the page. Give it a name: Do-Not-Decrypt
- Then add the sites you do not want decrypted
- We are placing site-x.com into this URL Category. We are also adding www.site-x.com, because even though these look like the same web pages, they are treated as different entries
- Now, place that new URL Category into the Do-Not-Decrypt rule.
If your security policy requires notifying users that their SSL connection will be decrypted, use the response page at Device > Response Pages screen. Click Disabled, then check the Enable SSL Opt-out Page option and click OK.
Committing Changes and Testing Decryption
Commit the changes so we can test the client SSL decryption.
From a client machine:
- Visit any SSL web page and see if the session was decrypted.
- Try to see if twitter.com and facebook.com are showing up decrypted. If you can access the site without issues, then decryption is working properly.
- From the WebGUI, go to traffic logs
- Look for twitter-base and click the Magnifying glass on the left side of the window.
- Under Flags, on the right side, look for the Decrypted flag. The Decrypted flag indicates that SSL Decryption is working as designed.
Then check to see if the logs are recording the sessions being decrypted.
For instructions for generating and importing a certificate from Microsoft Certificate Server, and for more information in text form, please see How to Implement and Test SSL Decryption
For information on the Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode: Difference Between SSL Forward Proxy and Inbound Inspection
For additional information on How to Configure SSL Decryption in document form, please see the Admin Guides:
For even more info on SSL Decryption, please visit the SSL decryption resource list, as it has a long list of articles dealing with SSL decryption only.