PAN-OS Administrator's Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 9, 2016
PAN-OS 7.1 Administrator's Guide, Palo Alto Networks, Inc.
Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic.
Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
Decryption Overview
Decryption Concepts
Define Traffic to Decrypt
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
Enable Users to Opt Out of SSL Decryption
Configure Decryption Port Mirroring
Temporarily Disable SSL Decryption
Decryption Overview
Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
Prevent sensitive corporate information from moving outside the corporate network.
Ensure the appropriate applications are running on a secure network.
Selectively decrypt traffic; for example, exclude traffic for financial or health care sites from decryption by configuring a decryption exception.
The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.
You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third party solution for additional analysis and archiving.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
Keys and Certificates for Decryption Policies
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy
Decryption Exceptions
Decryption Mirroring
Keys and Certificates for Decryption Policies
Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.
X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.
With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.
For detailed information on certificates, see Certificate Management.
Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Firewall Keys and Certificates
Key/Certificate Usage: Description

Forward Trust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM.

Forward Untrust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

SSL Exclude Certificate: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

SSL Inbound Inspection: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).
SSL Forward Proxy
Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL encrypted traffic from being introduced to your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate, and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site they're attempting to connect to is not trusted, and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.
Figure: SSL Forward Proxy
See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
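The certificate decision described above for SSL Forward Proxy, together with the CTL, Forward Trust, Forward Untrust and SSL Exclude Certificate roles from the Keys and Certificates section, as an added Python model (example code, not from the guide or from PAN-OS): certificates are reduced to subject and issuer CNs with constructed names, no real X.509 parsing or signing is performed, and the client-side outcome shows why the forward trust CA must be distributed to clients (Step 3 of the configuration task) while the forward untrust CA must not.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only subject CN and issuer CN."""
    subject: str
    issuer: str            # a self-signed root has issuer == subject


@dataclass
class FirewallCerts:
    """Firewall-side objects from the Keys and Certificates table (constructed CNs)."""
    ctl: set               # root CA CNs in the certificate trust list (CTL)
    forward_trust: str     # CN of the Forward Trust signing CA
    forward_untrust: str   # CN of the Forward Untrust signing CA
    ssl_exclude: set = field(default_factory=set)   # SSL Exclude Certificate CNs

    def __post_init__(self):
        # Best practice from the table: a different certificate for each usage.
        if self.forward_trust == self.forward_untrust:
            raise ValueError("forward trust and forward untrust certificates must differ")


def chain_root(chain):
    """Follow issuer links from the leaf (chain[0]) and return the CN of the root
    CA the chain claims, whether or not the root itself was sent by the server."""
    by_subject = {c.subject: c for c in chain}
    cur, seen = chain[0], set()
    while cur.issuer != cur.subject and cur.issuer in by_subject and cur.subject not in seen:
        seen.add(cur.subject)
        cur = by_subject[cur.issuer]
    return cur.issuer


def forward_proxy_decision(chain, fw):
    """Return (action, certificate the client will see).

    pass-through: the server CN is an SSL Exclude Certificate; the session is not
                  decrypted and the original leaf reaches the client unchanged.
    resign:       a copy of the leaf is signed by Forward Trust when the chain's
                  root is in the CTL, otherwise by Forward Untrust.
    """
    leaf = chain[0]
    if leaf.subject in fw.ssl_exclude:
        return "pass-through", leaf
    signer = fw.forward_trust if chain_root(chain) in fw.ctl else fw.forward_untrust
    return "resign", Cert(leaf.subject, signer)


def client_outcome(chain, fw, client_roots):
    """What the user experiences, given the CAs in the client's trusted root store."""
    action, presented = forward_proxy_decision(chain, fw)
    if action == "pass-through":
        return "not-decrypted"
    if presented.issuer in client_roots:
        return "decrypted-no-warning"
    return "decrypted-with-warning"   # Forward Untrust is never deployed to clients


# Constructed sample data: one firewall, three server chains, two client stores.
FW = FirewallCerts(ctl={"Example Root CA"}, forward_trust="fw-forward-trust",
                   forward_untrust="fw-forward-untrust", ssl_exclude={"hr.corp.example"})
TRUSTED_SITE = [Cert("www.example.com", "Example Intermediate CA"),
                Cert("Example Intermediate CA", "Example Root CA")]
SELF_SIGNED_SITE = [Cert("self.example.net", "self.example.net")]
EXCLUDED_SITE = [Cert("hr.corp.example", "Corp Internal CA")]
CLIENT_WITH_STEP3 = {"fw-forward-trust", "Example Root CA"}   # forward trust CA installed
CLIENT_WITHOUT_STEP3 = {"Example Root CA"}                    # Step 3 skipped

if __name__ == "__main__":
    for name, chain in [("trusted", TRUSTED_SITE), ("self-signed", SELF_SIGNED_SITE),
                        ("excluded", EXCLUDED_SITE)]:
        print(name, client_outcome(chain, FW, CLIENT_WITH_STEP3),
              client_outcome(chain, FW, CLIENT_WITHOUT_STEP3))
```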
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server certificate and key onto the firewall. Because the targeted server certificate and key are imported on the firewall, the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy. The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Figure: SSL Inbound Inspection shows this process in detail.
Figure: SSL Inbound Inspection
See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.
SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates, and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot-up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSH v2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.
Figure: SSH Proxy Decryption
See Configure SSH Proxy for details on configuring an SSH Proxy policy.
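The distinction the SSH Proxy makes between normal SSH and SSH tunneling (port forwarding) is visible in the decrypted SSH connection-protocol messages, so here is an added Python classifier for those messages (example code, not from the guide or from PAN-OS): it decodes SSH_MSG_CHANNEL_OPEN and SSH_MSG_GLOBAL_REQUEST payloads per RFC 4254 and flags direct-tcpip / forwarded-tcpip channels and tcpip-forward requests as tunnels. The sample payloads at the bottom are constructed in this example; real firewall internals are not known to this code.

```python
import struct

# Message numbers from RFC 4254 (SSH connection protocol).
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90

# Channel types and global requests that set up port forwarding.
TUNNEL_CHANNELS = {"direct-tcpip", "forwarded-tcpip"}
TUNNEL_REQUESTS = {"tcpip-forward", "cancel-tcpip-forward"}


class PayloadReader:
    """Sequential reader for the SSH wire types used below (RFC 4251 section 5)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated SSH payload")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self._take(1)[0]

    def boolean(self) -> bool:
        return self.byte() != 0

    def uint32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def string(self) -> bytes:
        return self._take(self.uint32())


def parse_ssh_message(payload: bytes) -> dict:
    """Decode a decrypted SSH packet payload; only the two message types that
    matter for tunnel detection are fully decoded."""
    r = PayloadReader(payload)
    msg_id = r.byte()
    if msg_id == SSH_MSG_CHANNEL_OPEN:
        ctype = r.string().decode("ascii")
        msg = {"msg": "channel-open", "channel_type": ctype,
               "sender_channel": r.uint32(), "window": r.uint32(),
               "max_packet": r.uint32()}
        if ctype in TUNNEL_CHANNELS:
            # direct-tcpip / forwarded-tcpip carry the tunnel endpoints.
            msg["host"] = r.string().decode("utf-8")
            msg["port"] = r.uint32()
            msg["originator"] = r.string().decode("utf-8")
            msg["originator_port"] = r.uint32()
        return msg
    if msg_id == SSH_MSG_GLOBAL_REQUEST:
        name = r.string().decode("ascii")
        msg = {"msg": "global-request", "request": name, "want_reply": r.boolean()}
        if name in TUNNEL_REQUESTS:
            # Remote forwarding: the client asks the server to listen on this address.
            msg["bind_address"] = r.string().decode("utf-8")
            msg["bind_port"] = r.uint32()
        return msg
    return {"msg": "other", "msg_id": msg_id}


def classify(payload: bytes) -> str:
    """'tunnel' for port-forwarding setup, 'session' for an interactive or exec
    channel, 'other' for everything else (key exchange, channel data, ...)."""
    msg = parse_ssh_message(payload)
    if msg["msg"] == "channel-open":
        if msg["channel_type"] in TUNNEL_CHANNELS:
            return "tunnel"
        return "session" if msg["channel_type"] == "session" else "other"
    if msg["msg"] == "global-request" and msg["request"] in TUNNEL_REQUESTS:
        return "tunnel"
    return "other"


# Constructed sample messages (encoders used only to build example input).
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def channel_open(ctype: str, *extra: bytes) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _s(ctype.encode())
            + struct.pack(">III", 0, 2097152, 32768) + b"".join(extra))


def global_request(name: str, want_reply: bool, *extra: bytes) -> bytes:
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + _s(name.encode())
            + bytes([int(want_reply)]) + b"".join(extra))


SAMPLE_SESSION = channel_open("session")
SAMPLE_LOCAL_FORWARD = channel_open("direct-tcpip", _s(b"10.0.0.5"),
                                    struct.pack(">I", 3389), _s(b"127.0.0.1"),
                                    struct.pack(">I", 51234))
SAMPLE_REMOTE_FORWARD = global_request("tcpip-forward", True, _s(b"0.0.0.0"),
                                       struct.pack(">I", 8080))
```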
Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:
Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including for legal or privacy purposes. You can use a decryption policy to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial or health related from decryption.
Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.
Decryption Mirroring
The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic, and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
Figure: Decryption Port Mirroring
Define Traffic to Decrypt
A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
Create a Decryption Profile
Create a Decryption Policy Rule
Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
Block sessions using unsupported protocols or cipher suites, or sessions that require client authentication.
Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
Configure a Decryption Profile Rule
Step 1
Step 2
Step 3
(Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic.
Decryption mirroring requires a decryption port mirror license.
Configure a Decryption Profile Rule (Continued)
Select SSL Decryption:
Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 4
(Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 5
Step 6
Step 7
Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches to is enforced based on the additional profile rule settings.
1.
2.
3.
Step 8
Commit the configuration.
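To make the profile checks above concrete, here is an added Python model of decryption profile enforcement (example code, not from the guide or from PAN-OS; field names and the algorithm sets are this example's own choices, not PAN-OS configuration keys): it maps an OpenSSL-style cipher suite name to its key exchange, encryption and authentication components, enforces the protocol version range, and applies the server certificate checks only to SSL Forward Proxy sessions, as the procedure states, while the protocol, client authentication and failure checks apply to both decryption types.

```python
from dataclasses import dataclass, field

# Protocol versions in enforcement order (oldest first).
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass
class DecryptionProfile:
    """Settings modelled on the three tabs the procedure names (constructed fields)."""
    # SSL Protocol Settings
    min_version: str = "TLSv1.0"
    max_version: str = "TLSv1.2"
    key_exchange: set = field(default_factory=lambda: {"RSA", "DHE", "ECDHE"})
    encryption: set = field(default_factory=lambda: {
        "AES128-CBC", "AES256-CBC", "AES128-GCM", "AES256-GCM"})
    authentication: set = field(default_factory=lambda: {"SHA1", "SHA256", "SHA384"})
    # SSL Forward Proxy: server certificate verification
    block_expired_cert: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = False
    block_status_timeout: bool = False
    block_restricted_extensions: bool = False
    # Unsupported mode and failure checks (Forward Proxy and Inbound Inspection)
    block_client_auth: bool = False
    block_if_no_resources: bool = False
    block_if_hsm_unavailable: bool = False


@dataclass
class Session:
    """Constructed view of one TLS session as the firewall sees it."""
    decryption_type: str          # "ssl-forward-proxy" or "ssl-inbound-inspection"
    version: str
    cipher: str                   # OpenSSL-style name, e.g. ECDHE-RSA-AES128-GCM-SHA256
    client_auth_required: bool = False
    cert_expired: bool = False
    issuer_trusted: bool = True
    cert_status: str = "good"     # "good", "revoked", "unknown" or "timeout"
    restricted_extensions: bool = False
    resources_available: bool = True
    hsm_available: bool = True


def split_cipher(name):
    """Map an OpenSSL suite name to (key exchange, encryption, authentication)."""
    parts = name.split("-")
    mac = parts[-1]
    if parts[0] in ("ECDHE", "DHE"):
        kx, body = parts[0], parts[2:-1]      # parts[1] is the signature algorithm
    else:
        kx, body = "RSA", parts[:-1]          # static RSA key exchange
    core = "-".join(body)
    if "GCM" in core:
        enc = core.split("-")[0] + "-GCM"
    elif core.startswith("AES"):
        enc = core + "-CBC"
    elif "DES-CBC3" in core:
        enc = "3DES"
    elif "RC4" in core:
        enc = "RC4"
    else:
        enc = core
    auth = "SHA1" if mac == "SHA" else mac
    return kx, enc, auth


def evaluate(session, profile):
    """Return the list of reasons the profile blocks this session ([] means allow)."""
    reasons = []
    order = {v: i for i, v in enumerate(VERSION_ORDER)}
    v = order.get(session.version)
    if v is None or not order[profile.min_version] <= v <= order[profile.max_version]:
        reasons.append("unsupported-protocol-version")
    kx, enc, auth = split_cipher(session.cipher)
    for value, allowed, label in ((kx, profile.key_exchange, "key-exchange"),
                                  (enc, profile.encryption, "encryption"),
                                  (auth, profile.authentication, "authentication")):
        if value not in allowed:
            reasons.append(f"unsupported-{label}:{value}")
    if session.client_auth_required and profile.block_client_auth:
        reasons.append("client-authentication-required")
    # Certificate checks apply only to Forward Proxy: with Inbound Inspection the
    # server certificate is the one imported onto the firewall, not a remote site's.
    if session.decryption_type == "ssl-forward-proxy":
        cert_checks = [
            (session.cert_expired, profile.block_expired_cert, "expired-certificate"),
            (not session.issuer_trusted, profile.block_untrusted_issuer, "untrusted-issuer"),
            (session.cert_status == "unknown", profile.block_unknown_status, "unknown-certificate-status"),
            (session.cert_status == "timeout", profile.block_status_timeout, "certificate-status-timeout"),
            (session.restricted_extensions, profile.block_restricted_extensions, "restricted-extensions"),
        ]
        reasons += [label for cond, enabled, label in cert_checks if cond and enabled]
    if not session.resources_available and profile.block_if_no_resources:
        reasons.append("no-decryption-resources")
    if not session.hsm_available and profile.block_if_hsm_unavailable:
        reasons.append("hsm-unavailable")
    return reasons
```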
Create a Decryption Policy Rule
Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.
Configure a Decryption Policy Rule
Step 1
Step 2
Give the policy rule a descriptive Name.
Step 3
Configure the decryption rule to match to traffic based on network and policy objects:
Firewall security zones: Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
IP addresses, address objects, and/or address groups: Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
Ports and protocols: Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
Custom URL categories (see Objects > Custom Objects > URL Category).
Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or health care related sites from decryption based on the Palo Alto Networks URL categories.
Step 4
Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
Select Options and set the policy rule Action:
Decrypt matching traffic:
1. Select Decrypt.
2. Set the Type of decryption for the firewall to perform on matching traffic:
SSL Forward Proxy
SSH Proxy
SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
Exclude matching traffic from decryption:
Select No Decrypt.
Step 5
(Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)
Configure a Decryption Policy Rule (Continued)
Step 6
Click OK to save the policy.
Next Steps...
Fully enable the firewall to decrypt traffic:
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
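The rule matching described in Steps 3 and 4, as an added Python model of an ordered decryption rulebase (example code, not from the guide or from PAN-OS): zones, source addresses with Negate, users, service (including application-default against a constructed App-ID default-port table) and URL categories are matched first-rule-wins, and the sample rulebase shows the application-default exception from the Decryption Exceptions text beside a URL-category exception, an outbound Forward Proxy rule and an Inbound Inspection rule that must carry the server certificate. Names, zones, addresses and the rule that traffic matching no rule stays undecrypted are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"
# Constructed App-ID default-port table; the real App-ID database is far larger.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ssh": {22}}


@dataclass
class DecryptionRule:
    name: str
    action: str                                  # "decrypt" or "no-decrypt"
    decryption_type: Optional[str] = None        # ssl-forward-proxy | ssl-inbound-inspection | ssh-proxy
    source_zones: set = field(default_factory=lambda: {ANY})
    destination_zones: set = field(default_factory=lambda: {ANY})
    source_addresses: list = field(default_factory=list)   # CIDR strings; empty = any
    negate_source: bool = False
    source_users: set = field(default_factory=lambda: {ANY})
    service: str = ANY                           # "any", "application-default" or "tcp/443"
    url_categories: set = field(default_factory=lambda: {ANY})
    certificate: Optional[str] = None            # required for ssl-inbound-inspection

    def __post_init__(self):
        # Step 4: Inbound Inspection needs the destination server's certificate.
        if (self.action == "decrypt" and self.decryption_type == "ssl-inbound-inspection"
                and not self.certificate):
            raise ValueError(f"rule {self.name}: inbound inspection needs a server certificate")


@dataclass
class Session:
    """Constructed view of one session's match attributes."""
    source_zone: str
    destination_zone: str
    source_ip: str
    user: str
    protocol: str
    destination_port: int
    app: str
    url_category: str


def _zone_match(allowed, zone):
    return ANY in allowed or zone in allowed


def _address_match(rule, ip):
    if not rule.source_addresses:
        return True
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in rule.source_addresses)
    return not hit if rule.negate_source else hit     # Negate inverts the address list


def _service_match(rule, s):
    if rule.service == ANY:
        return True
    if rule.service == "application-default":
        # Matches only when the detected app is on one of its default ports.
        return s.destination_port in APP_DEFAULT_PORTS.get(s.app, set())
    proto, port = rule.service.split("/")
    return s.protocol == proto and s.destination_port == int(port)


def rule_matches(rule, s):
    return (_zone_match(rule.source_zones, s.source_zone)
            and _zone_match(rule.destination_zones, s.destination_zone)
            and _address_match(rule, s.source_ip)
            and (ANY in rule.source_users or s.user in rule.source_users)
            and _service_match(rule, s)
            and (ANY in rule.url_categories or s.url_category in rule.url_categories))


def decide(rules, s):
    """First matching rule wins. Assumption: traffic matching no rule is not decrypted."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action, rule.decryption_type
    return None, "no-decrypt", None


# Constructed rulebase: exceptions first, broad decrypt rules after them.
RULES = [
    DecryptionRule("no-decrypt-sensitive", "no-decrypt",
                   url_categories={"financial-services", "health-and-medicine"}),
    # Exclude this account's apps on their default ports only; the same apps on
    # non-standard ports fall through to the decrypt rule below.
    DecryptionRule("no-decrypt-svc-default-ports", "no-decrypt",
                   source_users={"svc-backup"}, service="application-default"),
    DecryptionRule("decrypt-outbound", "decrypt", "ssl-forward-proxy",
                   source_zones={"trust"}, destination_zones={"untrust"},
                   source_addresses=["10.99.0.0/16"], negate_source=True),
    DecryptionRule("decrypt-inbound-www", "decrypt", "ssl-inbound-inspection",
                   source_zones={"untrust"}, destination_zones={"dmz"},
                   service="tcp/443", certificate="www-server-cert"),
]
```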
Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
(Recommended) Enterprise CA-signed Certificates
An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the C A that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
Self-signed Certificates
When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.
Configure SSL Forward Proxy
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Step 2
Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
Use a self-signed certificate as the forward trust certificate.
Configure SSL Forward Proxy (Continued)
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
a. Select Device > Certificate Management > Certificates and click Generate.
b. Enter a Certificate Name, such as myfwdproxy.
c. In the Signed By drop-down, select External Authority (CSR).
d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
a. Select the pending certificate displayed on the Device Certificates tab.
b. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
a. Select Device > Certificate Management > Certificates and click Import.
b. Enter the pending Certificate Name exactly (in this case, myfwdtrust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
c. Select the signed Certificate File that you received from your enterprise CA.
d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case, myfwdproxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.
Configure SSL Forward Proxy (Continued)
Use a self-signed certificate as the forward trust certificate.
1. Generate a new certificate:
a. Select Device > Certificate Management > Certificates.
b. Click Generate at the bottom of the window.
c. Enter a Certificate Name, such as myfwdtrust.
d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
e. Leave the Signed By field blank.
f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
g. Generate the certificate.
2. Click the new certificate myfwdtrust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.
Step 3
Distribute the forward trust certificate to client system certificate stores.
If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit.
If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
On a firewall configured as a GlobalProtect portal:
This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
1.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
4.
5. Click OK twice.
Without GlobalProtect:
Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).
Configure SSL Forward Proxy (Continued)
Step 4
Configure the forward untrust certificate.
1. Click Generate at the bottom of the certificates page.
2. Enter a Certificate Name, such as myfwduntrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Click the Certificate Authority check box to enable the firewall to issue the certificate.
5. Click Generate to generate the certificate.
6. Click OK to save.
7. Click the new mysslfwuntrust certificate to modify it and enable the Forward Untrust Certificate option.
Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates.
8. Click OK to save.
Step 5
(Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
Configure the Key Size for SSL Forward Proxy Server Certificates.
Step 6
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
Set the rule Action to Decrypt matching traffic.
Set the rule Type to SSL Forward Proxy.
(Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
3. Click OK to save.
Step 7
Step 8
(Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.
Commit the configuration.
Configure SSL Forward Proxy (Continued)
Next Steps...
Enable Users to Opt Out of SSL Decryption.
Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted, unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.
ConfigureSSLInboundInspection
Step1
Ensurethattheappropriateinterfaces
areconfiguredaseithervirtualwire,
Layer2,orLayer3interfaces.
Step2
Ensurethatthetargetedserver
certificateisinstalledonthefirewall.
Step3
1.
OntheDevice Certificatestab,selectImport.
2.
3.
BrowseforandselectthetargetedserverCertificate File.
4.
ClickOK.
CreateaDecryptionPolicyRuletodefine 1.
trafficforthefirewalltodecrypt.
2.
SelectOptions and:
SettheruleActiontoDecryptmatchingtraffic.
SettheruleTypetoSSL Inbound Inspection.
SelecttheCertificatefortheinternalserverthatisthe
destinationoftheinboundSSLtraffic.
(Optional)SelectaDecryption Profiletoblockandcontrol
variousaspectsofthedecryptedtraffic(forexample,Create
aDecryptionProfiletoterminatesessionsifsystem
resourcesarenotavailabletoprocessdecryption).
3.
ClickOK tosave.
502 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Decryption
ConfigureSSLInboundInspection
ConfigureSSLInboundInspection
Step4
Step5
(Optional)Allowthefirewalltoforward
decryptedtrafficforWildFireanalysis.
Thisoptionrequiresanactive
WildFirelicense.Getstartedwith
WildFiretodecidewhatWildFire
deploymentworksforyouandto
enablefileforwardingand
signatureprotection.
Onasinglefirewall:
1.
2.
EdittheURLFilteringoptionstoAllow Forwarding of
Decrypted Content.
3.
ClickOK.
Onafirewallwithvirtualsystemsconfigured:
1.
2.
Clickthevirtualsystemyouwanttomodify,andselectAllow
Forwarding of Decrypted Content.
3.
ClickOK.
Committheconfiguration.
NextSteps...
EnableUserstoOptOutofSSLDecryption.
ConfigureDecryptionExceptionstodisabledecryptionfor
certaintypesoftraffic.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 503
Configure SSH Proxy

Configuring SSH Proxy does not require certificates; the key used to decrypt SSH sessions is generated automatically on the firewall during boot up. Because the firewall proxies the session, clients are presented with the firewall's host key rather than the server's, so an SSH client that already knows the server will report a changed host key.

With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.

Configure SSH Proxy Decryption

Step 1   Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
  Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.

Step 2   Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
  1. Select Policies > Decryption and click Add.
  2. Select Options and:
     Set the rule Action to Decrypt to decrypt matching traffic.
     Set the rule Type to SSH Proxy.
     (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
  3. Click OK to save.

Step 3   (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
  This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
  On a single firewall:
  1. Select Device > Setup > Content-ID.
  2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
  3. Click OK.
  On a firewall with virtual systems configured:
  1. Select Device > Virtual Systems.
  2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
  3. Click OK.

Step 4   Commit the configuration.

Next Step...
  Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure Decryption Exceptions

You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
  Exclude Traffic from Decryption
  Exclude a Server from Decryption

Exclude Traffic from Decryption

To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence and the first match wins, make sure that a decryption exclusion rule is listed above any Decrypt rule that could also match the same traffic; an exclusion placed below a broader Decrypt rule never takes effect for the traffic that rule catches first.

Exclude Traffic from a Decryption Policy

Step 1

Step 2   Exclude traffic from decryption based on match criteria.
  This example shows how to exclude traffic categorized as financial or health related from SSL Forward Proxy decryption.
  1. Select Policies > Decryption and click Add.
  2. Define the traffic that you want to exclude from decryption. In this example:
     a. Give the rule a descriptive Name, such as NoDecryptFinanceHealth.
     b. Set the Source and Destination to Any to apply the NoDecryptFinanceHealth rule to all SSL traffic destined for an external server.
     c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
  3. Select Options and set the rule to No Decrypt.
  4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
  5. Click OK to save the NoDecryptFinanceHealth decryption rule.

Step 3   Commit the configuration.
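The ordering rule above is easy to get wrong on a firewall that already has a broad Decrypt rule. The following Python script is an added example, not from the guide or from PAN-OS: it models first-match evaluation over the match criteria the guide names (source, destination, URL category, service) with Decrypt and No Decrypt actions, and flags a No Decrypt exception that sits below an overlapping Decrypt rule. The zone names, rule names, and flows are constructed, and the dictionaries are not a PAN-OS configuration format.

```python
"""First-match evaluation of a decryption policy (added example).

Models the match criteria the guide lists and shows why a No Decrypt
exception must precede any Decrypt rule that overlaps it. Zone names,
rule names and flows are constructed; the dicts are not an export format.
"""

ANY = "any"
FIELDS = ("source", "destination", "url_category", "service")


def matches(rule, flow):
    """A rule field set to ANY matches everything; otherwise the flow's
    value must be one of the rule's listed values."""
    return all(rule[f] == ANY or flow[f] in rule[f] for f in FIELDS)


def evaluate(rules, flow):
    """Return (rule name, action) of the first rule that matches.
    Traffic matching no decryption rule is left encrypted, so the
    fall-through result is No Decrypt."""
    for rule in rules:
        if matches(rule, flow):
            return rule["name"], rule["action"]
    return None, "no-decrypt"


def overlaps(a, b):
    """True when some flow can match both rules."""
    return all(a[f] == ANY or b[f] == ANY or set(a[f]) & set(b[f])
               for f in FIELDS)


def misordered_exceptions(rules):
    """(decrypt rule, exception) pairs where a Decrypt rule is listed
    above a No Decrypt exception it overlaps: traffic the exception was
    written for is decrypted before the exception is ever consulted."""
    conflicts = []
    for i, later in enumerate(rules):
        if later["action"] != "no-decrypt":
            continue
        for earlier in rules[:i]:
            if earlier["action"] == "decrypt" and overlaps(earlier, later):
                conflicts.append((earlier["name"], later["name"]))
    return conflicts


# Constructed rules: the guide's NoDecryptFinanceHealth example plus a
# typical broad outbound Decrypt rule.
NO_DECRYPT_FINANCE_HEALTH = {
    "name": "NoDecryptFinanceHealth", "action": "no-decrypt",
    "source": ANY, "destination": ANY,
    "url_category": ["financial-services", "health-and-medicine"],
    "service": ANY,
}
DECRYPT_OUTBOUND = {
    "name": "DecryptOutboundSSL", "action": "decrypt",
    "source": ["trust"], "destination": ["untrust"],
    "url_category": ANY, "service": ["service-https"],
}
CORRECT_ORDER = [NO_DECRYPT_FINANCE_HEALTH, DECRYPT_OUTBOUND]
WRONG_ORDER = [DECRYPT_OUTBOUND, NO_DECRYPT_FINANCE_HEALTH]

# Constructed flows: an online-banking session and an ordinary web session.
BANK_FLOW = {"source": "trust", "destination": "untrust",
             "url_category": "financial-services", "service": "service-https"}
NEWS_FLOW = {"source": "trust", "destination": "untrust",
             "url_category": "news", "service": "service-https"}

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER),
                         ("wrong order", WRONG_ORDER)):
        print(label, "bank ->", evaluate(rules, BANK_FLOW),
              "news ->", evaluate(rules, NEWS_FLOW),
              "misordered:", misordered_exceptions(rules))
```

With the exception listed first, the banking session is left encrypted and the news session is decrypted; with the order reversed, both are decrypted and misordered_exceptions names the pair that needs to be swapped.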
Exclude a Server from Decryption

You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.

Exclude a Server from Decryption

Step 1   Import the targeted server certificate onto the firewall:
  1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
  2. Enter a descriptive Certificate Name.
  3. Browse for and select the targeted server Certificate File.
  4. Click OK.

Step 2
Enable Users to Opt Out of SSL Decryption

In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that the user tries to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the user attempts to access an HTTPS site.

The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.

Enable Users to Opt Out of SSL Decryption

Step 1   (Optional) Customize the SSL Decryption Opt-out Page.
  1. Select Device > Response Pages.
  2. Select SSL Decryption Opt-out Page.
  3. Select the Predefined page and click Export.
  4. Using the HTML text editor of your choice, edit the page.
  5. If you want to add an image, host the image on a web server that is accessible from your end user systems. Prefer a server you control, referenced over HTTPS: the page is delivered inside the intercepted HTTPS session, so a plain-http image is mixed content, and an image fetched from a third-party host tells that host about every user who is shown the page.
  6. Add a line to the HTML to point to the image. For example:
     <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
  7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
  8. Select Device > Response Pages.
  9. Select SSL Decryption Opt-out Page.
  10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  11. (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  12. Click OK to import the file.
  13. Select the response page you just imported and click Close.

Step 2   Enable SSL Decryption Opt Out.
  1. Select Device > Response Pages.
  2. Select SSL Decryption Opt-out Page and enable it.
  3. Commit the changes.

Step 3   Verify that the Opt Out page displays when you attempt to browse to a site.
  From a browser, go to an encrypted site that matches your decryption policy.
  Verify that the SSL Decryption Opt-out response page displays.
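Before importing a customized page (steps 5, 7, and 10 of Step 1 above), it is worth checking mechanically that the file is still UTF-8 and that every image it references is absolute, served over HTTPS, and hosted where your users can reach it without reporting to a third party. The following Python script is an added example, not part of the guide or of PAN-OS; the internal host name assets.corp.example and the sample pages are constructed, and the first sample reuses the guide's own img line so that the check's findings can be seen.

```python
"""Pre-import checks for a customized SSL Decryption Opt-out page
(added example). Verifies UTF-8 encoding and inspects every <img src>.
The internal host list and the sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: web servers your end-user systems can reach for page assets.
INTERNAL_HOSTS = {"assets.corp.example"}


class ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag (self-closing too)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def check_page(raw, internal_hosts=INTERNAL_HOSTS):
    """Return a list of findings for a response page; [] means it is
    ready to import."""
    try:
        text = raw.decode("utf-8")  # the firewall expects UTF-8
    except UnicodeDecodeError as exc:
        return ["not valid UTF-8: %s" % exc]
    parser = ImgCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for src in parser.sources:
        url = urlparse(src)
        if not url.hostname:
            # The firewall serves only the page itself, not its assets.
            findings.append("image URL must be absolute: " + src)
            continue
        if url.scheme == "http":
            # The page answers an HTTPS request, so this is mixed content.
            findings.append("insecure image URL: " + src)
        if url.hostname not in internal_hosts:
            # That host learns the address of every user shown the page.
            findings.append("image hosted outside your network: " + src)
    return findings


# Constructed sample pages: the guide's example <img> line, a corrected
# version, and a file saved in the wrong encoding.
SAMPLE_GUIDE_IMG = (
    "<html><body><h1>SSL decryption notice</h1>"
    '<img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>'
    "</body></html>"
).encode("utf-8")
SAMPLE_FIXED = (
    "<html><body><h1>SSL decryption notice</h1>"
    '<img src="https://assets.corp.example/acme-logo-96x96.png"/>'
    "</body></html>"
).encode("utf-8")
SAMPLE_LATIN1 = "<p>D\u00e9chiffrement SSL</p>".encode("latin-1")

if __name__ == "__main__":
    for name, page in (("guide", SAMPLE_GUIDE_IMG), ("fixed", SAMPLE_FIXED),
                       ("latin1", SAMPLE_LATIN1)):
        print(name, check_page(page) or "ok")
```

Run it against the exported and edited file (read as bytes) before step 10; an empty result means the page keeps its encoding and none of its images will be blocked as mixed content or leak user visits to an outside host.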
Configure Decryption Port Mirroring

Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring. Mirrored traffic leaves the firewall in clear text, so connect the Decrypt Mirror interface only to the collection or analysis device it is intended for.

Configure Decryption Port Mirroring

Step 1   Request a license for each firewall on which you want to enable decryption port mirroring.
  1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
  2. Select the entry for the firewall you want to license and select Actions.
  4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
  5. Click Activate.

Step 2   Install the Decryption Port Mirror license on the firewall.
  1. Select Device > Licenses.
  2. Click Retrieve license keys from license server.
  3. Verify that the license has been activated on the firewall.
  4. Reboot the firewall.

Step 3   Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
  On a firewall with a single virtual system:
  1. Select Device > Setup > Content-ID.
  2. Select the Allow forwarding of decrypted content check box.
  3. Click OK to save.
  On a firewall with multiple virtual systems:
  1. Select Device > Virtual Systems.
  2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
  3. Select Allow forwarding of decrypted content.
  4. Click OK to save.

Step 4   Enable an Ethernet interface to be used for decryption mirroring.
  1. Select Network > Interfaces > Ethernet.
  2. Select the interface to use for mirroring.
  3. Set the Interface Type to Decrypt Mirror.
  4. Click OK to save.

Step 5   Enable mirroring of decrypted traffic.
  1. Select Objects > Decryption Profile and Add a profile or select an existing one to edit.
  2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type Decrypt Mirror.
  3. Specify whether to mirror decrypted traffic before or after policy enforcement. By default, the firewall mirrors all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to mirror decrypted traffic only after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
  4. Click OK to save the decryption profile.

Step 6   Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
  1. Select Policies > Decryption.
  2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
  3. In the Options tab, select Decrypt and the Decryption Profile created in Step 5.
  4. Click OK to save the policy.

Step 7   Save the configuration.
  Click Commit.
Temporarily Disable SSL Decryption

In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot. While decryption is disabled, traffic that matches your decryption rules passes through encrypted and uninspected, so re-enable decryption as soon as troubleshooting is complete.

Temporarily Disable SSL Decryption
  Disable SSL Decryption
  Re-enable SSL Decryption