How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

All Places > Knowledge Base > Documents

How to Implement and Test SSL

Decryption Version 37

created by nrice on Apr 17, 2010 3:39 PM, last modified by panagent on Mar 13, 2015 12:40 PM

Overview
PAN-OS has the ability to decrypt and inspect SSL connections going through the firewall. Both inbound and
outbound SSL connections can be decrypted and inspected. SSL decryption can occur on interfaces in virtual
wire or Layer 3 mode. The SSL rulebase is used to configure which trac to decrypt. In particular, decryption can
be based upon URL categories as well as source user, and source/target addresses. Once trac is decrypted,
tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats/URL
filtering/file blocking/data filtering. Note that decrypted trac is never sent o of the device.

Inbound SSL decryption

In this case, trac would be inbound destined to an internal Web Server or device. In order to configure this
properly, the administrator imports a copy of the protected servers certificate and key. Once the SSL server
certificate is loaded on the firewall, and a SSL decryption policy is configured for the inbound trac, the device
will be able to decrypt and read the trac as it forwards it on. No changes will be made to the packet data, and
the secure channel will be built from the client system to the internal server. The firewall will be able to detect
malicious content and control applications running over this secure channel.

Outbound SSL decryption (called SSL forward proxy)

In this case, the firewall proxies outbound SSL connections. It intercepts the outbound SSL requests and
generates a certificate on the fly, for the site the user wishes to visit. The validity date on the PA-generated
certificate is taken from the validity date on the real server certificate.
The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewalls certificate is
not part of an existing hierarchy, or is not added to a clients browser cache, then the client will receive a warning
message when browsing to a secure site. If the real server certificate has been issued by an authority not trusted
by the Palo Alto Networks firewall, then the decryption certificate will be issued using a second untrusted CA
key. This is to insure that the user will be warned if there are subsequent man-in-the-middle attacks occurring.

The following is an overview of the steps to configure SSL decryption:

1. Configure the firewall to handle trac and place it in the network.
2. Ensure the proper Certificate Authority is on the firewall.
3. Configure SSL decryption rules.
4. Enable SSL decryption notification page (optional).
5. Commit changes, and test decryption.

Step 1: Configure the firewall to handle trac and place it in the network
This document assumes that the Palo Alto Networks firewall is already configured with working Interfaces(Virtual
Wire or Layer 3), Zones, Security Policy and already be passing trac.

https://live.paloaltonetworks.com/docs/DOC-1412 Page 1 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Step 2: Loading or Generating a CA certificate on the Palo Alto Networks firewall

Because a Certificate Authority (CA) is required to decrypt trac properly by generating SSL certificates on the fly,
a self-signed CA needs to be created on the Firewall or a Subordinate CA needs to be imported and the "Forward
Trust Certificate" and "Forward Untrust Certificate" need to be selected on 1 or more certificates before the
Firewall is able to decrypt trac.
NOTE: Because SSL Certificate providers like Entrust, Verisign, Digicert and GoDaddy do not sell CA's, they are
not supported for use in SSL Decryption.

In the firewall GUI, go to Device > Certificates. Load or generate a certificate for either inbound inspection, or for
outbound (forward proxy) inspection.

Steps to Generate a Self Signed Certificate

It is recommended to use a Self Signed Certificate. For information on generating a Self Signed Certificate, please
see the following document:
How to Generate a New Self-Signed Certificate

Steps to generate and import a certificate from Microsoft Certificate Server

1. On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate
template subordinate CA. Download the cert.
2. Once the certificate is downloaded, it will need to be exported from the local certificate store. In IE, this is
accomplished by accessing the Internet Options dialog, selecting the Content tab and pressing the
Certificates button. The new certificate should be in the Personal certificate store and can then be exported
from there. The export button will invoke the Certificate Export Wizard. Select to export the private key and
then select the format. A prompt will appear to supply a passphrase and a file name/ location for the
resulting file. The certificate will be in a PFX format (PKCS #12).
3. To extract the certificate, use this openSSL[4] command:
openssl pkcs12 in pfxfilename.pfx out cert.pem nokeys
4. To extract the key, use this openSSL command:
openssl pkcs12 in pfxfilename.pfx out keyfile.pem -nocerts
5. Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab >
Certificates screen.
6. In the case of an HA Pair, also load these files into the second Palo Alto Networks firewall, or copy the
certificate and key via the High Availability widget on the dashboard.

See the screenshot below showing how the "Forward Trust" and "Forward Untrust" certificate

https://live.paloaltonetworks.com/docs/DOC-1412 Page 2 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

NOTE: If a self-signed CA is used, the public CA Certificate will need to be exported from the Firewall, and
installed as a Trusted Root CA on each machines Browser to avoid Untrusted Certificate error messages inside
your browser. Normally Network Administrators will go through and use GPO to push out this certificate to each
workstation.

Examples of browser errors that can be seen from the browser if the Self Signed CA Certificate is not trusted:

Firefox untrusted CA error:

https://live.paloaltonetworks.com/docs/DOC-1412 Page 3 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Chrome untrusted CA error:

Internet Explorer untrusted CA error:

https://live.paloaltonetworks.com/docs/DOC-1412 Page 4 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Step 3: Configuring SSL decryption rules

It is up to every administrator to determine what does and what does not need to decrypted. Below are some
suggestions for configuring SSL decryption rules:
Implement rules in a phased approach. Start with very specific rules for decryption, and monitor the typical
number of SSL connections being decrypted by the device (refer to Appendix A for those commands).
Avoid decrypting the following URL categories, as users may consider this to be an invasion of privacy:
Financial services
Health-and-medicine
Do not decrypt applications where the server requires client-side certificates(for identification).
You can either block or allow connections requiring client authentication via the decryption profile
feature introduced in PAN-OS 5.0.

Here is an example outbound rulebase that follows the above suggestions:

Step 4: Enable SSL decryption notification web page (optional)

https://live.paloaltonetworks.com/docs/DOC-1412 Page 5 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

The user can be notified that their SSL connection is going to be decrypted using the response page found
on the Device tab > Response Pages screen. Click "Disabled" and then check the "Enable SSL Opt-out
Page" option and hit OK.

This page can be exported, edited via an html editor, and imported to give company-specific information.
Here is an example of the default page:

Step 5: Testing
To test outbound decryption:
Make sure that in the outbound policy, the action is to alert for any viruses found. Also enable packet
capture on that anti-virus security profile. Commit any changes made.
On a PC internal to the firewall, go to www.eicar.org. In the top-right hand corner:

Click on Download anti-malware testfile.

In the screen that appears, scroll down to the bottom.
Download the eicar test virus using http. Any of the 4 files shown here will be detected.

https://live.paloaltonetworks.com/docs/DOC-1412 Page 6 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Go to the Monitor tab > Threat log, and look for the log message that detects the eicar file

Click on the green down arrow in the left-hand column. This brings up a view of the packets that were
captured.

https://live.paloaltonetworks.com/docs/DOC-1412 Page 7 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Also, click on the magnifying class in the far left column to see the log detail.

Scroll to the bottom, and look for the field Decrypted. The session was not decrypted:

https://live.paloaltonetworks.com/docs/DOC-1412 Page 8 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Go back to the www.eicar.org downloads page. This time use SSL enabled protocol HTTPS to download the
test virus.

Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. A
log message that shows Eicar was detected in web browsing on port 443 will be visible.

https://live.paloaltonetworks.com/docs/DOC-1412 Page 9 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

View the packet capture (optional) by clicking on the green down arrow.

To the left of that log entry, click on the magnifying class. Scroll to the bottom, and look for the field
Decrypted and it should be checked:

https://live.paloaltonetworks.com/docs/DOC-1412 Page 10 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Therefore, the virus was successfully detected in an SSL-encrypted session.

To test the no-decrypt rule, first determine what URLs fall into the financial services, shopping, or health and
medicine categories. For BrightCloud, go to http://www.brightcloud.com/testasite.aspx For PAN-DB, use Palo
Alto Networks URL Filtering - Test A Site , and enter a URL to see what the category is.
Once web sites that are classified into categories that will NOT be decrypted are found, use a browser to go to
those sites using https. There should not be a certificate error when going to those sites. The web pages will be
displayed properly. Trac logs will show the sessions on which application SSL going over port 443, as expected

To test inbound decryption:

Examine the trac logs that are dated PRIOR to when SSL is enabled for inbound decryption on the firewall.
Look at trac targeted towards the internal servers. In those logs, the application detected should be ssl,
going over port 443.
From a machine outside of the network, connect via SSL to a server in the DMZ. There will be no certificate
errors, as the connection is not being proxied, just inspected.
Examine the logs for this inbound connection. The applications will not be ssl, but the actual applications
found inside the SSL tunnel. Click on the magnifying glass icon in those log entries to confirm that the
connections were decrypted.

https://live.paloaltonetworks.com/docs/DOC-1412 Page 11 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Appendix A
Helpful CLI Commands
To see how many existing SSL decryption sessions are going through the device at this moment:
> debug dataplane pool statistics | match Proxy

Here is output from a PA-2050, where the first command shows 1024 available sessions, and the output of the
second command shows there are 5 SSL sessions being decrypted (10241019=5):
admin@test> debug dataplane pool statistics | match Proxy
[18] Proxy session : 1019/1024 0x7f00723f1ee0

To see the active sessions that have been decrypted:

> show session all filter ssl-decrypt yes state active

The following is the maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0 and
6.1(both directions combined):
Hardware SSL Decypted Session Limit
VM-100 1,024 sessions
VM-200 1,024 sessions
VM-300 1,024 sessions
PA-200 1,024 sessions
PA-500 1,024 sessions
PA-2020 1,024 sessions
PA-2050 1,024 sessions
PA-4020 7,936 sessions
PA-4050 23,808 sessions
PA-4060 23,808 sessions
PA-5020 15,872 sessions
PA-5050 47,616 sessions
PA-5060 90,112 sessions

https://live.paloaltonetworks.com/docs/DOC-1412 Page 12 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

PA-7000-20G-NPC 131,072 sessions

PA-7050 786,432 sessions

If the limit is reached, all new SSL sessions go through as undecrypted SSL. To drop any new SSL sessions
beyond the session limit of the device:
> set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check if there are any sessions hitting the limit of the device:
> show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificate:

> show system setting ssl-decrypt certificate

Certificates for Global

SSL Decryption CERT

global trusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7 ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1

global untrusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7 ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1

To view SSL decryption settings:

> show system setting ssl-decrypt setting

vsys : vsys1

https://live.paloaltonetworks.com/docs/DOC-1412 Page 13 of 20
How to Implement and Test SSL Decryption | Palo Alto Networks Live 3/24/15, 6:50 AM

Forward Proxy Ready : yes

Inbound Proxy Ready : no
Disable ssl : no
Disable ssl-decrypt : no
Notify user : no
Proxy for URL : no
Wait for URL : no
Block revoked Cert : yes
Block timeout Cert : no
Block unknown Cert : no
Cert Status Query Timeout : 5
URL Category Query Timeout : 5
Fwd proxy server cert's key size: 0
Use Cert Cache : yes
Verify CRL : no
Verify OCSP : no
CRL Status receive Timeout : 5
OCSP Status receive Timeout : 5
Block unknown Cert : no

For a list of resources about SSL Decryption, please see:

SSL Decryption Resources

For more information on supported Cipher Suites for SSL Decryption, please see:
Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites
Limitations and Recommendations While Implementing SSL Decryption
How to Identify Root Cause for SSL Decryption Failure Issues

NOTE: If you think anything else needs to be added to this document, please comment below.

owner: jdelio

53876 Views Categories: Certificates , Policies

Tags: decryption, ssl_decryption_policy, how_to_configure, implement, test_ssl_decryption

Average User Rating

(28 ratings)

27 Comments

https://live.paloaltonetworks.com/docs/DOC-1412 Page 14 of 20