

Other users also

How to Implement and Test SSL Decryption viewed:
Created On 09/25/18 17:18 PM - Last Modified 02/10/21 02:37 AM 483396

CLI DECRYPTION POLICY LAYER 2 LAYER 3 POLICY BASED FORWARDING SSH PROXY How to Con gure SSL
Decryption
SSL FORWARD PROXY DECRYPTION POLICY PAN-OS

How to Generate a
Symptom New Self-Signed SSL
Overview Certi cate
PAN-OS can decrypt and inspect inbound and outbound SSL connections going through a Palo
Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2, or Layer 3 Resource List: SSL
mode by using the SSL rule base to configure which traffic to decrypt. In particular, decryption can Decryption
be based upon URL categories, source users, and source/destination IP addresses. Once traffic is Con guring and
Troubleshooting
decrypted, tunneled applications can be detected and controlled, and the decrypted data can be
inspected for threats, URL filtering, file blocking, or data filtering. Decrypted traffic can also be sent
off the device by using a Decryption Port mirror (see Configure Decryption Port Mirroring). How to Identify Root
Cause for SSL
  Decryption Failure
Issues

Difference Between
Environment SSL Forward-Proxy
Palo Alto Firewalls. and Inbound

Feedback
Any PAN-OS. Inspection
SSL Decryption. Decryption Mode

Cause Actions
Inbound SSL Decryption
In the case of inbound traffic to an internal web server or device, the administrator imports a copy  Print
of the protected server’s certificate and private key. When the SSL server certificate is loaded on the
 Copy Link
firewall and an SSL decryption policy is configured for the inbound traffic, the device then decrypts
and reads the traffic as it is forwarded. No changes are made to the packet data, and the secure
channel is from the client system to the internal server. The firewall can then detect malicious
content and control applications running over this secure channel. Attachments

Outbound SSL Decryption (SSL Forward Proxy)

In this case, the firewall proxies outbound SSL connections by intercepting outbound SSL requests Choose Language
and generating a certificate on the fly for the site that the user wants to visit. The validity date on
English
the PA-generated certificate is taken from the validity date on the real server certificate.

The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the
firewall’s certificate is not part of an existing hierarchy or is not added to a client’s browser cache,
then the client receives a warning when browsing to a secure website. If the real server certificate
has been issued by an authority not trusted by the Palo Alto Networks firewall, then the decryption
certificate is using a second “untrusted” Certificate Authority (CA) key to ensure the user is warned
of any subsequent man-in-the-middle attacks.

Resolution
To configure SSL decryption:

1. Configure the firewall to handle traffic and place it in the network

 2. Make sure the proper Certificate Authority (CA) is on the firewall
3. Configure SSL decryption rules
4. Enable SSL decryption notification page (optional)

5. Commit changes and test decryption

Steps to Configure SSL Decryption

1. Configure the Firewall to Handle Traffic and Place it in the Network

Make sure the Palo Alto Networks firewall is already configured with working interfaces (i.e., Virtual
Wire, Layer 2, or Layer 3), Zones, Security Policy, and already passing traffic.

2. Load or Generate a CA Certificate on the Palo Alto Networks Firewall

A Certificate Authority (CA) is required to decrypt traffic properly by generating SSL certificates on
the fly. Create a self-signed CA on the firewall or import a Subordinate CA (from your own PKI
infrastructure). Select Forward Trust Certificate  and then Forward Untrust Certificate  on one or
more certificates to enable the firewall to decrypt traffic.

NOTE: Because SSL certificate providers such as Entrust, Verisign, Digicert, and GoDaddy do not
sell CAs, they are not supported in SSL Decryption.

From the firewall web interface, go to Device > Certificates. Load or generate a certificate for either
inbound inspection or outbound (forward proxy) inspection.

Feedback
 

Generating a Self-Signed Certificate

Using a Self-Signed Certificate is recommended. For information on generating a Self-Signed

Certificate, please review the following Knowledge article: How to Generate a New Self-Signed SSL
Certificate.
 

Generating and Importing a Certificate from Microsoft Certificate Server

1. On the Microsoft Certificate Server for your organization, request an advanced

certificate using the certificate template “subordinate CA.” Download the cert.
2. After downloading, export the certificate from the local certificate store. In Internet
Explore (IE), access the Internet Options dialog, select the Content tab, then click
the Certificates button. The new certificate can be exported from the personal
certificates store. Select Certificate Export Wizard, export the private key, then select
the format. Enter a passphrase and a file name and location for the resulting file. The
certificate will be in a PFX format (PKCS #12).
3. To extract the certificate, use this openSSL[4] command:
openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
4. To extract the key, use this openSSL command:
openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
5. Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on
the Device tab > Certificates screen.
6. In the case of a High Availability (HA) Pair, also load these files into the second Palo
Alto Networks firewall, or copy the certificate and key via the High Availability widget
on the dashboard.

The "Forward Trust" and "Forward Untrust" certificates:

 

Feedback
 

NOTE: If you're using a self-signed CA, export the public CA certificate from the firewall
and install the certificate as a Trusted Root CA on each machine's browser to avoid
Untrusted Certificate error messages inside your browser. Network administrators usually
use GPO to push out this certificate to each workstation.

IMPORTANT NOTE: Never set both checkboxes "Forward Trust Certificate" and "Forward Untrust Certificate" in the same
certificate, and do not have the "Forward Untrust Certificate" deployed under a trusted certificate chain. If you do this, it will
cause the firewall to present client devices with a CA certificate they trust, even when they connect to websites or
applications that are presenting with invalid certificates to the firewall.

Below are some examples of browser errors if the self-signed CA Certificate is not trusted.

Firefox untrusted CA error:

 

Chrome untrusted CA error:

Feedback
 

Internet Explorer untrusted CA error:

 

3. Configure SSL Decryption Rules

The network administrator determines what needs to be decrypted. A few suggestions for
configuring SSL decryption rules:

Implement rules in a phased approach. Start with specific rules for decryption, and monitor
the typical number of SSL connections being decrypted by the device.

Feedback
Avoid decrypting the following URL categories, as users may consider this an invasion of
privacy:
Financial services
Health and medicine

Do not decrypt applications where the server requires client-side certificates (for identification).
You can either block or allow connections requiring client authentication via the decryption
profile feature introduced in PAN-OS 5.0.

Here is an example of an outbound rule base following suggestions for decryption:

4. Enable SSL Decryption Notification Web Page (optional)

The user can be notified that their SSL connection will be decrypted using the response page
found on the Device tab > Response Pages screen. Click Disabled, check the Enable SSL Opt-
 out Page option, and click OK.

The default SSL Opt-out page can be exported, edited via an HTML editor, and imported to provide
company-specific information:

Feedback
5. Test Outbound Decryption

To test outbound decryption:

In the outbound policy, make sure the action is set to alert for any viruses found. Also, enable
packet capture on that anti-virus security profile. Commit any changes made.
On a PC internal to the firewall, go to www.eicar.org. In the top right corner, you should see
this:

Click “Download anti-malware testfile."

In the screen that appears, scroll to the bottom.
Download the eicar test virus using HTTP. Any of the these four files will be detected.

Go to the Monitor tab > Threat log and then look for the log message that detects the eicar
file.

 
 
Click the green arrow in the column on the left to view the captured packets.


Feedback
 
Click the magnifying glass in the far left column to see the log detail.

 
 Scroll to the bottom, and look for the field “Decrypted.” The session was not decrypted:

Feedback
 
Go back to the www.eicar.org downloads page. This time use SSL enabled protocol HTTPS to
download the test virus.

 
Examine the threat logs. The virus should have been detected since the SSL connection was
decrypted. A log message that shows eicar was detected in web browsing on port 443 will be
visible.

 
 View the packet capture by clicking the green arrow. (optional)

Feedback
To the left of that log entry, click the magnifying glass. Scroll to the bottom. Under Flags, check
to see if the “Decrypted” box is checked:

 
The virus was successfully detected in an SSL-encrypted session.

  
To test the “no-decrypt” rule: 

First, determine what URLs fall into financial services, health and medicine categories, and any
categories that decryption is not enabled.  For BrightCloud, go to
http://www.brightcloud.com/testasite.aspx. For PAN-DB, use Palo Alto Networks URL Filtering -
Test A Site and enter a URL to identify the category.
Once websites are classified into categories and will not be decrypted are found, use a browser
to go to those websites using HTTPS. There should be no certificate error when going to those
sites. The web pages will be displayed properly. Traffic logs will show the sessions where
application SSL traverses port 443, as expected.

To Test Inbound Decryption:

Examine the traffic logs dated before enabling SSL for inbound decryption on the firewall. Look
at traffic targeted for the internal servers. In those logs, the application detected should be “ssl"
going over port 443.
From a machine outside the network, connect via SSL to a server in the DMZ. There will be no
certificate errors, as the connection is not being proxied—just inspected.
Examine the logs for this inbound connection. The applications will not be “ssl" but the actual
applications found inside the SSL tunnel. Click the magnifying glass icon in those log entries to
confirm decrypted connections.

Feedback
Helpful CLI Commands

To see how many existing SSL decryption sessions are going through the device, use this CLI
command:

> debug dataplane pool statistics | match proxy

Output from a PA-2050, where the first command shows 1024 available sessions, and the output
of the second command shows five SSL sessions being decrypted (1024–1019=5):

admin@test> debug dataplane pool statistics | match proxy

[18] proxy session            :    1019/1024    0x7f00723f1ee0

To see the active sessions that have been decrypted, use this CLI command:

> show session all filter ssl-decrypt yes state active

Maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0, and 6.1 (both
directions combined):
 Hardware SSL Decrypted Session Limit
VM-100
VM-200
1,024 sessions

1,024 sessions
VM-300 1,024 sessions
PA-200 1,024 sessions
PA-500 1,024 sessions
PA-2020 1,024 sessions
PA-2050 1,024 sessions
PA-3020 7,936 sessions
PA-3050 15,360 sessions
PA-3060 15,360 sessions
PA-4020 7,936 sessions
PA-4050 23,808 sessions
PA-4060 23,808 sessions
PA-5020 15,872 sessions
PA-5050 47,616 sessions
PA-5060 90,112 sessions
PA-7000-20G-NPC 131,072 sessions
PA-7050 786,432 sessions
 

If the limit is reached, all new SSL sessions go through as undecrypted SSL. To drop any new SSL
sessions beyond the session limit of the device, use this CLI command:

> set deviceconfig setting ssl-decrypt deny-setup-failure yes

Feedback
To check if there are any sessions hitting the limit of the device, use this CLI command:

> show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificate, use this CLI command:

> show system setting ssl-decrypt certificate

Certificates for Global

SSL Decryption CERT


global trusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8  f7                      ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1

global untrusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8  f7                      ...~.... .

Feedback
rsa key size 2048 siglen 2048
basic constraints extension CA 1

To view SSL decryption settings, use this CLI command:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready          : yes
Inbound Proxy Ready          : no
Disable ssl                  : no
Disable ssl-decrypt          : no
Notify user                  : no
Proxy for URL                : no
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout    : 5
URL Category Query Timeout    : 5
Fwd proxy server cert's key size: 0
Use Cert Cache                : yes
Verify CRL                    : no
Verify OCSP                  : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout  : 5
Block unknown Cert            : no

 
 Additional Information

For a list of resources about SSL Decryption, please refer to the following Knowledge article:
SSL Decryption Quick Reference - Resources

For more information on supported Cipher Suites for SSL Decryption, please refer to the following:

SSL Decryption Not Working Due to Unsupported Cipher Suites

Limitations and Recommendations While Implementing SSL Decryption

How to Identify Root Cause for SSL Decryption Failure Issues

Attachments

COMPANY
About Palo Alto Networks

Careers

Feedback
LEGAL NOTICES
Privacy

Terms of Use

RESOURCES
Support

Live Community

Email Preferences

Learning Center (Beacon)

Technical Documentation

a51e12a918ebc5e13df4fa789ea5f12b206b9b88618b27aae24c669a71415fa9
© 2022 Palo Alto Networks, Inc. All rights reserved.