Using Decryption To Block Threats In Encrypted Traffic


SSL/TLS review

Importance of SSL/TLS

Why Decrypt Network Traffic?

...SSL decryption on the firewall helps to prevent the introduction of malware -->in .... Data exfiltration -->out .

.create policy rules to decrypt traffic preventing malicious encrypted content from entering your network and sensitive content from leaving your network concealed as encrypted traffic. ...Palo Alto Networks firewall can decrypt SSHv2 and SSL/TLS inbound and outbound network traffic.

SSL/TLS Operation Review

Firewall Decryption Types

..firewall provides 3 types of Decryption policy rules:

  • SSL Forward Proxy to control outbound SSL
  • SSL Inbound Inspection to control inbound SSL traffic
  • SSH Proxy to control tunnelled SSH

traffic. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish the

..SSH decryption does not require certificates.

>>Certificate management

Public Key Infrastructure (PKI)

Root CA-- Certifies Intermediate CA -- Certifies Device

..Palo Alto Networks firewalls support X.509 format certificates. ..public key infrastructure solves the problem of verifying the identity of a public key owner.  ..PKI certificate authority (or CA) provides services that authenticate devices, services, and people by issuing the certificates that confirm their identity and public key.  ..trusted CAs can be updated by a user or by a device software update.

Certificate Chain of Trust

Root CA-- Trust Intermediate CA -- Trust Device

Certificate Management in the Web Interface

Device  > Certificate Management > Certificates

Certificate Hierarchy

Certificate Creation Overview

Generate a Self-Signed Certificate

Device > Certificate Management > Certificates > Add

Import a CA Certificate

Certificate Signing Request (CSR)

Generate a CSR for the CA Signed Certificate

Certificate Checking and Revocation

Configuring SSL Decryption Certificate Revocation Checking

Device > Setup > Session > Certificate Revocation Checking

>>SSL/TLS decryption

SSL Forward Proxy Review

..The SSL client and the firewall must have access to a common CA for the client to validate the identity of the firewall.

Two SSL tunnels have been established: one between the client and the firewall, and another between the firewall and the server. The firewall acts as an SSL proxy between the client and server and can decrypt and inspect data flowing between the client and server.

Forward Trust and Forward Untrust Certificates a trusted third party, the firewall uses its forward trust or forward untrust certificates to inform the SSL client whether the firewall has verified the validity of the web server’s certificate.

Configure a Forward Trust Certificate

Device > Certificate Management > Certificates

Configure a Forward Untrust Certificate

Device> Certificate Management > Certificates

Renew an SSL Forward Untrust Certificate

Device > Certificate Management > Certificates

Configure SSL Forward Proxy Decryption Policy

Policies > Decryption

Not all traffic should be decrypted. Some traffic cannot legally be decrypted, depending on local laws and regulations concerning health records, financial records, and other privacy concerns.

Forward Proxy Decryption Profile

Objects > Decryption > Decryption Profile

Create the Corresponding Security Policy Rules

Policies > Security

SSL Inbound Inspection Review

.. deploy the certificates that are used by SSL to confirm an endpoint identity. The SSL server and client must share a CA that is common to them both for the client to be able to validate the server identity...  ..import the private key and certificate of the server into the firewall.

Import Server Certificate and Private Key

Device > Certificate Management > Certificates > Import

Configure an SSL Inbound Inspection Policy

Policies > Decryption > Add

The firewall enforces the Decryption Profile settings on traffic matched to the Decryption policy rule... 

Ensure that you also create a Security policy rule that allows the encrypted traffic to pass through the firewall.

Configure an Inbound Inspection Decryption Profile

Objects > Decryption > Decryption Profile > Add

Decryption Profile enables the firewall to perform checks on decrypted traffic and traffic that you have excluded from decryption. You should block sessions using unsupported versions or cipher suites.

Decryption Exclusions

Device > Certificate Management > SSL Decryption Exclusion

..Decryption exclusions prevent the firewall from attempting to decrypt traffic to specific websites. 

No Decryption

Policies > Decryption

and Objects > Decryption Profile > Add

..use for to block sessions with expired or untrusted certificates...

SSL Decryption Troubleshooting

Monitor > Logs > Decryption

 and ACC > SSL Activity

Troubleshoot SSL Session Terminations

Monitor > Logs > Traffic

Session End Reason  

decrypt cert validation :
decrypt unsupport param : 
decrypt error : 

Decryption in the Traffic Log

Monitor > Logs > Traffic

>>SSH decryption

SSH Decryption

in encrypted SSH tunnels. SSH tunnels are a common way to subvert firewalls and breach security policies. SSH does not require digital certificates, as SSL does. The firewall can decrypt, inspect, and re encrypt inbound and outbound SSHv2 connections passing through the firewall. With SSH Proxy, separate SSH sessions are created between the client and the firewall, and the firewall and the server.

SSH Traffic and the Security Policy

Policies> Security > Add

>> Other decryption methods and features

Reasons to Not Configure SSL Decryption

Decryption is not a good choice when it is not allowed by local laws or company policy governing personal, financial, medical, government, and military information.

Decryption Port Mirroring

The decryption port mirroring feature enables a firewall to forward packet captures of decrypted traffic to a traffic collection tool, such as NetWitness or Solera, for archiving and analysis. ..for organizations that require comprehensive data capture for forensic and historical purposes or to enhance data loss prevention functionality.

Network Packet Broker

OS 10.1 the Network Packet Broker feature replaces the Decryption Broker

Hardware Security Modules (HSMs)

An HSM is a physical device that generates, stores, and manages digital keys. It provides logical and physical

Hardware Security Modules (HSMs)

Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.)
malware introduction
denial of service attacks
sensitive data exfiltration
protocol based attacks
True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.
Which type of firewall decryption requires the administrator to import a server certificate and a private
key into the firewall?
SSH decryption
SSH tunnel decryption
SSL Forward Proxy decryption
SSL Inbound Inspection decryption
True or false? The SSL forward untrust certificate should not be trusted by the client but should still be a
CA certificate.


1 Which feature can be configured to block sessions that the firewall cannot decrypt?

a. Decryption profile in security policy NO

b. Decryption profile in security profile <--NO

c. Decryption profile in decryption policy

d. Decryption profile in PBF

2 What is default setting for "Action" in a decryption policy rule?

a. Any NO

b. None

c. Decrypt <--NO

d. No-decrypt

3. Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server?

a. SSL Forward Proxy

b. SSH

c. SSL Inbound Inspection <--NO

d. SSL Outbound Inspection NO

4. When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing?

a. Encryption-ID

b. Content-ID

c. App-ID

d. User-ID

5. Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers?

a. SSL Forward Proxy

b. SSL Inbound Inspection

c. SSL Outbound Inspection

d. SSH

 6 True . In the Next Generation Firewall, even if the Decryption policy rule action is “no-decrypt,” the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.

7. Which two types of activities does SSL/TLS decryption on the firewall help to block? 

If you choose an incorrect choice your question score will be deducted

a. denial-or-service attacks NO

b. malware introduction YES

c. protocol-based attacks

d. sensitive data exfiltration <--

8. false? If OCSP and CRL are configured on a firewall, CRL is consulted first.

9. Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?

a. SSL Inbound Inspection Decryption 

b. SSH Decryption

c. SSH Tunnel Decryption

d. SSL Forward Proxy Decryption

10. True The SSL forward untrusted certificate should not be trusted by the client but should still be a CA certificate.

11. True The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.