Before digging into Palo Alto SSL Decryption, let's first understand what decryption means on the firewall.
What is Decryption?
Palo Alto Networks firewalls can decrypt and inspect encrypted traffic to gain visibility of the threats hidden inside it, to control which protocols and protocol versions are used, to verify certificates and to define how verification failures are handled. A decryption policy lets the firewall apply the customer's configured security policies to encrypted traffic instead of passing it through blind. For each decrypted session the firewall decrypts the traffic as it enters, inspects it, and re-encrypts it before it leaves the firewall, so the two endpoints still talk over an encrypted channel. Below are the three ways in which a Palo Alto firewall can decrypt traffic:
- SSH Proxy
- SSL Inbound Inspection
- SSL Forward Proxy (SSL Decryption)
SSH Proxy is the way the firewall decrypts and inspects SSH traffic passing through it, including SSH tunnels (port forwarding), which are otherwise a convenient way to smuggle other applications through the firewall inside an allowed SSH session. It does not require certificates: the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up. With SSH decryption enabled, the firewall decrypts the SSH sessions that match your decryption policy and re-encrypts the traffic as it exits the firewall. Because the firewall acts as a man in the middle, the client is presented with the firewall's host key rather than the real server's, so clients that already know the server's key will raise a host-key mismatch warning the first time they connect through the proxy.
Configuration of SSH Proxy
SSL Inbound Inspection
SSL Inbound Inspection is used to inspect the communication to a web server protected by the firewall. The firewall decrypts the traffic using that internal web server's SSL certificate and private key, both of which have to be imported on the firewall. With an SSL Inbound Inspection decryption policy configured, the firewall decrypts the SSL traffic to that server that matches the policy, then blocks, restricts or allows it based on the decryption profile and on the security profiles applied to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering and File Blocking profiles. Since the firewall now holds the server's private key, protect it as carefully as on the server itself: restrict who can import and export certificates on the firewall, and keep the key in an HSM where one is available.
Configuration of SSL Inbound Inspection
SSL Forward Proxy (Palo Alto SSL Decryption)
SSL Forward Proxy (SSL Decryption) is an advanced firewall feature for inspecting the traffic inside SSL-encrypted packets. The firewall sits between the client and the server: it terminates the client's SSL session, opens its own SSL session to the real server, and presents the client with a certificate that it generates on the fly for the requested site and signs with a forward-trust CA certificate that the clients must already trust. If the real server's certificate fails validation, the firewall signs the generated certificate with a separate forward-untrust CA instead, so the client still gets a certificate warning rather than a false sense of security. SSL Decryption is therefore the ability to see inside HTTPS (SSL) traffic as it passes through the Palo Alto Networks firewall:
- Without SSL Decryption: the firewall has no access to the information inside an encrypted SSL packet; it can act only on what the handshake exposes, such as the server name (SNI), and cannot identify the applications or threats carried in the payload.
- With SSL Decryption: for traffic generated from your own network, the firewall has visibility into the SSL payload and can find hidden applications and threats inside SSL traffic.
Configuration of SSL Forward Proxy
TLS 1.3 is the latest version of the TLS (Transport Layer Security) protocol, the successor to SSL. The decryption profile is where you set the minimum and maximum protocol versions and the allowed ciphers, so that obsolete versions and weak ciphers are blocked instead of decrypted and forwarded.
Once decryption is enabled, verify that it is actually happening from the firewall logs:
- View the decrypted traffic sessions.
- View the SSL traffic sessions that were not decrypted in the session logs.
- View the decryption log for a particular session by filtering on its Session ID.
- View all TLS and SSH traffic by filtering the traffic logs to show both decrypted and undecrypted TLS and SSH sessions.
In short, SSL Decryption means looking inside HTTPS (SSL) traffic as it passes through the Palo Alto Networks firewall. Without it, the firewall has no access to the information inside an encrypted SSL packet. The firewall decrypts the SSL traffic so that security profiles such as URL Filtering, Antivirus and File Blocking can scan it, then re-encrypts it toward the client. To do this it dynamically creates a certificate for the requested server and signs it with the SSL inspection (forward-trust) root certificate. Clients that do not trust that root will see certificate errors on every decrypted site, and applications that pin their server certificate will fail outright and have to be excluded from decryption.
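To make the certificate mechanics concrete, here is an added shell example, not code from the original article or from Palo Alto Networks, that uses OpenSSL to do what the firewall does internally for the two SSL modes above: for SSL Forward Proxy it creates an inspection root CA, mints a certificate for the hostname a client asked for and signs it with that CA, then validates the result from the point of view of a client that trusts the CA and one that does not; for SSL Inbound Inspection it checks that a server certificate and private key belong together before they are imported. The CA names, the hostname www.example.com and the file paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code: emulate with OpenSSL what the
# firewall does for SSL Forward Proxy (mint a per-site certificate signed by the
# inspection CA) and sanity-check a server key pair before importing it for
# SSL Inbound Inspection. CA names, the hostname and the paths are assumptions.
set -eu

WORK="$(mktemp -d)"                 # scratch directory for keys and certificates
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = file prefix, $2 = CA common name. On the
# firewall the inspection CA is the forward-trust certificate every client must trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Forward-proxy step: the client's ClientHello carries the server name (SNI).
# Generate a key and certificate for exactly that name and sign it with the
# inspection CA, as the firewall does on the fly for each new site it sees.
mint_leaf_for_sni() {
  sni="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$sni" \
    -keyout "$WORK/$sni.key" -out "$WORK/$sni.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$sni" > "$WORK/$sni.ext"
  openssl x509 -req -in "$WORK/$sni.csr" -CA "$WORK/inspection.crt" \
    -CAkey "$WORK/inspection.key" -CAcreateserial -days 7 -sha256 \
    -extfile "$WORK/$sni.ext" -out "$WORK/$sni.crt" >/dev/null 2>&1
}

# Print the issuer of the minted certificate; this is what a user sees when
# they click the padlock on a decrypted site.
leaf_issuer() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# What the client does: validate the minted certificate ($1 = hostname) against
# its own trust store ($2). Exit 0 means the chain validates, i.e. the client
# trusts the inspection CA; non-zero is the certificate warning an unprepared
# client gets. -no-CApath keeps the system CA directory out of the check.
client_validates() {
  openssl verify -no-CApath -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Inbound-inspection step: the firewall is given the real server's certificate
# and private key instead. Confirm they belong together by comparing the public
# key embedded in each ($1 = key file, $2 = certificate file); a mismatch means
# the import fails or the sessions are never decrypted.
key_matches_cert() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demonstration with constructed names.
make_ca inspection "Example Corp Forward Trust CA"
make_ca other "Unrelated Public Root"          # stands in for a client's normal trust store
mint_leaf_for_sni www.example.com
leaf_issuer www.example.com
if client_validates www.example.com "$WORK/inspection.crt"; then
  echo "client that trusts the inspection CA: chain valid, session decrypted silently"
fi
if ! client_validates www.example.com "$WORK/other.crt"; then
  echo "client without the inspection CA: chain rejected, user sees a certificate warning"
fi
if key_matches_cert "$WORK/www.example.com.key" "$WORK/www.example.com.crt"; then
  echo "server key and certificate match: safe to import for inbound inspection"
fi
```

The second `client_validates` call is the situation a rollout hits when the forward-trust CA has not yet reached every endpoint: the chain is cryptographically fine, but the client has no path to the issuer and warns the user. The `key_matches_cert` check is the same comparison worth running before handing a server's key to the firewall for inbound inspection, since a key/certificate mismatch there is a common reason why sessions show up as undecrypted.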