Decryption Best Practices
Version 10.1
[Link]
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
[Link]/company/[Link]
About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal [Link].
• To search for a specific topic, go to our search page [Link]/[Link].
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@[Link].
Copyright
Palo Alto Networks, Inc.
[Link]
©2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at [Link]/company/[Link]. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
February 5, 2021
Decryption Best Practices Version 10.1 ©2021 Palo Alto Networks, Inc.
Table of Contents
Decryption Best Practices ........ 5
Plan Your SSL Decryption Best Practice Deployment ........ 6
Deploy SSL Decryption Using Best Practices ........ 11
Follow Post-Deployment SSL Decryption Best Practices ........ 14
Decryption Best Practices
You can’t protect your network against threats you can’t see and inspect. Gartner predicts that in 2020, more than 70 percent of new malware campaigns will use various forms of encryption. Google’s Transparency Report shows that no matter how you analyze Google web traffic, in most cases, more than 90 percent of it is encrypted. Decrypt that traffic to protect your network against hidden threats.
This document is a streamlined checklist of pre-deployment, deployment, and post-deployment best practices that you can follow to implement decryption. Each section includes links to detailed information in the PAN-OS Admin Guide, including how to configure Decryption policy rules and profiles.
> Plan Your SSL Decryption Best Practice Deployment
> Deploy SSL Decryption Using Best Practices
> Follow Post-Deployment SSL Decryption Best Practices
Plan Your SSL Decryption Best Practice Deployment
Prepare to deploy decryption by developing a decryption strategy and roll-out plan. Turning on decryption may change the way users interact with some applications and websites, so planning, testing, and user education are critical to a successful deployment.
STEP 1 | Set goals.
Plan to decrypt as much traffic that is not private or sensitive as your firewall resources permit. This reduces the attack surface by exposing and preventing encrypted threats. Understand local laws and regulations about the traffic you can legally decrypt and user notification requirements.
Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. If you create Decryption rules based on port-based Security policy and then migrate to application-based Security policy, the change could cause the Decryption rules to block traffic that you intend to allow, because Security policy rules are likely to use application default ports to prevent traffic from using non-standard ports. Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment, you’ll discover Security policy misconfigurations and fix them before rolling decryption out to the general user population.
STEP 2 | Work with and educate stakeholders such as legal, finance, HR, executives, security, and IT/support to develop a decryption deployment strategy.
Get the required approvals to decrypt traffic to secure the enterprise.
Identify and prioritize the traffic to decrypt:
• Decide which applications to decrypt (sanctioned, unsanctioned). Don’t allow encrypted unsanctioned applications.
• Decide which devices to decrypt (corporate, BYOD, mobile, etc.).
Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.
• Decide if you want to use the same decryption policy for different groups, such as different employee groups, contractors, partners, and guests.
Identify traffic you can’t decrypt:
• Traffic that breaks decryption for technical reasons such as certificate pinning, unsupported ciphers, or mutual authentication.
• Traffic that you choose not to decrypt, such as financial, health, government, and other sensitive categories, including users and groups such as executives.
• Fully understand the traffic you exempt from decryption. You don’t have visibility into encrypted traffic, and the firewall can’t apply threat prevention profiles to encrypted traffic.
Prepare updated legal and HR computer usage policies to distribute to all employees, contractors, partners, guests, and any other network users so that when you roll out decryption, users understand their data can be decrypted and scanned for threats.
Decide how to handle certificate verification. Your business model may require tradeoffs between security and the user experience. Understanding how you want to handle certificate verification helps determine how you configure SSL Forward Proxy Decryption profiles.
Identify the traffic you want to log. Be aware of local legal and regulatory differences, and how they affect which traffic you can log and where you can store logs.
Place firewalls where they can see all of the network traffic so that no encrypted traffic inadvertently gains access to your network because it bypasses the firewall.
STEP 3 | Develop a plan for rolling out your public key infrastructure (PKI).
If you have an existing PKI, generate the SSL Forward Trust CA certificate from your Enterprise Root CA as a subordinate certificate. This makes deployment easier because network devices already trust the Enterprise Root CA, so you won’t run into certificate issues. If you don’t have an Enterprise Root CA, consider getting one.
Alternatively, generate a self-signed Root CA certificate on the firewall and create a subordinate Forward Trust CA certificate on that firewall to install on network devices. Self-signed certificates are best for small companies that don’t have an Enterprise Root CA and for proof-of-concept (POC) trials.
Similarly to BYOD devices, enterprises don’t control guest devices. If you allow guest devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect guest users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Include the process in your company’s privacy and computer usage policy.
Generate separate CA certificates for Forward Trust and Forward Untrust. Do not use the same PKI subordinate CA for both certificates and do not sign the Forward Untrust certificate with the Trusted Root CA! The Forward Untrust certificate warns users that the certificate signing the server is not legitimate and that they should not proceed to the site. If the Trusted Root CA signs the Untrust certificate, then clients trust certificates that should be untrusted because clients trust the Root CA.
Generate a separate subordinate Forward Trust CA certificate for each firewall. Using separate subordinate CAs enables you to revoke a certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact if you need to revoke a certificate. Separate CA certificates help technical support troubleshoot user issues because the certificate error message includes information about the firewall the traffic traversed. Although using one Forward Trust subordinate CA on all firewalls is easier to deploy, using a separate certificate on each firewall provides the best security.
If you need additional security for your private keys, consider storing them in an HSM.
STEP 4 | Take a baseline measurement of firewall performance to understand resource consumption and available firewall resources so that you can compare performance after you deploy decryption and estimate the size of the firewall deployment required to support the amount of traffic you want to decrypt.
Work with your Palo Alto Networks SE/CE to size the firewall deployment and avoid sizing mistakes.
Note the currently available firewall resources. In general, the tighter your security, the more resources decryption consumes. Factors that affect how much traffic you can decrypt include:
• The amount of SSL traffic you want to decrypt.
• TLS protocol version.
• Key size.
• Key exchange algorithm. Perfect forward secrecy (PFS) ephemeral algorithms such as DHE and ECDHE consume more resources than RSA, but provide greater security because the firewall generates a new cipher key for each session. If an attacker compromises a session key, PFS prevents the attacker from using it to decrypt other sessions between the same client and server, while RSA does not.
• Certificate authentication. RSA certificate authentication (this is not the same as the RSA key exchange algorithm) consumes fewer CPU cycles than ECDSA certificate authentication, but ECDSA provides the highest level of security.
• Encryption algorithm. The key exchange algorithm determines whether the encryption algorithm is PFS or RSA.
• The firewall model and resources. Newer firewall models have more resources than older models.
Transaction sizes affect performance. Measure the average transaction size of all traffic, then measure the average transaction size of traffic on port 443 (the default port for HTTPS encrypted traffic) to understand the proportion of encrypted traffic on the firewall in relation to your total traffic and the average transaction sizes.
The combination of these factors determines how decryption consumes firewall processing resources. If firewall resources are an issue, use stronger decryption for higher-priority and higher-risk traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources.
Size the firewall to include headroom for growth in the amount of traffic to decrypt because more traffic is encrypted every day.
STEP 5 | Plan a staged, prioritized deployment.
Identify early adopters to champion decryption and get department managers on board with the plan.
Set up POCs to test the deployment strategy before you roll it out to the general user population. Measure the way the decryption POC deployment affects firewall CPU and memory utilization to help understand if firewall sizing is correct. POCs can also reveal applications that break decryption technically.
• Educate POC participants on the changes and how to contact technical support.
• Set up a technical support POC for the decryption POCs so that support has the opportunity to develop the best ways to support the rollout.
• Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL Categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. In both cases, decrypt a few URL Categories, listen to user feedback, run reports and check Decryption logs to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories, etc. Plan to make decryption exclusions to exclude sites from decryption if you can’t decrypt them for technical reasons or because you choose not to decrypt them.
• Gauge the success of the POCs and fine-tune deployment practices.
Educate the user population before the general rollout. POCs help identify the most important points to communicate.
Distribute updated legal and HR computer usage policies to all employees, contractors, partners, guests, and any other network users. Ensure that everyone understands their data can be decrypted and scanned for threats as you roll out decryption to each department or group.
Create realistic schedules that allow time to evaluate each stage of the rollout.
Deploy SSL Decryption Using Best Practices
STEP 1 | Generate and distribute keys and certificates for Decryption policies.
If you have an Enterprise PKI, generate the Forward Trust CA certificate for forward proxy traffic from your Enterprise Root CA. Otherwise, generate a self-signed Root CA certificate on the firewall, create a subordinate CA on that firewall, and then distribute the self-signed certificate to all client systems. Self-signed certificates are intended for lab testing, small deployments, and POCs.
Generate a unique subordinate Forward Trust CA for each firewall (or one Forward Trust CA for all firewalls, depending on your planning; one certificate is easier to deploy, but separate certificates provide the best security and other benefits). Different PKI platforms have different features for scaling certificate management.
If you do not use an Enterprise CA, import the Forward Trust CA certificate into the client systems’ trusted CA storage.
Do not import the Forward Untrust CA certificate into the CA trust storage on client systems, or the untrust certificate won’t act as a trigger for untrusted sites. (However, if the firewall self-signed Root CA is not installed as a trusted issuer on client systems, you can use a self-signed Forward Untrust certificate.)
Use an automated method to distribute the Forward Trust certificates to connected devices, such as the Palo Alto Networks GlobalProtect Portal, Microsoft AD Certificate Services (using Group Policy Objects), commercial tools, or open source tools.
If you generate the certificate from your Enterprise Root CA, import the certificate on the firewall.
Back up the private key for the firewall’s Forward Trust CA certificate (not the firewall’s master key) in a secure repository so that if an issue occurs, you can still access the Forward Trust CA certificate.
If you generate certificates and private keys from your Enterprise Root CA, block the export of private keys. (You can install them on new firewalls and Panoramas from your enterprise CA, so you don’t need to export them from PAN-OS.)
If your plan calls for using an HSM, store the private keys on the HSM.
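The CA hierarchy that the planning STEP 3 and this STEP 1 describe (an Enterprise Root CA, one subordinate Forward Trust CA per firewall, and a Forward Untrust CA that is deliberately not chained to the trusted root) can be modelled and checked with a few lines of code. The following is an added example, not Palo Alto Networks code or a PAN-OS feature; it uses the Python `cryptography` package, and the organization and firewall names are constructed placeholders. Its audit function flags the mistake the guide warns against: an Untrust CA that chains to the trusted root, which clients would accept.

```python
"""Added example (not PAN-OS code): build the decryption CA hierarchy the
guide describes and verify its trust relationships. Requires the
'cryptography' package; all names are constructed placeholders."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp (constructed)"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def make_ca(cn, issuer=None, years=10):
    """Return (private_key, certificate) for a CA. With issuer=None the CA is
    self-signed (a root); with issuer=(key, cert) it is a subordinate CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    if issuer is None:
        signer_key, issuer_name = key, _name(cn)
    else:
        signer_key, issuer_name = issuer[0], issuer[1].subject
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )
    return key, cert


def issued_by(cert, issuer_cert):
    """The check a client trust store performs: did issuer_cert's key really
    sign cert? A matching issuer name alone proves nothing."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def client_trusts(cert, trust_store):
    """Would a client whose store holds trust_store accept certificates
    issued under cert? True if cert chains to any installed CA."""
    return any(issued_by(cert, ca) for ca in trust_store)


def build_decryption_pki(firewalls):
    """Enterprise Root CA, one subordinate Forward Trust CA per firewall, and a
    self-signed Forward Untrust CA that is NOT chained to the root."""
    root = make_ca("Example Corp Enterprise Root CA")
    trust = {fw: make_ca(f"Forward Trust CA {fw}", issuer=root, years=2) for fw in firewalls}
    untrust = make_ca("Forward Untrust CA (untrusted by design)", years=2)
    return {"root": root, "trust": trust, "untrust": untrust}


def sign_untrust_with_root(pki):
    """The mistake the guide warns against: Untrust CA issued by the trusted root."""
    bad = dict(pki)
    bad["untrust"] = make_ca("Forward Untrust CA (misconfigured)", issuer=pki["root"], years=2)
    return bad


def audit_pki(pki):
    """Findings against the guide's rules; an empty list means the hierarchy passes."""
    findings = []
    root_cert = pki["root"][1]
    if client_trusts(pki["untrust"][1], [root_cert]):
        findings.append("Forward Untrust CA chains to the Enterprise Root CA; "
                        "clients will trust servers that should be blocked")
    seen = set()
    for fw, (_, cert) in pki["trust"].items():
        if not issued_by(cert, root_cert):
            findings.append(f"Forward Trust CA for {fw} is not issued by the Enterprise Root CA")
        if cert.subject in seen:
            findings.append(f"Forward Trust CA for {fw} reuses another firewall's subject")
        seen.add(cert.subject)
    return findings


if __name__ == "__main__":
    pki = build_decryption_pki(["fw-dc-01", "fw-perimeter-01"])
    print("good hierarchy:", audit_pki(pki))              # []
    print("untrust signed by root:", audit_pki(sign_untrust_with_root(pki)))
```

Per-firewall subjects are distinct, so a single subordinate can be revoked when one firewall is decommissioned, and the Untrust CA never validates against a store that holds only the Enterprise Root CA, which is exactly what makes the browser warning appear.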
STEP 2 | Configure Decryption profiles to control protocols, certificate verification, and failure handling.
SSL Forward Proxy Decryption profiles control server certificate verification, session modes, and failure checks for outbound traffic. Block sessions with expired certificates, untrusted issuers, unsupported versions, and unsupported cipher suites. Block sessions with client authentication unless an important application requires it, in which case you should create a separate Decryption profile that allows client authentication and apply it only to traffic that requires client authentication.
SSL Inbound Inspection Decryption profiles control session modes and failure checks for inbound traffic. Block sessions with unsupported versions and unsupported cipher suites.
SSL Protocol Settings control cipher suite elements: protocol versions, key exchange algorithms, encryption algorithms, and authentication algorithms for SSL Forward Proxy and SSL Inbound Inspection traffic. Use the strongest ciphers that you can. For Forward Proxy, set the protocol Min Version to TLSv1.2 and the Max Version to Max to block weak protocols. For SSL Inbound Inspection, create separate profiles with protocol settings that match the capabilities of the server(s) whose inbound traffic you are inspecting.
Use the strongest cipher suite that you can. Create separate Decryption policies and profiles to maximize security. If legacy sites that you need for business purposes only support weaker ciphers, create a separate Decryption profile to allow that traffic and apply it in a Decryption policy only to the necessary sites. Use the same technique to fine-tune security vs. performance for different URL categories.
Many mobile applications use pinned certificates. Because TLSv1.3 encrypts certificate information, the firewall can’t automatically add these mobile applications to the SSL Decryption Exclusion List. For these applications, ensure that the Decryption profile Max Version is set to TLSv1.2 or apply a No Decryption policy to the traffic.
No Decryption profiles control server certificate verification for traffic you choose not to decrypt. Block sessions with expired certificates and untrusted issuers.
Do not apply a No Decryption profile to TLSv1.3 traffic. The certificate information is encrypted, so the firewall cannot block sessions based on certificate information.
For SSL Forward Proxy and No Decryption traffic, configure both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) certificate revocation checks to verify that site certificates have not been revoked.
SSH Proxy profiles control session modes and failure checks for SSH tunneled traffic. Block sessions with unsupported versions and unsupported algorithms.
The best practice Decryption profile settings for the data center and for the perimeter (internet gateway) use cases differ slightly from the general best practice settings.
STEP 3 | Configure Decryption policy rules to define the traffic to decrypt and to make policy-based exceptions for traffic you choose not to decrypt.
Create policy rules to exempt specific destination IP addresses (for example, finance servers), source users and groups (for example, executives or HR personnel), source devices, and application ports that you choose not to decrypt. Place these rules at the top of the Decryption rulebase, before rules that decrypt traffic. For all traffic except TLSv1.3 traffic, attach a No Decryption profile to these rules to apply SSL server certificate verification controls to the encrypted traffic. This prevents inadvertently decrypting traffic that you don’t want to decrypt.
Use URL Categories, Custom URL Categories, and External Dynamic Lists (EDLs) to specify URLs not to decrypt, such as financial-services, health-and-medicine, government, and any other categories you don’t want to decrypt for business, legal, or regulatory reasons. Use an EDL in environments with dynamically changing IP addresses (for example, Office 365) or frequent membership changes to update without having to commit.
Create an EDL or Custom URL Category that contains all the categories you choose not to decrypt so that you only need one Decryption policy rule for them.
Place these rules above rules that decrypt traffic in the Decryption rulebase.
Configure decryption logging and log forwarding.
If you use Decryption mirroring to copy and send decrypted traffic to a traffic collection tool, be aware of local privacy regulations that may prohibit mirroring or control the traffic you can mirror.
Create policy to decrypt the rest of the traffic by configuring SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy rules. Always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, content-delivery-networks, and high-risk URL categories. Limit SSH Proxy to administrators who manage network devices, log all SSH traffic, and configure Multi-Factor Authentication to prevent unauthorized SSH access.
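STEP 2 and STEP 3 together describe a first-match rulebase whose exception rules must sit above the decrypt rules, with profiles that block on certificate, version, cipher and client-authentication conditions, and a No Decryption profile that cannot inspect TLSv1.3 certificates. The following added example models that behaviour in plain Python so the ordering problem can be seen and linted; it is not PAN-OS code or configuration syntax, and the rule, profile, user and cipher names are constructed for the example (the URL category names are the ones the guide uses).

```python
"""Added example (not PAN-OS code): a simplified Decryption rulebase model
showing first-match evaluation, profile block reasons, the TLSv1.3
No Decryption caveat, and a lint for shadowed exception rules.
Field names, users and cipher strings are constructed for this example."""
from dataclasses import dataclass, field

ANY = "any"
STRONG_CIPHERS = frozenset({"TLS_AES_256_GCM_SHA384",
                            "ECDHE-ECDSA-AES256-GCM-SHA384",
                            "ECDHE-RSA-AES128-GCM-SHA256"})

@dataclass
class Profile:
    name: str
    min_version: float = 1.2              # Min Version TLSv1.2, as the guide advises
    ciphers: frozenset = STRONG_CIPHERS
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_client_auth: bool = True

@dataclass
class Rule:
    name: str
    action: str                           # "decrypt" or "no-decrypt"
    profile: Profile
    users: set = field(default_factory=lambda: {ANY})
    categories: set = field(default_factory=lambda: {ANY})

@dataclass
class Session:
    user: str
    category: str
    tls_version: float
    cipher: str
    cert_expired: bool = False
    issuer_trusted: bool = True
    client_auth: bool = False

def rule_matches(rule, s):
    return ((ANY in rule.users or s.user in rule.users)
            and (ANY in rule.categories or s.category in rule.categories))

def first_match(rulebase, s):
    """Rulebases evaluate top-down; the first matching rule wins."""
    return next((r for r in rulebase if rule_matches(r, s)), None)

def profile_checks(profile, s, decrypting):
    """Reasons the attached profile blocks the session (empty list = allowed)."""
    reasons = []
    # A No Decryption profile only verifies the server certificate, and on
    # TLSv1.3 that certificate is encrypted, so there is nothing to check.
    if decrypting or s.tls_version < 1.3:
        if profile.block_expired and s.cert_expired:
            reasons.append("expired-certificate")
        if profile.block_untrusted_issuer and not s.issuer_trusted:
            reasons.append("untrusted-issuer")
    if decrypting:                        # protocol settings apply to decrypted traffic
        if s.tls_version < profile.min_version:
            reasons.append("unsupported-version")
        if s.cipher not in profile.ciphers:
            reasons.append("unsupported-cipher")
        if profile.block_client_auth and s.client_auth:
            reasons.append("client-authentication")
    return reasons

def evaluate(rulebase, s):
    rule = first_match(rulebase, s)
    if rule is None:                      # no matching rule: traffic is not decrypted
        return {"rule": None, "action": "no-decrypt", "block": []}
    decrypting = rule.action == "decrypt"
    return {"rule": rule.name, "action": rule.action,
            "block": profile_checks(rule.profile, s, decrypting)}

def covers(a, b):
    """True if every session that matches rule b also matches rule a."""
    users_ok = ANY in a.users or (ANY not in b.users and b.users <= a.users)
    cats_ok = ANY in a.categories or (ANY not in b.categories and b.categories <= a.categories)
    return users_ok and cats_ok

def shadowed_exceptions(rulebase):
    """(exception rule, decrypt rule above it) pairs where the exception can
    never match because an earlier decrypt rule already covers its traffic."""
    out = []
    for i, r in enumerate(rulebase):
        if r.action != "no-decrypt":
            continue
        for earlier in rulebase[:i]:
            if earlier.action == "decrypt" and covers(earlier, r):
                out.append((r.name, earlier.name))
                break
    return out

STRICT = Profile("forward-proxy-strict")
NO_DECRYPT = Profile("no-decryption")
GOOD_ORDER = [
    Rule("no-decrypt-sensitive", "no-decrypt", NO_DECRYPT,
         categories={"financial-services", "health-and-medicine", "government"}),
    Rule("no-decrypt-executives", "no-decrypt", NO_DECRYPT, users={"executives"}),
    Rule("decrypt-high-risk", "decrypt", STRICT,
         categories={"high-risk", "online-storage-and-backup", "web-based-email"}),
    Rule("decrypt-rest", "decrypt", STRICT),
]
BAD_ORDER = [GOOD_ORDER[3]] + GOOD_ORDER[:3]   # catch-all decrypt rule placed on top
```

With `GOOD_ORDER`, a financial-services session lands on the exception rule and is left encrypted; with `BAD_ORDER`, the same session is decrypted by the catch-all, and `shadowed_exceptions` reports both exception rules as unreachable. The same expired-certificate session is blocked by the No Decryption profile on TLSv1.2 but passes on TLSv1.3, which is why the guide says not to attach that profile to TLSv1.3 traffic.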
STEP 4 | Add sites to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) if they break decryption technically during POC testing and are not already on the exclusion list. (Decrypting sites that block decryption technically results in blocking that traffic.)
STEP 5 | In Security policy, block the Quick UDP Internet Connections (QUIC) protocol.
Chrome and some other browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous traffic may enter the network as encrypted traffic. Create two rules, one to block the QUIC application on standard ports and one to block UDP ports 80 and 443. Blocking QUIC forces the browser to use TLS.
STEP 6 | Forward decrypted traffic to WildFire to inspect it for malware.
STEP 7 | Roll out decryption slowly.
Decrypt a few URL Categories, review user feedback, and run reports to ensure that decryption works as expected. Gradually decrypt more URL Categories until you reach your goal. Start with the highest priority traffic (URL categories most likely to harbor malicious traffic, such as gaming), and decrypt more as you learn from experience and refine the process. A more conservative alternative is to decrypt URL Categories that don’t affect your business first, for example, news feeds.
Follow Post-Deployment SSL Decryption Best Practices
After you deploy decryption, ensure that everything is working as expected and take steps to ensure that it keeps working as expected.
STEP 1 | Verify that decryption works as expected.
STEP 2 | Measure firewall performance to ensure that it’s within acceptable norms and so that you understand the effect of decryption on performance.
If you want to decrypt more traffic than firewall resources support, scale up so that you have enough resources to decrypt all of the traffic you want to decrypt and secure your network.
STEP 3 | Educate new employees as you hire them so that they understand your decryption policy and won’t be surprised if they can’t reach a particular site because it uses weak cipher suites.
STEP 4 | Periodically review and update Decryption policies and profiles.
STEP 5 | Use decryption troubleshooting tools such as the Application Command Center’s SSL Activity widgets and the Decryption log (Monitor > Logs > Decryption) to monitor decryption traffic and solve decryption issues.
Decryption troubleshooting workflow examples show you how to use the tools to investigate issues.
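When the Decryption log shows handshake failures, the useful question is whether the client or the server aborted and how the failures cluster. The following added example (not Palo Alto Networks code) triages an exported log with pure Python: it counts failures by reason and separates two patterns the earlier steps care about, a single host rejected by many clients (the signature of a pinned certificate, a candidate for the SSL Decryption Exclusion list) and a single client rejecting many hosts (a device that never received the Forward Trust CA). The CSV columns and the error strings are a constructed, simplified stand-in for a real export and must be mapped to the actual log schema before use.

```python
"""Added example (not Palo Alto Networks code): triage decryption failures
from exported log lines. The column layout and error strings below are a
constructed, simplified stand-in for a Decryption log export."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample export: time,src,dst,sni,tls_version,rule,error
SAMPLE_LOG = """\
2021-02-05 09:00:01,10.1.1.5,203.0.113.10,banking.example.net,TLSv1.2,decrypt-rest,Expired server certificate
2021-02-05 09:00:03,10.1.1.7,198.51.100.21,pinnedapp.example.com,TLSv1.2,decrypt-rest,Fatal alert from client: certificate unknown
2021-02-05 09:00:05,10.1.1.8,198.51.100.21,pinnedapp.example.com,TLSv1.2,decrypt-rest,Fatal alert from client: certificate unknown
2021-02-05 09:00:09,10.1.1.9,198.51.100.21,pinnedapp.example.com,TLSv1.2,decrypt-rest,Fatal alert from client: certificate unknown
2021-02-05 09:01:00,10.1.1.20,203.0.113.40,news.example.org,TLSv1.2,decrypt-rest,Fatal alert from client: unknown CA
2021-02-05 09:01:02,10.1.1.20,203.0.113.41,mail.example.org,TLSv1.2,decrypt-high-risk,Fatal alert from client: unknown CA
2021-02-05 09:01:04,10.1.1.20,203.0.113.42,docs.example.org,TLSv1.2,decrypt-rest,Fatal alert from client: unknown CA
2021-02-05 09:02:00,10.1.1.5,203.0.113.50,legacy.example.org,TLSv1.0,decrypt-rest,Unsupported protocol version
"""
FIELDS = ["time", "src", "dst", "sni", "tls_version", "rule", "error"]


def parse_log(text):
    """Parse the constructed CSV export into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def failures_by_reason(records):
    """How many failed sessions each error accounts for."""
    return Counter(r["error"] for r in records)


def client_alerts(records):
    """Failures where the client, not the server, aborted the handshake: the
    client did not accept the certificate the firewall presented."""
    return [r for r in records if r["error"].startswith("Fatal alert from client")]


def pinning_candidates(records, min_clients=3):
    """Hosts that several different clients refuse when the firewall re-signs
    them: the pattern of a pinned certificate, so exclusion-list candidates."""
    clients = defaultdict(set)
    for r in client_alerts(records):
        clients[r["sni"]].add(r["src"])
    return sorted(sni for sni, srcs in clients.items() if len(srcs) >= min_clients)


def clients_missing_ca(records, min_hosts=3):
    """Clients that reject the firewall for many different hosts: the pattern
    of a device without the Forward Trust CA installed, not a site problem."""
    hosts = defaultdict(set)
    for r in client_alerts(records):
        hosts[r["src"]].add(r["sni"])
    return sorted(src for src, snis in hosts.items() if len(snis) >= min_hosts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for reason, count in failures_by_reason(recs).most_common():
        print(f"{count:3d}  {reason}")
    print("exclusion-list candidates:", pinning_candidates(recs))
    print("clients to check for Forward Trust CA:", clients_missing_ca(recs))
```

In the sample, `pinnedapp.example.com` is rejected by three different clients and surfaces as an exclusion candidate, while `10.1.1.20` rejects three unrelated hosts and surfaces as a client to check; the expired-certificate and unsupported-version entries are server-side conditions that the profile blocked as intended.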
STEP 6 | Use Palo Alto Networks documentation and other resources to learn more about Decryption and to look up information:
• The PAN-OS Administrator’s Guide provides detailed information about Palo Alto Networks next-generation firewalls.
• The Palo Alto Networks Live Community has a Decryption Resource List of articles about decryption configuration, setup, and administration.
• To find missing intermediate certificates, visit SSL Labs (Qualys).
• To find out which cipher suites a server supports, visit the Qualys SSL Labs server SSL test page.
• To check up-to-date statistics on the percentages of different ciphers and protocols in use on the 150,000 most popular sites in the world, so you can see trends and understand how widespread worldwide support is for more secure ciphers and protocols, visit the Qualys SSL Labs SSL Pulse page.