Time
54 minutes
Difficulty
Beginner

Video Description

This video is designed to help you understand and configure SSL Decryption on PAN-OS 6.1. We'll be covering the following topics:

  • What is SSL Decryption?
  • Understanding Inbound and Outbound SSL Decryption (SSL Forward Proxy)
  • Ensuring the Proper Certificate Authority on the Firewall
  • Configuring SSL Decryption Rules
  • Enabling SSL Decryption Notification Page (optional)
  • Committing Changes and Testing Decryption

Video Transcription

00:07
This is Joe Delio from the Palo Alto Networks Community Team, bringing you a Palo Alto Networks video tutorial. In today's video tutorial we'll be talking about how to configure SSL decryption. This video is designed to help you better understand and configure SSL decryption on PAN-OS version 6.1.
00:27
We will be covering the following topics in this SSL decryption video tutorial.
00:32
Number one is what is SSL decryption. Number two, understanding the two types of decryption: inbound SSL and outbound SSL decryption, also known as SSL Forward Proxy. Number three, to ensure the proper certificate authority is installed on the firewall
00:49
and export the certificate authority to install on client machines.
00:54
Number four, configuring the SSL decryption rules. Number five, to enable the SSL decryption notification page as an optional component. And lastly, to commit the changes and to test the decryption.
01:07
We'll start off with what is SSL decryption. SSL, which is Secure Sockets Layer, is a security protocol that encrypts the data to help keep data secure while on the Internet. SSL certificates have a key pair of a public and a private key. These keys work together to establish an encrypted connection.
01:25
PAN-OS has the ability to decrypt and inspect SSL connections going through the firewall;
01:30
both inbound and outbound SSL connections can be decrypted and inspected.
01:36
SSL decryption can occur on interfaces in a virtual wire or Layer 3 mode.
01:42
The decryption rulebase is used to configure which traffic to decrypt. In particular, decryption can be based upon URL categories as well as source user and source, target or destination addresses. Once traffic is decrypted,
01:59
tunneled applications can be detected and controlled
02:02
and the decrypted data can be inspected for threats, URL filtering, file blocking and/or data filtering. Please note that the decrypted traffic is never sent off of the device. Number two is to understand the two types of decryption.
02:20
Inbound SSL decryption: in this case, inbound traffic would be destined to an internal web server or device. In order to configure this properly, the administrator imports a copy of the protected server's certificate and key. Once the SSL server certificate is loaded onto the firewall
02:38
and an SSL decryption policy is configured for the inbound traffic, the device will be able to decrypt and read the traffic as it forwards it on.
02:46
No changes will be made to the packet data, and the secure channel will be built from the client system to the internal server. The firewall will be able to detect malicious content and control applications running over this secure channel.
03:01
Outbound SSL decryption is the second type of decryption, also known as SSL
03:07
Forward Proxy.
03:08
In this case, the firewall proxies the outbound SSL connections. It intercepts the outbound SSL requests and generates a certificate on the fly.
03:19
In this case, the firewall proxies outbound SSL connections; it intercepts the SSL requests and generates a certificate in real time for the site that the user wishes to visit.
03:31
The validity date on the PA-generated certificate is taken from the validity date on the real server certificate. When looking at the certificate information, the issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the
03:47
firewall certificate is not part of an existing hierarchy
03:52
or it is not added to a client's web browser cache, then the client will receive a warning message when it is browsing to a secure site. If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall,
04:08
then the decryption certificate will be issued using a second, untrusted CA key.
04:13
This is to ensure that the user will be warned that there is a subsequent man-in-the-middle attack occurring.
04:20
The third item is to ensure that the proper certificate authority is on the firewall and export the certificate authority to install on the client machines. Loading or generating a CA certificate on the Palo Alto Networks firewall is needed because a certificate authority (CA) is required to decrypt traffic properly
04:41
by generating SSL certificates on the fly.
04:45
Either a self-signed certificate authority needs to be created on the firewall, or a subordinate CA from your own PKI infrastructure needs to be imported, and then the Forward Trust Certificate and Forward Untrust Certificate options need to be selected on one or more certificates
05:04
before the firewall is able to decrypt traffic.
05:09
Note: because the SSL certificate providers like Entrust, VeriSign, DigiCert and GoDaddy do not sell certificate authorities, they are not supported for use in SSL decryption. Now let's look inside the GUI for the steps to generate a self-signed certificate
05:28
from the firewall GUI.
05:29
Please go to Device,
05:30
Certificate Management and then Certificates. Inside of here, underneath Device Certificates, we need to generate a new certificate. Inside of the certificate name, it can be anything that you want, but I'm going to choose to use SSL
05:47
decrypt
05:49
as the name,
05:51
and for the common name I'm choosing the firewall's trusted internal IP address which faces the client machines, which is 172.16.77.1.
06:04
For the Signed By, I'm going to choose to make this a certificate authority, so I'll check Certificate Authority, because the firewall itself is going to be generating certificates in real time. So this will actually serve two purposes: it will be an SSL certificate signed by the firewall itself
06:23
as well as a certificate authority.
06:26
If you wanted this certificate to be good for more than one year, inside of the Cryptographic Settings you can choose, let's say, two years; inside of here, you could make it 730 days to make it for two years. If you needed to put any additional certificate attributes, this is where you could put them, down here.
06:45
Otherwise, just click Generate to make a valid certificate and certificate authority.
06:49
Okay,
06:50
it's been successfully generated.
06:54
Notice how it says Valid.
06:56
Click on the certificate again.
06:59
Inside of here, this is where we need to, at a minimum, have a Forward Trust Certificate, and I'm choosing to have the Forward Untrust Certificate be the same certificate, but they can be separate certificates if need be.
07:15
Showing the usage here, you'll notice how it does say Forward Trust Certificate and Forward Untrust Certificate. This signifies that this will be used for the SSL decryption. Please note: if a self-signed certificate authority is used,
07:28
the public CA certificate will need to be exported from the firewall and installed as a trusted root CA in each of the machines' browsers to avoid
07:36
untrusted certificate error messages inside of your browser. Normally, network administrators will go through and use GPO to push out the certificate to each workstation, but I will show you a manual way. Second note here:
07:50
when it comes to using the Forward Untrust Certificate, some admins choose to have a separate certificate just for this, as I stated before.
07:59
As long as you only have one Forward Trust Certificate and one Forward Untrust Certificate marked, then you'll be okay with keeping them separate. To manually export the public CA certificate, let's go back inside the Certificates section that we were just in.
08:15
Make sure you check the checkbox next to the SSL-decrypt certificate
08:20
and at the bottom of the screen select Export. When the Export Certificate screen shows up, make sure Export Private Key is not checked.
08:30
We can keep the format as Base64 Encoded Certificate (PEM) and hit OK.
08:35
Because you do not export the private key, there's no need to enter a password. It will download a copy of the SSL-decrypt certificate file.
08:46
Once we have that file, we need to export it off of the machine you're on and import it to the client machine. I'll be showing you how to do this on Internet Explorer or Chrome. In order to get the exported certificate to the client machine, I use Google Drive,
09:03
but to do this to all the machines in your network one by one would be too time consuming.
09:07
Again, we recommend that you use GPO to push out this exported certificate to all of your client machines to allow SSL decryption to work properly on all new machines.
09:20
I have placed the SSL certificate
09:22
and CA certificate
09:24
on the Google Drive here so I can access it from my client machine here. Next,
09:31
I'm now on my client machine here, and I see the CA certificate here. I'm going to download it.
09:39
Once downloaded, I'm going to drop it on my desktop.
09:45
You can also install this to other browsers like Opera or Firefox, but the following instructions will be for Internet Explorer and Chrome. The easiest way that I found to install the certificate is to double-click on the file, if you're in Windows,
10:00
and open it.
10:03
When we open the certificate, you'll notice how it is not trusted
10:07
and says, to enable trust, install it in the Trusted Root Certification Authorities store. So that's what we'll do. Click Install Certificate,
10:16
Next,
10:16
Place all certificates in the following store,
10:20
Browse.
10:20
When the Select Certificate Store pops up,
10:24
select Trusted Root Certification Authorities,
10:26
hit OK,
10:28
Next
10:30
and Finish. This is a normal message, a security warning that you'll get, explaining
10:37
where this came from, and we're going to manually install it,
10:41
and we're done installing.
10:43
Now we can continue with the rest of the configuration by configuring the SSL decryption rules in step four. Please note that these instructions are for setting up outbound SSL decryption, again, SSL Forward Proxy. If you need instructions for setting up the inbound SSL decryption,
11:01
please see the admin guides that are listed in the transcript
11:05
or at the bottom at the end of the video for instructions on how to perform this. To set up SSL decryption rules, please go into the Policies tab
11:15
and then on the left-hand side you'll find Decryption. This is where the rules will either allow the firewall to decrypt the SSL traffic or not decrypt it. You can see that I already have two rules in place. One is to not decrypt; we call it Do Not Decrypt,
11:31
and the other is to decrypt traffic.
11:35
We do recommend to avoid decrypting the following URL categories, as users may consider this an invasion of their privacy: financial services
11:45
and health and medicine. Also, do not decrypt applications where the server requires a client-side certificate for identification.
11:56
Because I already have the rules, I will show you what these decryption rules consist of. If you click on the first one, for Do Not Decrypt,
12:05
we simply see General: give it a name, give it any tags if you want to.
12:11
The source is going to be for the trust zone,
12:16
destined to untrust, so it's going to be outbound traffic. The URL category, because this is going to be for a do not decrypt: I have a do-not-decrypt custom URL category as well as financial services and health and medicine,
12:31
and then any other options here. This is where you choose the option to not decrypt or to decrypt traffic, and then what type it is: you have options for Forward Proxy and SSH Proxy or SSL Inbound Inspection there,
12:48
and then this is an option here for a Decryption Profile.
12:52
There's additional options if need be.
12:56
The next rule is for the decrypt. It looks exactly the same: Source is trust,
13:01
destination is untrust. URL category is everything, since we're signifying
13:07
the do not decrypt above, and then everything else is to be decrypted, and again you have an option to decrypt with Forward Proxy.
13:18
For any sites that do not work correctly after you have enabled SSL decryption, and/or for any sites that you would like to exclude from being decrypted, we recommend that you go into the
13:30
custom URL category that is located inside of Objects
13:33
and then Custom Objects, URL Category.
13:37
I already have a Do Not Decrypt URL category here, but you can just simply click Add, give it a name and enter the sites that you do not want to decrypt.
13:50
I already have site-x.com and www.site-x.com. Even though these look exactly the same, they're completely different, because having www in front of it denotes it is a different domain. So now we can place that new URL category in the
14:09
Do Not Decrypt rule.
14:11
Now that we have the custom URL category for Do Not Decrypt, we can go back into Policies and Decryption, and for the Do Not Decrypt rule, I have already added the do-not-decrypt URL category.
14:24
We also have financial services and health and medicine. If you need to add any additional URL categories, click on the rule name,
14:33
go to the URL Category tab and add any of the needed URL categories.
14:39
The fifth step is to enable the SSL decryption notification page, but that's an optional step, if you would like to do that per your security policy. That way the user can be notified that their SSL connection is going to be decrypted, using a response page
14:56
found inside the Device tab
15:00
and then the Response Pages section. In the Response Pages section, there's the SSL Decryption Opt-out Page.
15:09
This is where it will show you whether it's disabled or enabled, and that's how you choose. The last step is to commit the changes and test decryption.
15:18
Once you go ahead and commit the changes, we can then test for SSL decryption on the client. Back on my client machine here,
15:28
I can test a couple of sites:
15:30
Twitter,
15:33
Facebook.
15:37
So we can see that the Twitter page is coming up and we don't have any errors.
15:43
Facebook is coming up, asking us to log in. Again, no errors there, so we can check the firewall logs to see what it shows, if it's decrypting the traffic. Back on the firewall,
15:56
going to the Monitor tab,
15:58
we're looking for
16:00
traffic from our source client machine here,
16:04
and we can see
16:07
the traffic is SSL traffic here,
16:12
and we notice that inside the Flags section it does show Decrypted,
16:18
indicating that we're actually decrypting the traffic and able to
16:22
examine all SSL traffic without issues. Please note that if you attempt to access any sites that do not display properly after decryption is enabled, then you might have to add the site to the do-not-decrypt list, or the do-not-decrypt custom URL category that you created.
16:40
For all the steps to generate and import a certificate from a Microsoft certificate server, or more information,
16:45
please visit the How to Implement and Test SSL Decryption doc that we have linked inside the transcript. We also have links to all of the admin guides, versions 5, 6, 6.1 and 7, to be able to have additional information on SSL decryption and anything else that you need.
17:06
This concludes our video tutorial. We hope that you've enjoyed this video. Thank you so much for watching. We also welcome all feedback below, so please don't be shy. Thank you very much.
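The certificate mechanics the video walks through for SSL Forward Proxy (a self-signed CA marked as Forward Trust, a second Forward Untrust CA, the on-the-fly certificate whose validity mirrors the real server's, and the public CA exported without its private key for the clients) can be reproduced offline with the openssl command line. The script below is an added example written for this page; it is not code from the video or from Palo Alto Networks, and it does not talk to a firewall. It assumes an openssl CLI of version 1.1.1 or newer and GNU date; the root names, the hostname www.site-x.com, the 730-day CA lifetime (taken from the video) and the 90-day server certificate lifetime are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the video or Palo Alto Networks: emulate with the
# openssl CLI what the transcript describes an SSL Forward Proxy doing.
# Assumes the openssl CLI (1.1.1 or newer) and GNU date; every name, host
# and lifetime below is made up for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl req config, so the system openssl.cnf is never consulted.
req_conf() { # $1=common name
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca_ext\n'
    printf '[dn]\nCN=%s\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' "$1"
    printf 'keyUsage=critical,keyCertSign,cRLSign\n'
}

# CA key plus self-signed CA certificate: the CLI equivalent of generating a
# certificate with the "Certificate Authority" box checked in the GUI.
make_ca() { # $1=file stem  $2=common name  $3=validity in days
    req_conf "$2" > "$WORK/$1.cnf"
    openssl req -x509 -config "$WORK/$1.cnf" -nodes -days "$3" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server certificate for host $2, signed by CA $1, valid $3 days.
issue_leaf() { # $1=ca stem  $2=hostname  $3=days  $4=output stem
    req_conf "$2" > "$WORK/$4.cnf"
    openssl req -new -config "$WORK/$4.cnf" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/$4.key" -out "$WORK/$4.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$4.ext"
    openssl x509 -req -in "$WORK/$4.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days "$3" -extfile "$WORK/$4.ext" \
        -out "$WORK/$4.crt" 2>/dev/null
}

# Whole days left on a certificate (rounded up), used to mirror the origin
# server certificate's validity on the proxy-issued one.
days_left() { # $1=cert file
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ( $(date -u -d "$end" +%s) - $(date -u +%s) + 86399 ) / 86400 ))
}

# Per outbound session: verify the origin certificate against the roots the
# firewall trusts, then re-issue a certificate for the same name from the
# Forward Trust CA (chain verified) or the Forward Untrust CA (not verified),
# so the browser still warns when the real site's chain was bad.
mint_proxy() { # $1=origin cert  $2=output stem ; prints which CA signed
    if openssl verify -CAfile "$WORK/public-roots.pem" "$1" >/dev/null 2>&1; then
        ca=fwd-trust
    else
        ca=fwd-untrust
    fi
    cn=$(openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//')
    issue_leaf "$ca" "$cn" "$(days_left "$1")" "$2"
    echo "$ca"
}

# What a client sees once it trusts only the exported Forward Trust CA.
client_verify() { # $1=cert ; prints OK or FAIL
    if openssl verify -CAfile "$WORK/fwd-trust.pub.pem" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Firewall side: self-signed Forward Trust CA (730 days, as in the video) and
# a separate Forward Untrust CA; export only the public half of the trust CA,
# which is what gets pushed to clients by GPO or installed by hand.
make_ca fwd-trust ssl-decrypt 730
make_ca fwd-untrust ssl-decrypt-untrust 730
openssl x509 -in "$WORK/fwd-trust.crt" -out "$WORK/fwd-trust.pub.pem"

# Internet side: one public root the firewall trusts, one it has never seen.
make_ca public-root "Example Public Root" 3650
make_ca rogue-root "Unknown Root" 3650
cp "$WORK/public-root.crt" "$WORK/public-roots.pem"
issue_leaf public-root www.site-x.com 90 origin-good
issue_leaf rogue-root www.site-x.com 90 origin-bad

GOOD_CA=$(mint_proxy "$WORK/origin-good.crt" proxy-good)
BAD_CA=$(mint_proxy "$WORK/origin-bad.crt" proxy-bad)
echo "trusted origin   -> proxy cert signed by $GOOD_CA, client: $(client_verify "$WORK/proxy-good.crt")"
echo "untrusted origin -> proxy cert signed by $BAD_CA, client: $(client_verify "$WORK/proxy-bad.crt")"
```

Two points worth checking against your own deployment: the client store only ever receives fwd-trust.pub.pem, the certificate exported with Export Private Key unchecked, so a leaf signed by the Forward Untrust CA fails exactly as the video says it should; and the proxy certificate's lifetime is derived from the origin certificate rather than from a fixed number of days, which is why an expired or not-yet-valid site still shows an error after decryption instead of being silently repaired.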
