SSL Decryption


54 minutes
Video Description

This video is designed to help you understand and configure SSL Decryption on PAN-OS 6.1. We'll be covering the following topics:

  • What is SSL Decryption?

  • Understanding Inbound and Outbound SSL Decryption (SSL Forward Proxy)

  • Ensuring the Proper Certificate Authority on the Firewall

  • Configuring SSL Decryption Rules

  • Enabling SSL Decryption Notification Page (optional)

  • Committing Changes and Testing Decryption

Video Transcription
This is Joe Delio from the Palo Alto Networks Community Team, bringing you a Palo Alto Networks video tutorial. In today's video tutorial we will be talking about how to configure SSL decryption. This video is designed to help you better understand and configure SSL decryption on PAN-OS version 6.1.

We will be covering the following topics in this SSL decryption video tutorial. Number one is what is SSL decryption. Number two, understanding the two types of decryption: inbound SSL decryption and outbound SSL decryption, also known as SSL forward proxy. Number three, to ensure the proper certificate authority is installed on the firewall and export the certificate authority to install on client machines. Number four, configuring the SSL decryption rules. Number five, to enable the SSL decryption notification page as an optional component. And lastly, to commit the changes and to test the decryption.

We'll start off with what is SSL decryption. SSL, which is Secure Sockets Layer, is a security protocol that encrypts data to help keep it secure while on the Internet. SSL certificates have a key pair, a public and a private key. These keys work together to establish an encrypted connection.

PAN-OS has the ability to decrypt and inspect SSL connections going through the firewall; both inbound and outbound SSL connections can be decrypted and inspected. SSL decryption can occur on interfaces in virtual wire or Layer 3 mode.

The decryption rulebase is used to configure which traffic to decrypt; in particular, decryption can be based upon URL categories as well as source user and source, target or destination addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking and/or data filtering. Please note that the decrypted traffic is never sent off of the device.

Number two is to understand the two types of decryption. Inbound SSL decryption: in this case, inbound traffic would be destined to an internal web server or device. In order to configure this properly, the administrator imports a copy of the protected server's certificate and key. Once the SSL server certificate is loaded onto the firewall and an SSL decryption policy is configured for the inbound traffic, the device will be able to decrypt and read the traffic as it forwards it on. No changes will be made to the packet data, and the secure channel will be built from the client system to the internal server. The firewall will be able to detect malicious content and control applications running over this secure channel.

Outbound SSL decryption is the second type of decryption, also known as SSL forward proxy. In this case, the firewall proxies the outbound SSL connections: it intercepts the outbound SSL requests and generates a certificate in real time for the site that the user wishes to visit.

The validity date on the Palo Alto Networks generated certificate is taken from the validity date on the real server certificate. When looking at the certificate information, the issuing authority of the Palo Alto Networks generated certificate is the Palo Alto Networks device. If the firewall certificate is not part of an existing hierarchy, or it is not added to a client's web browser cache, then the client will receive a warning message when it is browsing to a secure site. If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall, then the decryption certificate will be issued using a second, untrusted CA key. This is to ensure that the user will be warned that there is a subsequent man-in-the-middle attack occurring.

The third item is to ensure that the proper certificate authority is on the firewall and export the certificate authority to install on the client machines. Loading or generating a CA certificate on the Palo Alto Networks firewall is needed because a certificate authority (CA) is required to decrypt traffic properly by generating SSL certificates on the fly. Either a self-signed certificate authority needs to be created on the firewall, or a subordinate CA from your own PKI infrastructure needs to be imported, and then the Forward Trust Certificate and Forward Untrust Certificate options need to be selected on one or more certificates before the firewall is able to decrypt traffic.

Note: because SSL certificate providers like Entrust, VeriSign, DigiCert and GoDaddy do not sell certificate authorities, they are not supported for use in SSL decryption. Now let's look inside the GUI for the steps to generate a self-signed certificate from the firewall GUI.

Please go to Device > Certificate Management > Certificates. Inside of here, underneath Device Certificates, we need to generate a new certificate. The certificate name can be anything that you want, but I'm going to choose to use SSL decrypt as the name, and for the Common Name I'm choosing the firewall's trusted internal IP address which faces the client machines, which is 172.16.77.1. For Signed By, I'm going to choose to make this a certificate authority, so I'm going to check Certificate Authority, because the firewall itself is going to be generating certificates in real time. So this will actually serve two purposes: it will be an SSL certificate signed by the firewall itself as well as a certificate authority.

If you wanted this certificate to be good for more than one year, inside of the Cryptographic Settings you can choose, let's say, two years; inside of here you could make it 730 days to make it two years. If you needed to put any additional certificate attributes, this is where you could put them, down here. Otherwise, just click Generate to make a valid certificate and certificate authority. It has been successfully generated; notice how it says valid.

Click on the certificate again. Inside of here, this is where we need to, at a minimum, have a Forward Trust Certificate, and I'm choosing to have the Forward Untrust Certificate be the same certificate, but they can be separate certificates if need be. Showing the usage here, you'll notice how it does say Forward Trust Certificate and Forward Untrust; this signifies that this will be used for the SSL decryption. Please note: if a self-signed certificate authority is used, the public CA certificate will need to be exported from the firewall and installed as a trusted root CA in each machine's browser to avoid untrusted certificate error messages inside of your browser. Normally, network administrators will go through and use GPO to push out the certificate to each workstation, but I will show you a manual way. Second note here: when it comes to using the Forward Untrust Certificate, some admins choose to have a separate certificate just for this. As I stated before, as long as you only have one Forward Trust Certificate and one Forward Untrust Certificate marked, then you'll be okay with keeping them separate.

To manually export the public CA certificate, let's go back inside the Certificates section that we were just in. Make sure you check the checkbox next to the SSL decrypt certificate, and at the bottom of the screen select Export. When the Export Certificate screen shows up, make sure Export Private Key is not checked. We can keep the file format as Base64 Encoded Certificate (PEM) and hit OK. Because you do not export the private key, there's no need to enter a password. It will download a copy of the SSL decrypt .crt file.

Once we have that file, we need to export it off of the machine you're on and import it to the client machine. I'll be showing you how to do this on Internet Explorer or Chrome. In order to get the exported certificate to the client machine, I use Google Drive, but to do this to all the machines in your network one by one would be too time consuming. Again, we recommend that you use GPO to push out this exported certificate to all of your client machines to allow SSL decryption to work properly on all new machines.

I have placed the SSL certificate and CA certificate on the Google Drive here so I can access it from my client machine. Next, I'm now on my client machine here and I see the CA certificate. I'm going to download it. Once downloaded, I'm going to drop it on my desktop.

You can also install this to other browsers like Opera or Firefox, but the following instructions will be for Internet Explorer and Chrome. The easiest way that I found to install the certificate is to double-click on the file, if you're in Windows, and open it. When we open the certificate, you'll notice how it is not trusted, and it says that to enable it, install it in the Trusted Root Certification Authorities store. So that's what we'll do: click Install Certificate, then Place all certificates in the following store. When the Select Certificate Store pops up, select Trusted Root Certification Authorities, hit OK and Finish. This is a normal message, a security warning that you'll get explaining where this came from, and we're going to manually install it, and it is installed.

Now we can continue with the rest of the configuration by configuring the SSL decryption rules in step four. Please note that these instructions are for setting up outbound SSL decryption, again SSL forward proxy. If you need instructions for setting up inbound SSL decryption, please see the admin guides that are listed in the transcript or at the end of the video for instructions on how to perform this.

To set up SSL decryption rules, please go into the Policies tab, and then on the left-hand side you'll find Decryption. This is where the rules will either allow the firewall to decrypt the SSL traffic or not decrypt it. You can see that I already have two rules in place. One is to not decrypt, which we call Do Not Decrypt, and the other is to decrypt traffic.

We do recommend avoiding decrypting the following URL categories, as users may consider this an invasion of their privacy: financial services and health and medicine. Also, do not decrypt applications where the server requires client-side certificates for identification.

Because I already have the rules, I will show you what these decryption rules consist of. If you click on the first one, for Do Not Decrypt, we simply see General: give it a name, give it any tags if you want to. The source is going to be the trust zone, destined to untrust, so it's going to be outbound traffic. For the URL category, because this is going to be for a do not decrypt, I have a Do Not Decrypt custom URL category as well as financial services and health and medicine. And then any other options here: this is where you set the option to not decrypt or to decrypt traffic, and then what type it is; you have options for SSL Forward Proxy and SSH Proxy or SSL Inbound Inspection there. And then this is an option here for a decryption profile. There are additional options if need be.

The next rule is for the decrypt. It looks exactly the same: source trust, destination untrust, URL category is everything, since we're signifying the do not decrypt above and then everything else is to be decrypted. And again you have the option to decrypt, SSL Forward Proxy.

For any sites that do not work correctly after you have enabled SSL decryption, and/or for any that you would like to exclude from being decrypted, we recommend that you go into the custom URL category that is located inside of Objects and then Custom Objects > URL Category. I already have a Do Not Decrypt URL category here, but you can simply click Add, give it a name and enter the sites that you do not want to decrypt. I already have site-x.com and www.site-x.com. Even though these look exactly the same, they're completely different, because having www in front of it denotes that it is a different domain. So now we can place that URL category in the Do Not Decrypt rule.

Now that we have the custom URL category for Do Not Decrypt, we can go back into Policies > Decryption, and for the Do Not Decrypt rule I have already added the Do Not Decrypt URL category. We also have financial services and health and medicine. If you need to add any additional URL categories, click on the rule name, go to the URL Category tab and add any of the needed URL categories.

The fifth step is to enable the SSL decryption notification page, but that's an optional step, if you would like to do that per your security policy. That way the user can be notified that their SSL connection is going to be decrypted, using a response page found inside the Device tab and then the Response Pages section: the SSL Decryption Opt-out Page. This is where it will show you whether it's disabled or enabled, and that's how you choose. The last step is to commit the changes and test decryption.

Once you go ahead and commit the changes, we can then test for SSL decryption on the client. Back on my client machine here, I can test a couple of sites, so we can see that the Twitter page is coming up and we don't have any errors. Facebook is coming up, asking us to log in; again, no errors there. So we can check the firewall logs to see what it shows, if it's decrypting the traffic. Back on the firewall, going to the Monitor tab, we're looking for traffic from our source client machine here, and we can see the traffic is SSL traffic here, and we notice that inside the Flags section it does show Decrypted, indicating that we're actually decrypting the traffic and able to examine all SSL traffic without issues. Please note that if you attempt to access any sites that do not display properly after decryption is enabled, then you might have to add the site to the do not decrypt list or the Do Not Decrypt custom URL category that you created.

For all the steps to generate and import a certificate from a Microsoft certificate server, or for more information, please visit the How to Implement and Test SSL Decryption document that we have linked inside the transcript. We also have links to all of the admin guides, versions 5, 6, 6.1 and 7, to be able to have additional information on SSL decryption and anything else that you need.

This concludes our video tutorial. We hope that you've enjoyed this video. Thank you so much for watching. We also welcome all feedback below, so please don't be shy. Thank you very much.
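The certificate mechanics the video describes in steps two and three (a self-signed CA on the firewall, a certificate minted on the fly that copies the real server's name and validity dates, and a second untrust CA used when the real server's chain is not trusted) can be reproduced offline with Go's standard library. This is an added example, not code from the video or from Palo Alto Networks; the function names are mine, the origin's trust status is simply assumed rather than validated, and the IP address, hostname, validity periods and the "untrust" CA name are constructed to match the lab values used in the video.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign encodes tmpl as a certificate for pub, signed with signer (parent == tmpl gives a self-signed cert).
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // error returns elided for brevity
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newCA mirrors step 3 of the video: a self-signed CA whose CN is the firewall's trusted-side address.
func newCA(cn string, days int) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, pub, key), key
}

// accepts is the browser's check: the leaf must chain to the installed root (nil = none) and match its host.
func accepts(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}

// Scenario returns (trust CA installed, nothing installed, origin untrusted so the untrust CA signed).
func Scenario() (bool, bool, bool) {
	fwTrust, fwTrustKey := newCA("172.16.77.1", 730)             // exported and installed on clients
	fwUntrust, fwUntrustKey := newCA("172.16.77.1 untrust", 730) // never exported
	origin := &x509.Certificate{DNSNames: []string{"www.site-x.com"}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, 90)} // real server cert (constructed)
	proxied := &x509.Certificate{ // minted on the fly: name and validity dates copied from the origin
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: origin.DNSNames[0]}, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the firewall's own key for the minted certificate
	viaTrust := sign(proxied, fwTrust, leafPub, fwTrustKey)       // origin chained to a CA the firewall trusts
	viaUntrust := sign(proxied, fwUntrust, leafPub, fwUntrustKey) // it did not: the user must still get a warning
	return accepts(viaTrust, fwTrust), accepts(viaTrust, nil), accepts(viaUntrust, fwTrust)
}
```

Only the first case verifies cleanly, which is why the video exports the public CA (without its private key) and installs it as a trusted root on every client, and why a site with an untrusted origin chain still produces a browser warning.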