How to Implement and Test SSL Decryption | Palo Alto Networks Live
3/24/15, 6:50 AM
How to Implement and Test SSL Decryption
Version 37
created by nrice on Apr 17, 2010 3:39 PM, last modified by panagent on Mar 13, 2015 12:40 PM
Overview

PAN-OS has the ability to decrypt and inspect SSL connections going through the firewall. Both inbound and outbound SSL connections can be decrypted and inspected. SSL decryption can occur on interfaces in virtual wire or Layer 3 mode. The SSL decryption rulebase is used to configure which traffic to decrypt. In particular, decryption can be based upon URL categories as well as source user, and source/destination addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats/URL filtering/file blocking/data filtering. Note that decrypted traffic is never sent off of the device.

Inbound SSL decryption

In this case, traffic is inbound, destined to an internal web server or device. To configure this properly, the administrator imports a copy of the protected server's certificate and private key. Once the SSL server certificate is loaded on the firewall and an SSL decryption policy is configured for the inbound traffic, the device is able to decrypt and read the traffic as it forwards it on. No changes are made to the packet data, and the secure channel is built from the client system to the internal server. The firewall is able to detect malicious content and control applications running over this secure channel. Because this mode recovers the session keys passively from the server's private key, it only works for cipher suites with RSA key exchange; ephemeral Diffie-Hellman (DHE/ECDHE) suites cannot be decrypted this way (see the cipher-suite article linked at the end of this document).

Outbound SSL decryption (called "SSL forward proxy")

In this case, the firewall proxies outbound SSL connections. It intercepts the outbound SSL request and generates a certificate on the fly for the site the user wishes to visit. The validity dates on the PA-generated certificate are taken from the validity dates on the real server certificate. The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall's certificate is not part of an existing hierarchy, or is not added to the client's browser trust store, the client receives a warning message when browsing to a secure site.
If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall, the decryption certificate is issued using a second, "untrusted" CA key. This ensures that the user is still warned if a man-in-the-middle attack is taking place upstream of the firewall. For the same reason, the Forward Untrust certificate must never be installed in the clients' trust stores.
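The issuing logic described above, as an added example built on the openssl command line. This is not PAN-OS code; the CA names, the scratch directory and the "public-roots.pem" trust list are stand-ins made up for the demonstration. It does what the forward proxy does for each server: validate the real server certificate against its own trust list, then mint a replacement certificate with the real subject and the real remaining validity but a key the "firewall" owns, signed by the Forward Trust CA when validation succeeds and by the Forward Untrust CA when it fails. It assumes openssl 1.1.1 or later and GNU date (for "date -d"), and handles single-RDN subjects only.

```shell
#!/bin/sh
# Added example (not PAN-OS code): a toy SSL forward proxy certificate minter.
# Assumptions: openssl 1.1.1+ and GNU date; all names below are made up.
set -eu

WORK=$(mktemp -d)                       # scratch directory for keys and certs
PUBLIC_ROOTS="$WORK/public-roots.pem"   # stands in for the firewall's CA trust list

# new_ca NAME CN: a self-signed CA, the same shape as the firewall's own
# self-signed Forward Trust / Forward Untrust certificates.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME CN DAYS: an ordinary web-server certificate signed by CA.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days "$4" -out "$WORK/$2.crt" 2>/dev/null
}

# signer_cn CERT: CN of the CA that issued CERT.
signer_cn() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=CN=//'
}

# enddate_epoch CERT: notAfter as seconds since the epoch (GNU date).
enddate_epoch() {
    date -ud "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)" +%s
}

# forward_proxy_resign REALCERT OUTNAME: what the firewall does per server.
#  1. validate the real certificate against the firewall's trust list
#  2. choose Forward Trust on success, Forward Untrust on failure
#  3. mint a certificate with the real subject and remaining validity,
#     a new private key, signed by the chosen CA
# Prints the name of the CA used. An expired real certificate is refused
# (on the firewall that case is governed by "Block timeout Cert").
forward_proxy_resign() {
    real=$1; out=$2
    if openssl verify -CAfile "$PUBLIC_ROOTS" -no-CApath "$real" >/dev/null 2>&1; then
        signer=fwd-trust
    else
        signer=fwd-untrust
    fi
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$real" | sed 's/^subject=//')
    days=$(( ( $(enddate_epoch "$real") - $(date -u +%s) ) / 86400 ))
    [ "$days" -ge 1 ] || { echo "real certificate expired" >&2; return 1; }
    openssl req -newkey rsa:2048 -nodes -subj "/$subj" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$signer.crt" \
        -CAkey "$WORK/$signer.key" -CAcreateserial -days "$days" \
        -out "$WORK/$out.crt" 2>/dev/null
    echo "$signer"
}

# run_demo: constructed data, one site behind a CA the firewall trusts and
# one behind a CA it has never heard of (what an upstream MITM looks like).
run_demo() {
    new_ca public-root "Example Public Root CA"
    cp "$WORK/public-root.crt" "$PUBLIC_ROOTS"
    new_ca fwd-trust   "pan-forward-trust"
    new_ca fwd-untrust "pan-forward-untrust"
    new_ca rogue       "Unknown CA"
    issue_leaf public-root good www.example.com 365
    issue_leaf rogue       bad  www.example.com 365
    echo "trusted site re-signed by:   $(forward_proxy_resign "$WORK/good.crt" good-proxied)"
    echo "untrusted site re-signed by: $(forward_proxy_resign "$WORK/bad.crt"  bad-proxied)"
}

run_demo
```

A client that trusts only pan-forward-trust accepts good-proxied.crt and still warns on bad-proxied.crt, which is exactly the behaviour the two CA roles are there to produce. The same issuer check is the quickest way to confirm from a client PC whether a live session is being decrypted once the policy is committed:
openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -issuer
shows the firewall CA as issuer for a decrypted session and the site's real CA for a session that matched a no-decrypt rule.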
The following is an overview of the steps to configure SSL decryption:
1. Configure the firewall to handle traffic and place it in the network.
2. Ensure the proper Certificate Authority is on the firewall.
3. Configure SSL decryption rules.
4. Enable the SSL decryption notification page (optional).
5. Commit changes, and test decryption.

Step 1: Configure the firewall to handle traffic and place it in the network

This document assumes that the Palo Alto Networks firewall is already configured with working interfaces (virtual wire or Layer 3), zones and security policy, and is already passing traffic.
https://live.paloaltonetworks.com/docs/DOC-1412
Page 1 of 20
Step 2: Loading or Generating a CA certificate on the Palo Alto Networks firewall

Because a Certificate Authority (CA) is required to generate SSL certificates on the fly, a self-signed CA needs to be created on the firewall, or a subordinate CA needs to be imported, and the "Forward Trust Certificate" and "Forward Untrust Certificate" roles need to be selected on one or more certificates before the firewall is able to decrypt traffic. Whichever CA is used, its private key lives on the firewall and can sign a certificate for any site, so treat it as a high-value secret: use a dedicated subordinate CA rather than the enterprise root, and keep the exported PFX and key files off shared storage.

NOTE: Because SSL certificate providers like Entrust, Verisign, Digicert and GoDaddy do not sell CA certificates, certificates bought from them are not supported for use in SSL decryption (a web-server certificate carries no CA:TRUE basic constraint and cannot sign other certificates).

In the firewall GUI, go to Device > Certificates. Load or generate a certificate for either inbound inspection, or for outbound (forward proxy) inspection.

Steps to Generate a Self Signed Certificate

It is recommended to use a self-signed certificate. For information on generating a self-signed certificate, please see the following document: How to Generate a New Self-Signed Certificate

Steps to generate and import a certificate from Microsoft Certificate Server

1. On the Microsoft Certificate Server for your organization, request an advanced certificate using the certificate template "subordinate CA". Download the certificate.
2. Once the certificate is downloaded, it needs to be exported from the local certificate store. In IE, this is accomplished by accessing the Internet Options dialog, selecting the Content tab and pressing the Certificates button. The new certificate should be in the Personal certificate store and can be exported from there. The Export button invokes the "Certificate Export Wizard". Select to export the private key and then select the format. A prompt appears to supply a passphrase and a file name/location for the resulting file. The certificate will be in PFX format (PKCS #12).
3. To extract the certificate, use this OpenSSL command (it prompts for the PFX passphrase):
openssl pkcs12 -in pfxfilename.pfx -out cert.pem -nokeys
4. To extract the key, use this OpenSSL command (it prompts for the PFX passphrase and then for a new passphrase to protect keyfile.pem; the firewall asks for that passphrase when the key is imported):
openssl pkcs12 -in pfxfilename.pfx -out keyfile.pem -nocerts
5. Import cert.pem and keyfile.pem into the Palo Alto Networks firewall on the Device tab > Certificates screen.
6. In the case of an HA pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

The screenshot below shows how the "Forward Trust" and "Forward Untrust" certificate roles are assigned:
NOTE: If a self-signed CA is used, the public CA certificate must be exported from the firewall and installed as a Trusted Root CA in the browser or OS trust store of each client machine to avoid untrusted-certificate errors. Export only the certificate, never the private key. Network administrators normally use GPO to push this certificate to each workstation; note that Firefox keeps its own certificate store and needs the CA added separately from the Windows store. Examples of browser errors that are seen if the self-signed CA certificate is not trusted:

Firefox untrusted CA error:
Chrome untrusted CA error:
Internet Explorer untrusted CA error:
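The extraction steps 3 to 5 above, as an added example (not from the page or from Palo Alto Networks) that runs the two openssl pkcs12 commands against a constructed PFX file and checks, before anything is imported into the firewall, that the key matches the certificate and that the certificate really is a CA. The PKI it builds (Corp Root CA, Firewall Sub CA, www.example.com) and the password "secret" are made up for the demonstration; it assumes openssl 1.1.1 or later. It also shows why the NOTE in this step holds: a plain web-server certificate packed the same way fails the CA check.

```shell
#!/bin/sh
# Added example (not PAN-OS code): extract a subordinate-CA cert and key from
# a PKCS#12 export and sanity-check them before import. Assumes openssl 1.1.1+.
set -eu

WORK=$(mktemp -d)    # scratch directory; everything below is constructed data

# pfx_extract PFX PASSWORD OUTBASE: the two commands from the page, writing
# OUTBASE.crt (certificates only) and OUTBASE.key (key, left unencrypted here).
pfx_extract() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3.crt" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null
}

# key_matches CERT KEY: succeeds when the public key in CERT is KEY's public key.
key_matches() {
    [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
      "$(openssl pkey -pubout -in "$2" | openssl sha256)" ]
}

# is_ca CERT: succeeds when CERT carries basicConstraints CA:TRUE.
# A certificate bought from a public web-server CA is a leaf and fails here.
is_ca() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# check_for_import CERT KEY: prints "ok" or the reason; succeeds only on ok.
check_for_import() {
    key_matches "$1" "$2" || { echo "key does not match certificate"; return 1; }
    is_ca "$1" || { echo "not a CA certificate (no CA:TRUE)"; return 1; }
    echo ok
}

# run_demo: root -> subordinate CA (the one meant for the firewall) -> web
# server leaf; then pack the sub CA and, wrongly, the leaf as PFX files, the
# way the Windows export wizard would hand them over.
run_demo() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Corp Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Firewall Sub CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/sub.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 365 -out "$WORK/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:secret -inkey "$WORK/sub.key" -in "$WORK/sub.crt" \
        -certfile "$WORK/root.crt" -out "$WORK/subca.pfx"
    openssl pkcs12 -export -passout pass:secret -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
        -out "$WORK/leaf.pfx"
    pfx_extract "$WORK/subca.pfx" secret "$WORK/fw"
    pfx_extract "$WORK/leaf.pfx"  secret "$WORK/wrong"
    echo "subordinate CA:  $(check_for_import "$WORK/fw.crt" "$WORK/fw.key" || true)"
    echo "web-server cert: $(check_for_import "$WORK/wrong.crt" "$WORK/wrong.key" || true)"
}

run_demo
```

fw.crt also contains the root certificate from the PFX chain (the -nokeys output keeps every certificate in the file, the CA's own certificate first), which is what the firewall needs to show the full chain to clients. The key is written unencrypted here only to keep the demonstration non-interactive; on a real workstation keep the page's form of the command, which protects keyfile.pem with a passphrase.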
Step 3: Configuring SSL decryption rules

It is up to every administrator to determine what does and what does not need to be decrypted. Below are some suggestions for configuring SSL decryption rules:

Implement rules in a phased approach. Start with very specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device (refer to Appendix A for those commands).

Avoid decrypting the following URL categories, as users may consider this to be an invasion of privacy:
Financial services
Health-and-medicine

Do not decrypt applications where the server requires client-side certificates (for identification): the firewall holds no copy of the user's private key, so it cannot complete client authentication on the user's behalf. You can either block or allow connections requiring client authentication via the decryption profile feature introduced in PAN-OS 5.0.

Likewise, applications that pin the expected server certificate or public key (many mobile apps and software updaters) reject the firewall-generated certificate even when the forward trust CA is installed on the client; these also need a no-decrypt rule.

Here is an example outbound rulebase that follows the above suggestions:
Step 4: Enable SSL decryption notification web page (optional)
The user can be notified that their SSL connection is going to be decrypted using the response page found on the Device tab > Response Pages screen. Click "Disabled", then check the "Enable SSL Opt-out Page" option and click OK.
This page can be exported, edited via an html editor, and imported to give company-specific information. Here is an example of the default page:
Step 5: Testing

To test outbound decryption: Make sure that in the outbound security policy, the anti-virus profile action is to alert on any viruses found. Also enable packet capture on that anti-virus security profile. Commit any changes made. On a PC internal to the firewall, go to www.eicar.org. In the top-right hand corner:
Click on "Download anti-malware testfile". In the screen that appears, scroll down to the bottom. Download the eicar test virus using http. Any of the 4 files shown here will be detected.
Go to the Monitor tab > Threat log, and look for the log message that detects the eicar file.
Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured.
Also, click on the magnifying glass in the far left column to see the log detail.
Scroll to the bottom, and look for the field “Decrypted.” The session was not decrypted:
Go back to the www.eicar.org downloads page. This time use the SSL-enabled protocol, HTTPS, to download the test virus.
Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. A log message that shows Eicar was detected in web browsing on port 443 will be visible.
View the packet capture (optional) by clicking on the green down arrow.
To the left of that log entry, click on the magnifying glass. Scroll to the bottom and look for the field "Decrypted"; it should be checked:
Therefore, the virus was successfully detected in an SSL-encrypted session.

To test the "no-decrypt" rule, first determine what URLs fall into the financial-services, shopping, or health-and-medicine categories. For BrightCloud, go to http://www.brightcloud.com/testasite.aspx. For PAN-DB, use Palo Alto Networks URL Filtering - Test A Site, and enter a URL to see what its category is. Once web sites classified into categories that will NOT be decrypted are found, use a browser to go to those sites using https. There should not be a certificate error when going to those sites, and the web pages will display properly. Viewing the certificate in the browser shows it was issued by the site's own public CA, not by the firewall's forward trust CA. Traffic logs will show these sessions with application "ssl" going over port 443, as expected.

To test inbound decryption: Examine the traffic logs dated PRIOR to when SSL decryption was enabled for inbound traffic on the firewall. Look at traffic targeted towards the internal servers. In those logs, the application detected should be "ssl", going over port 443. From a machine outside of the network, connect via SSL to a server in the DMZ. There will be no certificate errors, as the connection is not being proxied, just inspected. Examine the logs for this inbound connection. The application will no longer be "ssl", but the actual application found inside the SSL tunnel. Click on the magnifying glass icon in those log entries to confirm that the connections were decrypted.
Appendix A: Helpful CLI Commands

To see how many existing SSL decryption sessions are going through the device at this moment:
> debug dataplane pool statistics | match Proxy

Here is output from a PA-2050. The proxy session pool has 1024 entries and 1019 of them are free, so 5 SSL sessions are currently being decrypted (1024 - 1019 = 5):

admin@test> debug dataplane pool statistics | match Proxy
[18] Proxy session               :    1019/1024    0x7f00723f1ee0
To see the active sessions that have been decrypted:
> show session all filter ssl-decrypt yes state active

The following is the maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0 and 6.1 (both directions combined):

Hardware            SSL Decrypted Session Limit
VM-100                    1,024 sessions
VM-200                    1,024 sessions
VM-300                    1,024 sessions
PA-200                    1,024 sessions
PA-500                    1,024 sessions
PA-2020                   1,024 sessions
PA-2050                   1,024 sessions
PA-4020                   7,936 sessions
PA-4050                  23,808 sessions
PA-4060                  23,808 sessions
PA-5020                  15,872 sessions
PA-5050                  47,616 sessions
PA-5060                  90,112 sessions
PA-7000-20G-NPC         131,072 sessions
PA-7050                 786,432 sessions
If the limit is reached, the default behaviour is fail-open: all new SSL sessions beyond the limit pass through as undecrypted SSL, and are therefore not inspected. To drop new SSL sessions beyond the session limit of the device instead (configuration mode, followed by a commit):
> set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check if any sessions are hitting the limit of the device:
> show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificates:
> show system setting ssl-decrypt certificate

Certificates for Global SSL Decryption
CERT global trusted ssl-decryption
x509 certificate
  version 2
  cert algorithm 4
  valid 150310210236Z -- 210522210236Z
  cert pki 1
  subject: 172.16.77.1
  issuer: 172.16.77.1
  serial number(9)
    00 b6 96 7e c9 99 1f a8 f7   ...~.... .
  rsa key size 2048 siglen 2048
  basic constraints extension CA 1

CERT global untrusted ssl-decryption
x509 certificate
  version 2
  cert algorithm 4
  valid 150310210236Z -- 210522210236Z
  cert pki 1
  subject: 172.16.77.1
  issuer: 172.16.77.1
  serial number(9)
    00 b6 96 7e c9 99 1f a8 f7   ...~.... .
  rsa key size 2048 siglen 2048
  basic constraints extension CA 1

Note that in this sample the same self-signed certificate (same subject and serial number) is selected for both the Forward Trust and Forward Untrust roles. Once that certificate is installed on clients, certificates issued under the untrust role are trusted as well, and users are no longer warned when the firewall could not validate the real server. Select a separate certificate for the untrust role, and never distribute it to clients.

To view SSL decryption settings:
> show system setting ssl-decrypt setting

vsys                              : vsys1
Forward Proxy Ready               : yes
Inbound Proxy Ready               : no
Disable ssl                       : no
Disable ssl-decrypt               : no
Notify user                       : no
Proxy for URL                     : no
Wait for URL                      : no
Block revoked Cert                : yes
Block timeout Cert                : no
Block unknown Cert                : no
Cert Status Query Timeout         : 5
URL Category Query Timeout        : 5
Fwd proxy server cert's key size  : 0
Use Cert Cache                    : yes
CRL                               : no
OCSP                              : no
CRL Status receive Timeout        : 5
OCSP Status receive Timeout       : 5
Block unknown Cert                : no
For a list of resources about SSL decryption, please see: SSL Decryption Resources

For more information on supported cipher suites for SSL decryption, please see:
Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites
Limitations and Recommendations While Implementing SSL Decryption
How to Identify Root Cause for SSL Decryption Failure Issues

NOTE: If you think anything else needs to be added to this document, please comment below.
owner: jdelio
Categories: Certificates, Policies
Tags: decryption, ssl_decryption_policy, how_to_configure, implement, test_ssl_decryption