For SSL traffic, PAN-OS uses the CN or SNI on the certificate to identify the 'URL'. PAN-OS can decrypt and inspect inbound and outbound SSL connections going through the firewall. That's about all you will be able to see without being a MITM for the SSL session.

To get an idea of sizing, follow these rules of thumb: do not size based on decrypt-all performance statistics. The growth in encrypted (SSL/TLS) traffic traversing the Internet is on an explosive upturn.

Configuration of SSL Inbound Inspection. Create policy rules to decrypt the rest of the traffic by configuring SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy.

Configure the Firewall to Handle Traffic and Place it in the Network: make sure the Palo Alto Networks firewall is already configured with working interfaces (i.e., Virtual Wire, Layer 2, or Layer 3), zones and a security policy, and is already passing traffic.

SSL Decryption.

I heard recently from my coworkers about two situations where enabling SSL decryption on a PA-500/PA-3020 (these are the ones I heard about) caused high management plane CPU usage.

It should be mentioned that this "SSL Decryption Exclusion" list is only in 8.x, and yes, it works quite well.

# set shared ssl-decrypt ssl-exclude-cert <value>

In your case it would be:

# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"
# commit

The result will create an exclude rule for a single URL.

Decryption: Why, Where and How.
Perfect Forward Secrecy (PFS) Support for SSL Decryption.

Add exclusions to bypass decryption for special circumstances: you will need to bypass decryption in certain circumstances, such as for traffic that breaks upon decryption, specific users who need to bypass decryption for legal reasons, or partner websites that may be allowed to bypass strict certificate checks.
SSL decryption can be used to monitor for any signs that a company's valuable intellectual property might be exiting through its network. By enabling decryption on your next-gen firewalls you can inspect and control SSL/TLS and SSH traffic so that you can detect and prevent threats that would otherwise remain hidden in encrypted traffic.

Make sure the certificate is installed on the firewall.

Sizing: calculate the total TCP/443 bytes, calculate the bytes for the categories that will be decrypted, and calculate the percentage of decrypted traffic.

Step 3. Create an SSL Inbound Inspection decryption policy rule to define the traffic for the firewall.

It does not make sense to me, since the Palo Alto architecture has a specific processor for that (Security Processing) in the data plane.

Your NGFW must allow SSL opt-out so users are notified that their session is about to be decrypted and can choose to proceed or terminate the session. Allow users to opt out of SSL decryption: in some cases, you might need to alert users that the NGFW is decrypting certain web traffic and allow them to terminate sessions they do not want inspected.

Use the best practice guidelines in this site to learn how to plan for and deploy decryption in your organization.

Resolution overview: SSL decryption gives the Palo Alto Networks firewall the ability to see inside secure HTTP traffic that would otherwise be hidden. SSL Decryption will definitely have an impact on the performance of your firewall.

SSL (Secure Sockets Layer) is a security protocol that encrypts data to help keep information secure while on the internet. And, unfortunately, criminals have learned to leverage the lack of visibility and identification within encrypted traffic to hide from security surveillance and deliver malware.
Steps to Configure SSL Decryption: 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces.

The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device.

SSL Decryption: traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.

Jun 21, 2021 at 12:00 AM.

Limitations: SSL decryption will not work or take effect under the following scenarios. Forward proxy decryption does not work with mutual authentication: the server expects a user certificate to be presented during the handshake, and the Palo Alto Networks firewall does not have access to the user's private key and certificate.

If you can't decrypt everything, always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, content-delivery-networks, and high-risk URL categories.

SSL certificates have a key pair, public and private, which work together to establish a connection.

dallanwagz (5 yr. ago): You can look at the Common Name of the certificate.

Any PAN-OS.

SSL Decryption is the ability to view inside Secure HTTP traffic (SSL) as it passes through the Palo Alto Networks firewall.

Limit SSH Proxy to administrators who manage network devices, log all SSH traffic, and configure Multi-Factor Authentication to prevent unauthorized SSH access.

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates.

You can use the following command to exclude individual URLs.
Before SSL Decryption, firewall admins had no access to the information inside an encrypted SSL packet, which essentially masked all activity.

This list of domains is added to the SSL Decryption Exclusion list in each content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.