PANOS has the ability to decrypt and inspect SSL connections going through the firewall. Both
inbound and outbound SSL connections can be decrypted and inspected. SSL decryption can
occur on interfaces in virtual wire or Layer 3 mode [1]. The SSL rulebase is used to configure
which traffic to decrypt; in particular, decryption can be based upon URL categories, as well as
source user and source/target addresses.
Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted
data can be inspected for threats/URL filtering/file blocking/data filtering. Note that decrypted
traffic is never sent off of the device.
Overview of operation
Inbound SSL decryption
In this case, the administrator imports a copy of the protected server's certificate and key.
Once the SSL server certificate is loaded on the firewall, and an SSL decryption policy is
configured for the inbound traffic, the device will be able to decrypt and read the traffic
as it forwards it on. No changes will be made to the packet data, and the secure channel
will be built from the client system to the internal server. The firewall will be able to
detect malicious content and control applications running over this secure channel.
Outbound SSL decryption (called SSL forward proxy)
In this case, the firewall proxies the outbound connections. It intercepts the outbound
requests, and generates a certificate on the fly for the site that the client was going to.
The validity date on the PA-generated certificate is taken from the validity date on the
real server certificate.
The issuing authority of the PA-generated certificate is the PA device. If the firewall's
certificate is not part of an existing hierarchy or is not added to a client's browser cache,
then the client will receive a warning message when browsing to a secure site.
If the real server certificate has been issued by an authority not trusted by the PA
firewall [2], then the decryption certificate will be issued using a second, untrusted CA
key. This is to ensure that the user will be warned if there are subsequent man-in-the-middle attacks occurring.
[1] SSL decryption can also be performed on inbound traffic in tap mode if the firewall has the real SSL certificate of
the internal server. This document however focuses on inline decryption.
[2] The trusted CA certificates on the PA firewall match the trusted CA certificates found in Firefox 3.
PANOS 3.1.0
For inbound inspection, you will need to load the server certificates for any internal
server that you want to decrypt traffic to.
For outbound inspection, you have two choices:
o Click Generate a self-signed certificate, and then install the certificate in the
browser of all the client machines. By doing this, the users won't get security
warning messages when their traffic is being decrypted.
or
o Follow the steps below to import a subordinate CA certificate from your
organization's Certificate Authority. (This assumes your organization has already
deployed a PKI infrastructure.)
Note that if you have an HA pair, you can copy certificates from the first device to the
second device via the High Availability widget on the Dashboard of the GUI.
5. Import the cert.pem file and keyfile.pem file into the PA firewall on the Device tab ->
Certificates screen.
6. If you have an HA pair, also load these files onto the second PA firewall, or copy the
certificate and key via the High Availability widget on the dashboard.
[3] The certificate loaded on the firewall MUST be of type subordinate CA, as the firewall needs the ability to issue
certificates on the fly for each outbound SSL connection.
[4] OpenSSL can be run on Unix operating systems, and can be found as part of the Cygwin package for Windows
systems.
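The cert.pem and keyfile.pem pair imported in steps 5 and 6 must be a subordinate CA certificate and its matching private key, or the forward proxy cannot issue per-site certificates. The following POSIX shell pre-flight check is an added example, not part of the PANOS guide; it assumes openssl is on the PATH and takes the two file names as arguments.

```shell
#!/bin/sh
# Added example (not from the PANOS guide): pre-flight checks on the
# cert.pem / keyfile.pem pair before importing it on Device -> Certificates.
# Assumes openssl is on PATH; the file names are whatever you pass in.

# Return 0 if the certificate can act as an issuing (subordinate) CA:
# basicConstraints must say CA:TRUE and, if a Key Usage extension is
# present, it must include Certificate Sign.
is_subordinate_ca() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# Return 0 if the private key in $2 belongs to the certificate in $1,
# compared via the SHA-256 of the DER-encoded public key on each side.
key_matches_cert() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 2
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER \
            | openssl dgst -sha256) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_import_pair cert.pem keyfile.pem
# Exit 0 only when both checks pass; the reason is printed on stderr otherwise.
check_import_pair() {
  if ! is_subordinate_ca "$1"; then
    echo "REJECT: $1 is not a CA certificate; the forward proxy cannot issue from it" >&2
    return 1
  fi
  if ! key_matches_cert "$1" "$2"; then
    echo "REJECT: $2 does not match the public key in $1" >&2
    return 1
  fi
  echo "OK: $1 / $2 are a subordinate CA certificate and its matching key"
}
```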
Do not decrypt the following URL categories, as users may consider this to be an
invasion of privacy:
o Financial services
o Health-and-medicine
o Shopping
You should implement rules in a phased approach. Start with very specific rules
for decryption, and monitor the typical number of SSL connections being
decrypted by the device (refer to Appendix A for those commands). You want to
make sure you do not exceed the maximum number of concurrent SSL decrypted
sessions that is supported on a device. Over time, you can add additional
decryption rules.
Enable this feature if you choose. This page can be exported, edited via an HTML editor,
and imported to give company-specific information. Here is an example of the default
page:
Step 5: Testing
To test outbound decryption:
1. Make sure that on your outbound policy, you are alerting for any viruses found. Also
enable packet capture on that anti-virus security profile. Commit any changes you made.
2. Click on anti-malware testfile. In the screen that appears, scroll down to the bottom.
3. Download the eicar test virus over HTTP. Any of the 4 files shown here will be detected.
4. Go to the Monitor tab -> Threat log, and look for the log message that detects the eicar
file.
5. Click on the green down arrow in the left-hand column. This brings up a view of the
packets that were captured.
6. Scroll to the bottom, and look for the field SSL Decryption. You will see that the
session was not decrypted:
7. Now that you have proven that your policy will detect viruses in unencrypted traffic,
try detecting the virus in encrypted traffic. Go back to the www.eicar.org
downloads page. This time use SSL to download the test virus.
If you get a certificate error, you can still proceed with downloading the file.
8. Examine the Threat logs. The virus should have been detected, since the SSL connection
was decrypted. You will see a log message that shows Eicar was detected in web
browsing on port 443.
You can also view the packet capture by clicking on the green down arrow.
9. To the left of that log entry, click on the magnifying glass. Scroll to the bottom, and look
for the field SSL Decrypted. The value should say yes.
Appendix A
Helpful CLI Commands
To see how many existing SSL decryption sessions are going through the device at this
moment:
debug dataplane pool statistics | match Proxy
Here is output from a PA-2050 where the first command shows 1024 available sessions,
and the output of the second command shows there are 5 SSL sessions being decrypted
(1024 - 1019 = 5):
The following is the maximum number of concurrent SSL decrypted sessions in PANOS
3.1.0 (both directions combined):
o PA-500: 1024 sessions
o PA-2020: 1024 sessions
o PA-2050: 1024 sessions
o PA-4020: 7936 sessions
o PA-4050: 23,808 sessions
o PA-4060: 23,808 sessions
If the limit is reached, all new SSL sessions go through as undecrypted SSL. To drop any
new SSL sessions beyond the session limit of the device:
set deviceconfig setting ssl-decrypt deny-setup-failure yes
To check if there are any sessions hitting the limit of the device:
show counter global name proxy_flow_alloc_failure