
How to Implement SSL Decryption

PANOS has the ability to decrypt and inspect SSL connections going through the firewall. Both
inbound and outbound SSL connections can be decrypted and inspected. SSL decryption can
occur on interfaces in virtual wire or Layer 3 mode [1]. The SSL rulebase is used to configure
which traffic to decrypt; in particular, decryption can be based upon URL categories, as well as
source user and source/target addresses.
Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted
data can be inspected for threats, URL filtering, file blocking and data filtering. Note that decrypted
traffic is never sent off of the device.

Overview of operation
Inbound SSL decryption
In this case, the administrator imports a copy of the protected server's certificate and key.
Once the SSL server certificate is loaded on the firewall, and an SSL decryption policy is
configured for the inbound traffic, the device will be able to decrypt and read the traffic
as it forwards it on. No changes will be made to the packet data, and the secure channel
will be built from the client system to the internal server. The firewall will be able to
detect malicious content and control applications running over this secure channel.
Outbound SSL decryption (called SSL forward proxy)
In this case, the firewall proxies the outbound connections. It intercepts the outbound
requests and generates a certificate on the fly for the site that the client was going to.
The validity date on the PA-generated certificate is taken from the validity date on the
real server certificate.
The issuing authority of the PA-generated certificate is the PA device. If the firewall's
certificate is not part of an existing hierarchy or is not added to the client's browser cache,
then the client will receive a warning message when browsing to a secure site.
If the real server certificate has been issued by an authority not trusted by the PA
firewall [2], then the decryption certificate will be issued using a second, untrusted CA
key. This ensures that the user will still be warned if a man-in-the-middle attack is
occurring.

[1] SSL decryption can also be performed on inbound traffic in tap mode if the firewall has the real SSL certificate of
the internal server. This document however focuses on inline decryption.
[2] The trusted CA certificates on the PA firewall match the trusted CA certificates found in Firefox 3.

PANOS 3.1.0

Overview of Configuration Steps


Here are the steps to configuring SSL decryption:
1. Configure appropriate interfaces into either virtual wire or Layer 3, and insert the device
inline in the network.
2. Install the proper certificates on the firewall.
3. Configure SSL decryption rules.
4. Enable the SSL decryption notification page (optional).
5. Commit your changes, and test decryption.
Step 1 above is not discussed in this document. Steps 2-5 are described below.

Step 2: Loading a certificate on the PA device


In the firewall GUI, go to Device tab -> Certificates screen. You will load or generate a
certificate for either inbound inspection, or for outbound (forward proxy) inspection.

For inbound inspection, you will need to load the server certificates for any internal
server that you want to decrypt traffic to.
For outbound inspection, you have two choices:
- Click Generate a self-signed certificate, and then install the certificate in the
  browser of all the client machines. By doing this, the users won't get security
  warning messages when their traffic is being decrypted.
or
- Follow the steps below to import a subordinate CA certificate from your
  organization's Certificate Authority. (This assumes your organization has already
  deployed a PKI infrastructure.)
Note that if you have an HA pair, you can copy certificates from the first device to the
second device via the High Availability widget on the Dashboard of the GUI.


Steps to generate and import a certificate from Microsoft Certificate Server


1. On the Microsoft Certificate Server for your organization, request an advanced certificate
using the certificate template subordinate CA [3]. Download the cert.
2. Once the certificate is downloaded, it will need to be exported from the local certificate
store. In IE7, this is accomplished by accessing the Internet Options dialog, selecting the
Content tab and pressing the Certificates button. The new certificate should be in the
Personal certificate store and can then be exported from there. The Export button will
invoke the Certificate Export Wizard. Select to export the private key and then select
the format. You will be prompted to supply a passphrase and a file name/location for the
resulting file. The certificate will be in PFX format (PKCS #12).
3. To extract the certificate, use this OpenSSL [4] command:
openssl pkcs12 -in pfxfilename.pfx -out cert.pem -nokeys
4. To extract the key, use this OpenSSL command:
openssl pkcs12 -in pfxfilename.pfx -out keyfile.pem -nocerts

5. Import the cert.pem file and keyfile.pem file into the PA firewall on the Device tab ->
Certificates screen.
6. If you have an HA pair, also load these files onto the second PA firewall, or copy the
certificate and key via the High Availability widget on the dashboard.

[3] The certificate loaded on the firewall MUST be of type subordinate CA, as the firewall needs the ability to issue
certificates on the fly for each outbound SSL connection.
[4] OpenSSL can be run on Unix operating systems, and can be found as part of the Cygwin package for Windows
systems.
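The following is an added example, not code from the Palo Alto tech note. It runs the PFX-to-PEM split from steps 3 and 4 through the openssl command line and then checks, before anything is imported into the firewall, that the extracted certificate really is a CA certificate as footnote 3 requires. The test PFX, the file names and the passphrase are all constructed for the demonstration.

```python
"""Added example: extract cert.pem and keyfile.pem from a PFX with openssl and
verify basicConstraints CA:TRUE before import. The test PFX, file names and
passphrase are constructed; the openssl CLI must be on PATH."""
import os
import subprocess
import tempfile


def run(*args):
    return subprocess.run(args, check=True, capture_output=True, text=True)


def make_test_pfx(workdir, ca, passphrase):
    """Constructed stand-in for the PFX exported from the Windows certificate store:
    ca=True mimics the subordinate CA template, ca=False an ordinary server cert."""
    key, crt, csr, pfx = (os.path.join(workdir, n) for n in ("t.key", "t.crt", "t.csr", "t.pfx"))
    if ca:
        run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=demo-sub-ca", "-addext", "basicConstraints=critical,CA:TRUE",
            "-keyout", key, "-out", crt)
    else:  # self-signed leaf certificate with no basicConstraints extension at all
        run("openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=demo-leaf", "-keyout", key, "-out", csr)
        run("openssl", "x509", "-req", "-in", csr, "-signkey", key, "-days", "1", "-out", crt)
    run("openssl", "pkcs12", "-export", "-in", crt, "-inkey", key, "-out", pfx,
        "-passout", "pass:" + passphrase)
    return pfx


def extract_pem(pfx, passphrase, outdir):
    """Steps 3 and 4: split the PKCS#12 file into cert.pem and keyfile.pem. -nodes writes
    the key unencrypted; the document's command instead prompts for a PEM passphrase."""
    cert = os.path.join(outdir, "cert.pem")
    key = os.path.join(outdir, "keyfile.pem")
    pw = "pass:" + passphrase
    run("openssl", "pkcs12", "-in", pfx, "-out", cert, "-nokeys", "-passin", pw)
    run("openssl", "pkcs12", "-in", pfx, "-out", key, "-nocerts", "-nodes", "-passin", pw)
    return cert, key


def is_ca_certificate(cert_pem):
    """True only if basicConstraints says CA:TRUE; the forward proxy cannot mint per-site
    certificates from anything else, so reject the file before importing it."""
    return "CA:TRUE" in run("openssl", "x509", "-in", cert_pem, "-noout", "-text").stdout


def demo(ca):
    """Build a test PFX, extract it, and report whether it is fit for import."""
    with tempfile.TemporaryDirectory() as d:
        cert, _key = extract_pem(make_test_pfx(d, ca, "demo-pass"), "demo-pass", d)
        return is_ca_certificate(cert)
```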


Step 3: Configure SSL decryption rules


Here are some suggestions for configuring SSL decryption rules:

- Do not decrypt known-good SSL connections, such as connections between
  internal users and internal servers.
- Do not decrypt the following URL categories, as users may consider this to be an
  invasion of privacy:
  o Financial services
  o Health-and-medicine
  o Shopping
- Do not decrypt the URL category unknown, as it includes many non-HTTP
  applications, some of which will not SSL decrypt correctly.
- Do not decrypt the URL category computer-and-internet info, as it includes the
  Windows Update service, which requires specific server certificates from
  Microsoft. (As an alternative, you can create a rule that does not decrypt traffic to
  the IP addresses of the Microsoft Update servers.)
- Do not decrypt applications where the server requires client-side certificates.
- Be precise in your source and target zones; do not use "any".
- Implement rules in a phased approach. Start with very specific rules
  for decryption, and monitor the typical number of SSL connections being
  decrypted by the device (refer to Appendix A for those commands). You want to
  make sure you do not exceed the maximum number of concurrent SSL decrypted
  sessions that is supported on the device. Over time, you can add additional
  decryption rules.

Here is an example outbound rulebase that follows the above suggestions:


Step 4: Enable SSL decryption notification web page (optional)


1. The user can be notified that their SSL connection is going to be decrypted using the
response page found on the Device tab -> Response Pages screen.

Enable this feature if you choose. This page can be exported, edited in an HTML editor,
and imported again to give company-specific information. Here is an example of the default
page:


Step 5: Testing
To test outbound decryption:
1. Make sure that on your outbound policy, you are alerting for any viruses found. Also
enable packet capture on that anti-virus security profile. Commit any changes you made.

2. On a PC internal to the firewall, go to www.eicar.org. In the top-right hand corner, you
will see:

Click on anti-malware testfile. In the screen that appears, scroll down to the bottom.

3. Download the eicar test virus using http. Any of the 4 files shown here will be detected.

4. Go to the Monitor tab -> Threat log, and look for the log message that detects the eicar
file.


5. Click on the green down arrow in the left-hand column. This brings up a view of the
packets that were captured.

6. Also click on the magnifying glass in the far left column.

Scroll to the bottom, and look for the field SSL Decryption. You will see that the
session was not decrypted:

7. Now that you have proven that your policy will detect viruses in unencrypted traffic, you
will now try detecting the virus in encrypted traffic. Go back to the www.eicar.org
downloads page. This time use SSL to download the test virus.

If you get a certificate error, you can still proceed with downloading the file.


8. Examine the Threat logs. The virus should have been detected, since the SSL connection
was decrypted. You will see a log message that shows Eicar was detected in web
browsing on port 443.

You can also view the packet capture by clicking on the green down arrow.

9. To the left of that log entry, click on the magnifying glass. Scroll to the bottom, and look
for the field SSL Decrypted. The value should say yes.

Therefore, the virus was successfully detected in an SSL-encrypted session.


10. To test the no-decrypt rule, first determine what URLs fall into the financial services,
shopping, or health and medicine categories. Go to
http://www.brightcloud.com/testasite.aspx and enter various URLs that you believe fall
into those categories.
11. Once you have found some web sites that are classified into categories that will NOT be
decrypted, use a browser to go to those sites using https. You should not see a certificate
error when you go to those sites. The web pages will be displayed properly. If you look
at the traffic logs, the sessions will show application SSL going over port 443, as
expected.


To test inbound decryption:


1. Examine the traffic logs that are dated PRIOR to when you enabled SSL inbound
decryption on the firewall. Look at traffic targeted towards your internal servers. In
those logs, the application detected should be ssl, going over port 443.
2. From a machine outside of your network, connect via SSL to a server in your DMZ.
There will be no certificate errors, as the connection is not being proxied, just
inspected.
3. Examine the logs for this inbound connection. The applications will not be ssl, but
the actual applications found inside the SSL tunnel. You can click on the magnifying
glass icon in those log entries to confirm that the connections were decrypted.


Appendix A
Helpful CLI Commands

To see how many existing SSL decryption sessions are going through the device at this
moment:
debug dataplane pool statistics | match Proxy
Here is output from a PA-2050 where the first command shows 1024 available sessions,
and the output of the second command shows there are 5 SSL sessions being decrypted
(1024 - 1019 = 5):

The following is the maximum number of concurrent SSL decrypted sessions in PANOS
3.1.0 (both directions combined):
o PA-500: 1024 sessions
o PA-2020: 1024 sessions
o PA-2050: 1024 sessions
o PA-4020: 7936 sessions
o PA-4050: 23,808 sessions
o PA-4060: 23,808 sessions
If the limit is reached, all new SSL sessions pass through as undecrypted SSL. To instead drop
any new SSL sessions beyond the session limit of the device:
set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check if there are any sessions hitting the limit of the device:
show counter global name proxy_flow_alloc_failure
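The following is an added example, not part of the tech note, that turns the two Appendix A checks into a small capacity report for the phased rollout recommended in Step 3. The pool and counter output are constructed samples, and the free/total layout of the Proxy Session line is an assumption about the CLI format rather than a capture from a real device; the per-platform limits are the ones listed above.

```python
"""Added example: compute decrypted-session load from constructed samples of
`debug dataplane pool statistics | match Proxy` and
`show counter global name proxy_flow_alloc_failure` (output layout assumed)."""
import re

# Maximum concurrent decrypted SSL sessions per platform in PANOS 3.1.0 (Appendix A).
SESSION_LIMITS = {"PA-500": 1024, "PA-2020": 1024, "PA-2050": 1024,
                  "PA-4020": 7936, "PA-4050": 23808, "PA-4060": 23808}

# Constructed sample of: debug dataplane pool statistics | match Proxy
SAMPLE_POOL_OUTPUT = "[ 9] Proxy Session              :    1019/1024  0x800000003c000000\n"
# Constructed sample of: show counter global name proxy_flow_alloc_failure
SAMPLE_COUNTER_OUTPUT = "proxy_flow_alloc_failure    0    0  warn  proxy  pktproc  Failed to allocate proxy flow\n"

POOL_RE = re.compile(r"Proxy Session\s*:\s*(\d+)/(\d+)")
COUNTER_RE = re.compile(r"^proxy_flow_alloc_failure\s+(\d+)", re.M)


def decrypted_sessions(pool_output):
    """Return (in_use, pool_size): the pool line lists free/total, so the number of
    sessions currently being decrypted is total minus free (1024 - 1019 = 5)."""
    m = POOL_RE.search(pool_output)
    if m is None:
        raise ValueError("Proxy Session pool line not found in output")
    free, total = int(m.group(1)), int(m.group(2))
    return total - free, total


def alloc_failures(counter_output):
    """Number of times a new SSL session could not get a proxy flow (limit reached)."""
    m = COUNTER_RE.search(counter_output)
    return int(m.group(1)) if m else 0


def capacity_report(model, pool_output, counter_output, warn_pct=80):
    """Compare current decryption load with the platform limit. Any alloc failure means
    the limit was hit and new SSL sessions passed undecrypted (or were dropped if
    deny-setup-failure is set); above warn_pct, stop adding decryption rules."""
    in_use, pool_size = decrypted_sessions(pool_output)
    limit = SESSION_LIMITS.get(model, pool_size)
    pct = round(100.0 * in_use / limit, 1)
    if alloc_failures(counter_output) > 0:
        status = "limit-hit"
    elif pct >= warn_pct:
        status = "near-limit"
    else:
        status = "ok"
    return {"model": model, "decrypted": in_use, "limit": limit, "percent": pct, "status": status}
```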


To view the SSL decryption certificate:

To view SSL decryption settings:
