Decryption Policy for Outbound SSL Connection.
Why do we require this policy ?
We do require this policy for acting Palo Alto as a Man In Middle.
Basically if user is connecting to some server on internet through ssh then PA won't be able to decryt the traffic and if some other connection ex facebook chat or malicious application can be tunneled through it.
When you create a Decryption policy rule, the objective is to decrypt traffic so that a Security policy rule can examine it and allow or block it based on policy.
How it works ?
A connection has to be built between PA and user & PA and outside server.
So now here we want to have common certificate which both PA and user trust.
Normally it's CA certificate but for practical purpose we may use PA self-signed certificate and get it trusted by user.
Steps 1 : Generate Self Sign Certificate on PA
Step 2 : Export it and get it added (import) as trusted CA in user's system.
Normally each company has it's customized OS image which is being used to deploy in each user's computer and that image contains Company's CA as trusted so all browser will trust it.
Step 3 : Now create a decrytion policy on PA
Why this is needed ?
There are Govt Regulations in some companies that you can't decrypt Bank or other financials websites.
So either companies has to block that websites or create a decrytion policy to allow that traffic encryted.
How could a user check if traffic is decryted by firewall of his ssl or https session ?
Simple click https on website drop down to certificate and will tell trusted CA (Local CA or Public CA).
Comments