Decryption Profiles
Decryption profiles define the settings applied to SSL/TLS decryption, such as which SSL/TLS versions and cipher suites to accept and how certificate problems are handled.
File Location
Decryption profiles are defined in JSON or YAML files located in:
ngfw/objects/decryption/decryption profile
This path is defined in the settings.py module as DECRYPTION_PROFILES_FOLDER.
File Format
Decryption profiles can be defined in either JSON or YAML format. Each file represents a single decryption profile with settings for SSL/TLS protocols, cipher suites, and proxy behavior. Option values are the strings "yes" and "no"; in YAML they must stay quoted, because an unquoted yes or no is read as a boolean by YAML 1.1 parsers.
JSON Example
{
  "entry": {
    "@name": "DP-default",
    "ssl-forward-proxy": {
      "block-expired-certificate": "yes",
      "block-untrusted-issuer": "yes",
      "block-unknown-cert": "no",
      "block-timeout-cert": "no",
      "restrict-cert-exts": "no",
      "auto-include-altname": "no",
      "block-unsupported-version": "no",
      "block-unsupported-cipher": "no",
      "block-client-cert": "no",
      "block-if-no-resource": "no",
      "block-tls13-downgrade-no-resource": "no",
      "strip-alpn": "no"
    },
    "ssl-inbound-proxy": {
      "block-unsupported-version": "no",
      "block-unsupported-cipher": "no",
      "block-if-no-resource": "no",
      "block-tls13-downgrade-no-resource": "no"
    },
    "ssl-protocol-settings": {
      "enc-algo-chacha20-poly1305": "yes",
      "auth-algo-md5": "no",
      "min-version": "tls1-0",
      "max-version": "max",
      "keyxchg-algo-rsa": "yes",
      "keyxchg-algo-dhe": "yes",
      "keyxchg-algo-ecdhe": "yes",
      "enc-algo-3des": "yes",
      "enc-algo-rc4": "yes",
      "enc-algo-aes-128-cbc": "yes",
      "enc-algo-aes-256-cbc": "yes",
      "enc-algo-aes-128-gcm": "yes",
      "enc-algo-aes-256-gcm": "yes",
      "auth-algo-sha1": "yes",
      "auth-algo-sha256": "yes",
      "auth-algo-sha384": "yes"
    },
    "ssl-no-proxy": {
      "block-expired-certificate": "no",
      "block-untrusted-issuer": "no"
    },
    "ssh-proxy": {
      "block-unsupported-version": "no",
      "block-unsupported-alg": "no",
      "block-ssh-errors": "no",
      "block-if-no-resource": "no"
    }
  }
}
YAML Example
entry:
  "@name": "DP-default"
  ssl-forward-proxy:
    block-expired-certificate: "yes"
    block-untrusted-issuer: "yes"
    block-unknown-cert: "no"
    block-timeout-cert: "no"
    restrict-cert-exts: "no"
    auto-include-altname: "no"
    block-unsupported-version: "no"
    block-unsupported-cipher: "no"
    block-client-cert: "no"
    block-if-no-resource: "no"
    block-tls13-downgrade-no-resource: "no"
    strip-alpn: "no"
  ssl-inbound-proxy:
    block-unsupported-version: "no"
    block-unsupported-cipher: "no"
    block-if-no-resource: "no"
    block-tls13-downgrade-no-resource: "no"
  ssl-protocol-settings:
    enc-algo-chacha20-poly1305: "yes"
    auth-algo-md5: "no"
    min-version: "tls1-0"
    max-version: "max"
    keyxchg-algo-rsa: "yes"
    keyxchg-algo-dhe: "yes"
    keyxchg-algo-ecdhe: "yes"
    enc-algo-3des: "yes"
    enc-algo-rc4: "yes"
    enc-algo-aes-128-cbc: "yes"
    enc-algo-aes-256-cbc: "yes"
    enc-algo-aes-128-gcm: "yes"
    enc-algo-aes-256-gcm: "yes"
    auth-algo-sha1: "yes"
    auth-algo-sha256: "yes"
    auth-algo-sha384: "yes"
  ssl-no-proxy:
    block-expired-certificate: "no"
    block-untrusted-issuer: "no"
  ssh-proxy:
    block-unsupported-version: "no"
    block-unsupported-alg: "no"
    block-ssh-errors: "no"
    block-if-no-resource: "no"
Configuration Options
Decryption profiles support the following configuration options:
SSL Forward Proxy Settings
Settings for SSL forward proxy (client to server) decryption:
block-expired-certificate: Block connections with expired certificates
block-untrusted-issuer: Block connections with certificates from untrusted issuers
block-unknown-cert: Block connections whose certificate status is unknown
block-timeout-cert: Block connections when the certificate status check times out
restrict-cert-exts: Restrict certificate extensions
auto-include-altname: Automatically add the certificate's common name to its subject alternative names
block-unsupported-version: Block unsupported SSL/TLS versions
block-unsupported-cipher: Block unsupported cipher suites
block-client-cert: Block connections that use client certificate authentication
block-if-no-resource: Block connections if no decryption resources are available
block-tls13-downgrade-no-resource: Block TLS 1.3 downgrade if no decryption resources are available
strip-alpn: Strip the Application-Layer Protocol Negotiation (ALPN) extension
SSL Inbound Proxy Settings
Settings for SSL inbound proxy decryption (connections inbound to internal servers):
block-unsupported-version: Block unsupported SSL/TLS versions
block-unsupported-cipher: Block unsupported cipher suites
block-if-no-resource: Block connections if no decryption resources are available
block-tls13-downgrade-no-resource: Block TLS 1.3 downgrade if no decryption resources are available
SSL Protocol Settings
Settings for SSL/TLS protocol versions and algorithms; each algorithm option is enabled with "yes" or disabled with "no":
min-version: Minimum SSL/TLS version (ssl-3-0, tls1-0, tls1-1, tls1-2, tls1-3)
max-version: Maximum SSL/TLS version (ssl-3-0, tls1-0, tls1-1, tls1-2, tls1-3, max)
enc-algo-*: Encryption algorithms (3des, rc4, aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm, chacha20-poly1305)
auth-algo-*: Authentication (hash/MAC) algorithms (md5, sha1, sha256, sha384)
keyxchg-algo-*: Key exchange algorithms (rsa, dhe, ecdhe)
SSL No Proxy Settings
Settings for SSL traffic that is not decrypted:
block-expired-certificate: Block connections with expired certificates
block-untrusted-issuer: Block connections with certificates from untrusted issuers
SSH Proxy Settings
Settings for SSH proxy decryption:
block-unsupported-version: Block unsupported SSH versions
block-unsupported-alg: Block unsupported algorithms
block-ssh-errors: Block connections on SSH errors
block-if-no-resource: Block connections if no decryption resources are available
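As an added check (not part of the project), the following Python lints a parsed profile against a conservative baseline: TLS 1.2 as the minimum version, no RC4, 3DES, MD5 or SHA-1, and the forward-proxy block-* settings listed above set to "yes". The sample dict is constructed from the DP-default example; lint_profile and harden are names chosen here.

```python
"""Hardening check for a decryption profile (added example, not project code)."""
import json
# Constructed sample: the forward-proxy and protocol settings from the
# DP-default example above, as the JSON/YAML parser would hand them over.
SAMPLE_PROFILE = json.loads("""
{"entry": {"@name": "DP-default",
  "ssl-forward-proxy": {"block-expired-certificate": "yes",
                        "block-untrusted-issuer": "yes",
                        "block-unsupported-version": "no",
                        "block-unsupported-cipher": "no"},
  "ssl-protocol-settings": {"min-version": "tls1-0", "max-version": "max",
                            "enc-algo-rc4": "yes", "enc-algo-3des": "yes",
                            "auth-algo-md5": "no", "auth-algo-sha1": "yes"}}}
""")

VERSION_ORDER = ["ssl-3-0", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]
WEAK_ALGOS = ["enc-algo-rc4", "enc-algo-3des", "auth-algo-md5", "auth-algo-sha1"]
# Forward-proxy toggles that should be "yes" so sessions the firewall
# cannot validate or inspect are blocked rather than passed through.
MUST_BLOCK = ["block-expired-certificate", "block-untrusted-issuer",
              "block-unsupported-version", "block-unsupported-cipher"]

def lint_profile(profile: dict) -> list:
    """Return findings against the baseline; an empty list means it passes."""
    entry = profile["entry"]
    name = entry.get("@name", "<unnamed>")
    findings = []
    proto = entry.get("ssl-protocol-settings", {})
    min_v = proto.get("min-version", "tls1-0")
    if min_v in VERSION_ORDER and VERSION_ORDER.index(min_v) < 3:
        findings.append(f"{name}: min-version {min_v} is below tls1-2")
    for key in WEAK_ALGOS:
        if proto.get(key) == "yes":
            findings.append(f"{name}: weak algorithm enabled: {key}")
    fwd = entry.get("ssl-forward-proxy", {})
    for key in MUST_BLOCK:
        if fwd.get(key, "no") != "yes":
            findings.append(f"{name}: ssl-forward-proxy {key} should be yes")
    return findings

def harden(profile: dict) -> dict:
    """Return a copy of the profile with every finding above corrected."""
    fixed = json.loads(json.dumps(profile))  # deep copy via round-trip
    proto = fixed["entry"].setdefault("ssl-protocol-settings", {})
    proto["min-version"] = "tls1-2"
    proto.update({key: "no" for key in WEAK_ALGOS})
    fwd = fixed["entry"].setdefault("ssl-forward-proxy", {})
    fwd.update({key: "yes" for key in MUST_BLOCK})
    return fixed
```

Running lint_profile on the full DP-default example reports the same classes of finding, since it enables rc4, 3des and sha1 and allows tls1-0.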
Implementation Details
Decryption profiles are processed by the create_non_sdk_objects function in the auxiliary_functions.py module. This function:
1. Parses the JSON or YAML files for decryption profiles using parse_metadata_from_json or parse_metadata_from_yaml
2. Constructs XML elements for each profile definition
3. Deploys the decryption profiles to the PAN-OS device using multi-config API calls
The same algorithm is used for all security profile types, providing a consistent approach to profile management across the system.
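The parse-then-build step above, as an added illustration rather than the project's own code: dict_to_element, profile_to_xml and setting are names assumed here, and the sample dict is constructed from the DP-default example in the form a JSON or YAML parser would return it.

```python
"""Turn a parsed decryption profile into its PAN-OS XML entry element.

Added example, not the project's create_non_sdk_objects: keys beginning
with "@" become attributes, nested mappings become child elements and
string values become element text, so one routine serves every section.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed DP-default as parse_metadata_from_json
# (or parse_metadata_from_yaml) would return it; both formats yield the
# same mapping, which is why a single conversion routine serves both.
SAMPLE_PROFILE = json.loads("""
{"entry": {"@name": "DP-default",
  "ssl-forward-proxy": {"block-expired-certificate": "yes",
                        "strip-alpn": "no"},
  "ssl-protocol-settings": {"min-version": "tls1-2", "max-version": "max"},
  "ssh-proxy": {"block-ssh-errors": "no"}}}
""")

def dict_to_element(tag: str, value) -> ET.Element:
    """Recursively build an element: attributes first, then children in order."""
    elem = ET.Element(tag)
    if isinstance(value, dict):
        for key, child in value.items():
            if key.startswith("@"):
                elem.set(key[1:], str(child))
            else:
                elem.append(dict_to_element(key, child))
    elif value is not None:
        elem.text = str(value)
    return elem

def profile_to_xml(profile: dict) -> str:
    """Serialise the single top-level entry of a profile file."""
    (tag, body), = profile.items()
    return ET.tostring(dict_to_element(tag, body), encoding="unicode")

def setting(profile: dict, path: str):
    """Read one setting back out of the generated XML (None if absent)."""
    root = ET.fromstring(profile_to_xml(profile))
    node = root.find(path)
    return None if node is None else node.text

if __name__ == "__main__":
    print(profile_to_xml(SAMPLE_PROFILE))
```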