This document will walk through an automation example using the Palo Alto Networks firewall and Dynamic Address Groups (DAGs).

Using DAGs is a powerful way to bring automation to security policies. The idea is to have pre-set policies configured on the firewall which utilize Dynamic Address Groups. As conditions change for a host, it may be dynamically moved to a DAG and therefore be subject to a different policy in the rulebase. If conditions change once more for that host, it may be moved to yet another DAG, hitting a different policy altogether. All of this happens without an administrator adding and deploying new rules or committing changes to be pushed out.

The conditions which may be monitored are vast, and the use cases are virtually endless. In this example we will use DAGs to dynamically move a host into and out of an SSL decryption group for troubleshooting.

We will begin by creating the tag which will be used by the Dynamic Address Group.

Create the tag for disabling SSL decrypt.

Create the DAG to be used within the decryption policy. Click Add Match Criteria and select the tag created in the previous step to denote no SSL decryption.

Configure the SSL decryption policies to decrypt (hosts outside of the DAG) and to exclude from decryption (hosts inside of the DAG).

For the no-decrypt policy, use the do-not-decrypt DAG as the source address.

For the decrypt policy, use Any for the source/destination addresses.

Note: this document assumes there is a certificate on the firewall and on the client to perform the decryption.

The decryption policies should reflect the following:

Before we add the logging conditions, we need a way to trigger the condition. In this example, we will create custom vulnerability signatures that watch for specific URI paths. We will use the URI path as a way to move a host into or out of our DAG.

Objects > Custom Objects > Vulnerability > Add

Create a vulnerability signature which looks for the URI path of '/kw-nodecrypt/'.

Assign the Threat ID a custom signature number.

It is recommended to set Severity to informational and Action to Alert.

For live environments, work with the Incident Response team so they know to ignore this specific alert.

Add a Standard signature.

Use the green plus button to Add And Condition.

For the Pattern, enter our custom command to disable decryption: /kw-nodecrypt/

Create a second vulnerability signature which looks for the URI path of '/kw-nodecrypt-remove/'. This will tell the firewall to remove the host from the SSL bypass DAG and begin decrypting once again.
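Added example, not code from the original walkthrough: a Python model of the mechanism above using the two URI paths from the text. It builds the PAN-OS User-ID API register/unregister message (the registered-IP tagging that DAG membership is computed from) and simulates which decryption rule a source hits before and after each path is seen. The tag name, the firewall host name and the API key are placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ADD_PATH = "/kw-nodecrypt/"  # both paths are the walkthrough's
REMOVE_PATH = "/kw-nodecrypt-remove/"
NO_DECRYPT_TAG = "kw-no-decrypt"  # placeholder tag name

def action_for_path(uri_path):
    """Tag operation a signature hit on this path should trigger; the remove path
    is tested first because both paths share the '/kw-nodecrypt' prefix."""
    if uri_path.startswith(REMOVE_PATH):
        return "unregister"
    return "register" if uri_path.startswith(ADD_PATH) else None

def uid_message(action, ip, tag):
    """User-ID API payload that registers/unregisters a tag on an IP; DAG
    membership on PAN-OS is computed from exactly these registered-IP tags."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    entry = ET.SubElement(ET.SubElement(payload, action), "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def api_request(fw_host, api_key, cmd):
    """Prepared (not sent) XML API request; the key travels in the X-PAN-KEY
    header rather than the query string, so it is not written to access logs."""
    body = urllib.parse.urlencode({"type": "user-id", "cmd": cmd}).encode()
    return urllib.request.Request(f"https://{fw_host}/api/", data=body,
                                  headers={"X-PAN-KEY": api_key})

class DagSimulator:
    """Offline model: registered tags -> DAG membership -> decryption rule hit."""
    def __init__(self):
        self.tags = {}  # ip -> set of registered tags

    def handle_request(self, src_ip, uri_path):
        """Apply the tag change a signature hit causes; return the API message."""
        action = action_for_path(uri_path)
        if action is None:
            return None
        tagset = self.tags.setdefault(src_ip, set())
        (tagset.add if action == "register" else tagset.discard)(NO_DECRYPT_TAG)
        return uid_message(action, src_ip, NO_DECRYPT_TAG)

    def decryption_rule(self, src_ip):
        """The no-decrypt rule (source = DAG) must sit above the catch-all decrypt
        rule, so DAG members hit it first; everyone else is decrypted."""
        return "no-decrypt" if NO_DECRYPT_TAG in self.tags.get(src_ip, ()) else "decrypt"
```

A registered tag persists until it is unregistered or its timeout expires, so the remove path is the cleanup step; the current membership can be checked on the firewall with `show object registered-ip all`.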