https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/402693#M1178 <P>Yes, you can decrypt on the ALB to perform any URI-based policy or insert the XFF.&nbsp; You can choose to keep the traffic decrypted behind the ALB and the firewall will see the clear text traffic or reencrypt on the ALB and use inbound SSL decryption.&nbsp; Typically you would use the same cert for the ALB, backend, and firewall.&nbsp; At the time of this posting, the ALB does not care about mismatched certs so you could actually use a self-signed cert on the firewall.</P> Wed, 28 Apr 2021 12:28:43 GMT jmeurer 2021-04-28T12:28:43Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/402643#M1176 <P>On AWS we have deployed Application Load balancer after firewall. Can we configure ssl inbound inspection in this case?</P><P>Will it work properly, whic certificate we have to import on firewall, server certificate or ALB certificate?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 10:29:18 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/402643#M1176 omprasadax 2021-04-28T10:29:18Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/402693#M1178 <P>Yes, you can decrypt on the ALB to perform any URI-based policy or insert the XFF.&nbsp; You can choose to keep the traffic decrypted behind the ALB and the firewall will see the clear text traffic or reencrypt on the ALB and use inbound SSL decryption.&nbsp; Typically you would use the same cert for the ALB, backend, and firewall.&nbsp; At the time of this posting, the ALB does not care about mismatched certs so you could actually use a self-signed cert on the firewall.</P> Wed, 28 Apr 2021 12:28:43 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/402693#M1178 jmeurer 2021-04-28T12:28:43Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/403704#M1179 <P>In SSL inbound inspection , will self signed certificate work or we would require server certificate?</P><P>&nbsp;</P> Thu, 29 Apr 2021 04:37:44 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/403704#M1179 omprasadax 2021-04-29T04:37:44Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/403957#M1182 <P><SPAN>At the time of this posting, the ALB does not care about mismatched certs so you could actually use a self-signed cert on the firewall.</SPAN></P> Thu, 29 Apr 2021 13:49:23 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ssl-decryption-inbound-inspection/m-p/403957#M1182 jmeurer 2021-04-29T13:49:23Z