https://live.paloaltonetworks.com/t5/next-generation-firewall/ssl-forward-proxy-problems/m-p/564414#M2051 <P>Hello.</P> <P>I'm seeking some guidance from those who have configured this, and have it working.</P> <P>I'm trying to configure the SSL forward proxy feature, to decrypt web traffic.</P> <P>I can get this working no problems using a self signed certificate, but this is problematic for devices such as phones and tablets.&nbsp; I can certainly push the certificate to computers using group policy, but need to support visiting people with BYODs and also portable devices.</P> <P>I have purchased a certificate, from a public CA.</P> <P>However, when installing said certificate on the firewall, it sees it as "trusted" and says it's ok, but the option to use it as the forward trust certificate is greyed out. <BR />I've had a tac case and even tac don't seem to know why.</P> <P>They have suggested I make a combined certificate which includes the intermediate certificates from the CA, which I have done, and it made no difference.</P> <P>TAC can't seem to work out how to make this feature work, and neither can I. <BR />Is there anyone using a public CA signed certificate for this purpose? How did you make it work? <BR />TAC have assured me that the version of PanOS I am using does not have a bug, and it should just work.</P> <P>Please help.&nbsp; Thankyou in advance.</P> Sun, 05 Nov 2023 10:54:47 GMT JDavis36 2023-11-05T10:54:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ssl-forward-proxy-problems/m-p/564414#M2051 <P>Hello.</P> <P>I'm seeking some guidance from those who have configured this, and have it working.</P> <P>I'm trying to configure the SSL forward proxy feature, to decrypt web traffic.</P> <P>I can get this working no problems using a self signed certificate, but this is problematic for devices such as phones and tablets.&nbsp; I can certainly push the certificate to computers using group policy, but need to support visiting people with BYODs and also portable devices.</P> <P>I have purchased a certificate, from a public CA.</P> <P>However, when installing said certificate on the firewall, it sees it as "trusted" and says it's ok, but the option to use it as the forward trust certificate is greyed out. <BR />I've had a tac case and even tac don't seem to know why.</P> <P>They have suggested I make a combined certificate which includes the intermediate certificates from the CA, which I have done, and it made no difference.</P> <P>TAC can't seem to work out how to make this feature work, and neither can I. <BR />Is there anyone using a public CA signed certificate for this purpose? How did you make it work? <BR />TAC have assured me that the version of PanOS I am using does not have a bug, and it should just work.</P> <P>Please help.&nbsp; Thankyou in advance.</P> Sun, 05 Nov 2023 10:54:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ssl-forward-proxy-problems/m-p/564414#M2051 JDavis36 2023-11-05T10:54:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ssl-forward-proxy-problems/m-p/564417#M2052 <P>For SSL decrypt/encrypt you need a CA (certificate authority), a certificate does not suffice.</P> <P>With this CA the firewall signs a new certificate which has almost all parameters copied from the "original" web site certificate.</P> Sun, 05 Nov 2023 17:35:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ssl-forward-proxy-problems/m-p/564417#M2052 joergsch1 2023-11-05T17:35:15Z