topic Re: SSL Forward Proxy Not Working in Next-Generation Firewall Discussions

SSL Forward Proxy Not Working

GWynn — Tue, 14 Nov 2023 11:10:18 GMT

Hello all, another problem on my road to learning! I have created a self-signed CA Cert on my Palo Alto firewall. Exported to my Windows 10 box, imported into root CA store etc. I have set the cert as a Forward Trust Certificate, created a decryption policy and even added a custom SSL-Decrypt profile/policy. The action is decrypt. I can browse facebook.com but the cert is still signed by DigiCert Inc and not my firewall. Any thoughts? I have a security policy which allows all traffic to Web as I can get to FB etc. Thanks,

Geoff

Re: SSL Forward Proxy Not Working

aleksandar.astardzhiev — Tue, 14 Nov 2023 13:14:43 GMT

Hi @GWynn,

Can you share your decryption rule? How it is configured?

Have you checked if the page you are testing is not listed in Device -> SSL Decryption Exclusions Palo Alto Networks Predefined Decryption Exclusions

Re: SSL Forward Proxy Not Working

GWynn — Tue, 14 Nov 2023 22:20:04 GMT

Morning @aleksandar.astardzhiev Facebook is not on that list but very interesting, thank- you! I am also using generic sites such as www.fast.com.

Here is my policy, thanks!

Re: SSL Forward Proxy Not Working

aleksandar.astardzhiev — Wed, 15 Nov 2023 11:28:22 GMT

Hi @GWynn ,

Is this virtual FW or physical?

Is it lab FW without active licenses?

Re: SSL Forward Proxy Not Working

GWynn — Wed, 15 Nov 2023 20:47:22 GMT

Hello, it is a virtual lab running on VMWorkstation I have active license for a week or so left!

Re: SSL Forward Proxy Not Working

GWynn — Wed, 15 Nov 2023 21:06:03 GMT

Do you need a license for Forward Proxy etc? Looks like the answer is no, I researched then same back to this question!

Re: SSL Forward Proxy Not Working

aleksandar.astardzhiev — Thu, 16 Nov 2023 09:31:28 GMT

Hi @GWynn ,

In general SSL decryption does not require separate subcription license. Howerver I had experiance when working with old PA-3020, where support license had expired and any traffic sent to Content-ID process for inspection was dropped with reason "resource-unavailable".

Your decryption rules find on first look, so it is hard to think your traffic is not matching it.

Have you look at some of these commands - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK

You may also try to check the global counters for session that should be decrypted but it is not:

1. Set a filter with source IP and destination port 443 - to capture any HTTPS traffic from your test machine

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

2. Before opening the page run the show counter command with delta to reset the counters:

> show counter global filter packet-filter yes delta yes

3. Open HTTPS page and reproduce the issue with page not being decrypted

4. Run show counters with delta gain and examine the output

> show counter global filter packet-filter yes delta yes

What is the output from the last show counters?

Re: SSL Forward Proxy Not Working

GWynn — Tue, 21 Nov 2023 11:06:10 GMT

Hello @aleksandar.astardzhiev Sorry for late reply. I have figured this out! Super easy and a tad embarrassing! The security rules were not setup properly so it simply was not been checked! Once I put the lan users in the lan zone, viola! it worked as expected. Thanks so much for your help I really appreciate it and those command are great too for future reference.

Regards - Geoff