<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forward Proxy &amp; SSL Inbound Inspection Certificate Comparison in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forward-proxy-amp-ssl-inbound-inspection-certificate-comparasion/m-p/996225#M5132</link>
    <description>&lt;P&gt;1. For outbound proxy, the certificate needs to be a CA and have the private key. For inbound inline inspection, you need to have the server certificate associated with the web service running on the server. You only need to have the key; this does not need to be a CA certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Do NOT use the same certificate for trusted and untrusted. The trusted one needs to be imported on the client so it trusts the signing CA certificate. The untrust must not be imported, so the user gets a certificate error (it's untrusted because the upstream certificate is untrusted; this needs to be apparent to the user as well, as they would otherwise have the false impression this site is safe).&lt;/P&gt;</description>
    <pubDate>Tue, 03 Dec 2024 13:18:37 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2024-12-03T13:18:37Z</dc:date>
    <item>
      <title>Forward Proxy &amp; SSL Inbound Inspection Certificate Comparison</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forward-proxy-amp-ssl-inbound-inspection-certificate-comparasion/m-p/995987#M5121</link>
      <description>&lt;P&gt;Hello,&lt;BR /&gt;&lt;BR /&gt;1- Should the CA and Keys checkboxes in the Certificates section of the Palo Alto Firewall always be selected? Respectively, should the certificates used for Forward Proxy and SSL Inbound Inspection always have CA selected and Keys imported?&lt;BR /&gt;&lt;BR /&gt;2- We use just one self-signed certificate for Forward Trust and Untrust proxy. So we need to import this certificate as a Trusted CA on the client computer. My question: how will the client then understand when a website is untrusted? (The reason for my question is that we are using the same self-signed certificate for both options.)&lt;BR /&gt;&lt;BR /&gt;Best Regards&lt;/P&gt;</description>
      <pubDate>Mon, 02 Dec 2024 13:54:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forward-proxy-amp-ssl-inbound-inspection-certificate-comparasion/m-p/995987#M5121</guid>
      <dc:creator>f.kuecuek</dc:creator>
      <dc:date>2024-12-02T13:54:50Z</dc:date>
    </item>
    <item>
      <title>Re: Forward Proxy &amp; SSL Inbound Inspection Certificate Comparison</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forward-proxy-amp-ssl-inbound-inspection-certificate-comparasion/m-p/996225#M5132</link>
      <description>&lt;P&gt;1. For outbound proxy, the certificate needs to be a CA and have the private key. For inbound inline inspection, you need to have the server certificate associated with the web service running on the server. You only need to have the key; this does not need to be a CA certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Do NOT use the same certificate for trusted and untrusted. The trusted one needs to be imported on the client so it trusts the signing CA certificate. The untrust must not be imported, so the user gets a certificate error (it's untrusted because the upstream certificate is untrusted; this needs to be apparent to the user as well, as they would otherwise have the false impression this site is safe).&lt;/P&gt;</description>
      <pubDate>Tue, 03 Dec 2024 13:18:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forward-proxy-amp-ssl-inbound-inspection-certificate-comparasion/m-p/996225#M5132</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-12-03T13:18:37Z</dc:date>
    </item>
  </channel>
</rss>

