<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic What problems or vulnerabilities does this present? in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/what-problems-or-vulnerabilities-does-this-present/m-p/531616#M920</link>
    <description>&lt;P&gt;&lt;STRONG&gt;IMPORTANT NOTE&lt;/STRONG&gt;&lt;SPAN&gt;: Never set both checkboxes "Forward Trust Certificate" and "Forward Untrust Certificate" in the same certificate, and do not have the "Forward Untrust Certificate" deployed under a trusted certificate chain. If you do this, it&amp;nbsp;will cause the firewall to present client devices with a CA certificate they trust, even when they&amp;nbsp;connect&amp;nbsp;to&amp;nbsp;websites or applications&amp;nbsp;that are presenting with invalid certificates to the firewall.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;My SSL inspection cert is selected forward trust, forward untrust, and trusted root CA...&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I am using an MS CA setup. &lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 17 Feb 2023 20:40:56 GMT</pubDate>
    <dc:creator>Stevenjw0728</dc:creator>
    <dc:date>2023-02-17T20:40:56Z</dc:date>
    <item>
      <title>What problems or vulnerabilities does this present?</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/what-problems-or-vulnerabilities-does-this-present/m-p/531616#M920</link>
      <description>&lt;P&gt;&lt;STRONG&gt;IMPORTANT NOTE&lt;/STRONG&gt;&lt;SPAN&gt;: Never set both checkboxes "Forward Trust Certificate" and "Forward Untrust Certificate" in the same certificate, and do not have the "Forward Untrust Certificate" deployed under a trusted certificate chain. If you do this, it&amp;nbsp;will cause the firewall to present client devices with a CA certificate they trust, even when they&amp;nbsp;connect&amp;nbsp;to&amp;nbsp;websites or applications&amp;nbsp;that are presenting with invalid certificates to the firewall.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;My SSL inspection cert is selected forward trust, forward untrust, and trusted root CA...&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I am using an MS CA setup. &lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Feb 2023 20:40:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/what-problems-or-vulnerabilities-does-this-present/m-p/531616#M920</guid>
      <dc:creator>Stevenjw0728</dc:creator>
      <dc:date>2023-02-17T20:40:56Z</dc:date>
    </item>
    <item>
      <title>Re: What problems or vulnerabilities does this present?</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/what-problems-or-vulnerabilities-does-this-present/m-p/531635#M921</link>
      <description>&lt;P&gt;This is all really about preserving the untrusted state of an invalid internet certificate when you have SSL decryption in the PA and passed that connection to an internal client.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When you decrypt a public site with a valid SSL certificate on the PA, you intercept the SSL connection, decrypt the data, and then re-sign the connection to the internal client with your own internally trusted certificate (either a self-signed certificate, or an internal CA-signed certificate, that you have distributed to your clients). The client sees the HTTPS connection as secure because the connection is signed by a certificate it trusts (the PA). This is the "Forward Trust Certificate" setting.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, when your client is connecting to an internet site that has an invalid certificate for whatever reason (is invalid for the host, fraudulent, self-signed, etc.), you want to preserve that invalid state so the client browser warns the end user. If you were to SSL decrypt and re-sign the connection with your trusted PA certificate, then the client will trust the public site even though it has an untrusted internet certificate. Therefore, you want to create a second untrusted certificate on the PA (which is not internally signed or distributed to the clients) and use that certificate to re-sign the untrusted internet connections - associated to the "Forward Untrust Certificate". That way the client sees an untrusted certificate in the connection and warns the end user.&lt;/P&gt;</description>
      <pubDate>Sat, 18 Feb 2023 00:13:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/what-problems-or-vulnerabilities-does-this-present/m-p/531635#M921</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2023-02-18T00:13:41Z</dc:date>
    </item>
  </channel>
</rss>