https://live.paloaltonetworks.com/t5/prisma-access-discussions/please-tell-me-about-client-to-firewall-and-firewall-to-client/m-p/1233020#M1177 <P><SPAN>Attention: JAPAC TPM team</SPAN><BR /><SPAN>Hello Team,</SPAN></P> <P>&nbsp;</P> <P>Please tell me about Client to Firewall and Firewall to Client in the StrataCloudManager Firewall/Decryption log.</P> <P>My understanding of Client to Firewall and Firewall to Client is as follows.<BR />-Client to Firewall: TLS handshake information sent by the client (Client Hello, etc.)<BR />-Firewall to Client: TLS information responded by PrismaAccess (Server Hello, certificate, etc.)</P> <P>However, when I checked the log, the following was displayed.<BR />-Client to Firewall: Server_Hello<BR />-Firewall to Client: Client_Hello</P> <P>I think this is because PrismaAccess is acting as a proxy between the client and the server, but is this understanding correct?</P> <P>I would appreciate your advice.</P> Wed, 02 Jul 2025 09:08:09 GMT y.saitou 2025-07-02T09:08:09Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/please-tell-me-about-client-to-firewall-and-firewall-to-client/m-p/1233020#M1177 <P><SPAN>Attention: JAPAC TPM team</SPAN><BR /><SPAN>Hello Team,</SPAN></P> <P>&nbsp;</P> <P>Please tell me about Client to Firewall and Firewall to Client in the StrataCloudManager Firewall/Decryption log.</P> <P>My understanding of Client to Firewall and Firewall to Client is as follows.<BR />-Client to Firewall: TLS handshake information sent by the client (Client Hello, etc.)<BR />-Firewall to Client: TLS information responded by PrismaAccess (Server Hello, certificate, etc.)</P> <P>However, when I checked the log, the following was displayed.<BR />-Client to Firewall: Server_Hello<BR />-Firewall to Client: Client_Hello</P> <P>I think this is because PrismaAccess is acting as a proxy between the client and the server, but is this understanding correct?</P> <P>I would appreciate your advice.</P> Wed, 02 Jul 2025 09:08:09 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/please-tell-me-about-client-to-firewall-and-firewall-to-client/m-p/1233020#M1177 y.saitou 2025-07-02T09:08:09Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/please-tell-me-about-client-to-firewall-and-firewall-to-client/m-p/1233369#M1182 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/72491813">@y.saitou</a>&nbsp;, to answer your question,&nbsp; In Strata Cloud Manager's Firewall/Decryption logs, the labels Client to Firewall and Firewall to Client refer to the direction of traffic as seen by the firewall, not necessarily the original source or destination of the TLS messages. When SSL Forward Proxy is enabled (which is common in Prisma Access deployments), the firewall intercepts and decrypts outbound SSL traffic by acting as a man-in-the-middle proxy. Here's how that affects the TLS handshake: (Check the attached table)</P> <P>&nbsp;</P> <P><STRONG>So Why the Log Shows It Reversed</STRONG><BR /><STRONG>Client to Firewall:</STRONG> Server_Hello This is actually the Server Hello from the external server, received by the firewall after it initiated a second TLS handshake with the real destination.</P> <P><STRONG>Firewall to Client:</STRONG> Client_Hello This is the Client Hello initiated by the firewall toward the external server, acting as a client.</P> <P>So yes, your understanding is correct. The firewall is proxying both sides of the handshake, and the logs reflect the firewall’s perspective of each leg of the TLS session.</P> <P>I hope you find this helpful.</P> Sat, 05 Jul 2025 15:10:53 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/please-tell-me-about-client-to-firewall-and-firewall-to-client/m-p/1233369#M1182 Vickynet 2025-07-05T15:10:53Z