<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How does a PA know which forward trust certificate to use for a given decryption profile/policy in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/421108#M1245</link>
    <description>&lt;P&gt;The decryption certificate is global; you cannot choose one per decryption profile. Whatever certificate you mark for Forward Trust will be used for SSL Forward Proxy when the firewall verifies that the root CA that signed the server certificate is in the Trusted Root CA list, or present as a Trusted Root CA in the certificate store. If the firewall cannot find it, it will instead use the certificate marked as the Forward Untrust Certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;By the way, it is a BAD IDEA to mark both Forward Trust and Forward Untrust on the same certificate, because you will push this certificate to workstations as a certificate that your devices should trust. That means that if the firewall finds a server certificate that is not trusted, it will present the device with a certificate it trusts, and therefore make it seem to the end user that anything out on the internet is trusted, even when they browse to websites or use applications that present invalid SSL certificates.&lt;/P&gt;</description>
    <pubDate>Wed, 21 Jul 2021 16:59:43 GMT</pubDate>
    <dc:creator>mivaldi</dc:creator>
    <dc:date>2021-07-21T16:59:43Z</dc:date>
    <item>
      <title>How does a PA know which forward trust certificate to use for a given decryption profile/policy</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/420347#M1239</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a Palo Alto 8.1.18 firewall that is already configured with an SSL Forward Proxy setup for a current set of traffic.&amp;nbsp; There is only one signed certificate that is configured as the Forward Trust and Forward Untrust certificate (odd, I know); let's call it cert X.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a new set of traffic that requires SSL Forward Proxy treatment.&amp;nbsp; Does the PA only allow the use of one Forward Trust/Untrust certificate, or can multiple certs be used?&amp;nbsp; If so, how does the PA know which certificate to call upon, as I see no reference to a cert in the decryption profile? Does it cycle through, say, cert X, cert Y and cert Z until one matches?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Struggling to find anything useful on the PA site, so advice is greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Mon, 19 Jul 2021 14:46:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/420347#M1239</guid>
      <dc:creator>GrantCampbell4</dc:creator>
      <dc:date>2021-07-19T14:46:56Z</dc:date>
    </item>
    <item>
      <title>Re: How does a PA know which forward trust certificate to use for a given decryption profile/policy</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/421108#M1245</link>
      <description>&lt;P&gt;The decryption certificate is global; you cannot choose one per decryption profile. Whatever certificate you mark for Forward Trust will be used for SSL Forward Proxy when the firewall verifies that the root CA that signed the server certificate is in the Trusted Root CA list, or present as a Trusted Root CA in the certificate store. If the firewall cannot find it, it will instead use the certificate marked as the Forward Untrust Certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;By the way, it is a BAD IDEA to mark both Forward Trust and Forward Untrust on the same certificate, because you will push this certificate to workstations as a certificate that your devices should trust. That means that if the firewall finds a server certificate that is not trusted, it will present the device with a certificate it trusts, and therefore make it seem to the end user that anything out on the internet is trusted, even when they browse to websites or use applications that present invalid SSL certificates.&lt;/P&gt;</description>
      <pubDate>Wed, 21 Jul 2021 16:59:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/421108#M1245</guid>
      <dc:creator>mivaldi</dc:creator>
      <dc:date>2021-07-21T16:59:43Z</dc:date>
    </item>
    <item>
      <title>Re: How does a PA know which forward trust certificate to use for a given decryption profile/policy</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/421222#M1248</link>
      <description>&lt;P&gt;Mivaldi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's great feedback, thank you.&amp;nbsp; That was my suspicion too, but there is little PA clarity in their documentation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I agree a single cert for both is not best practice, but we have inherited this as is.&amp;nbsp; Looking forward to putting it all right.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Thu, 22 Jul 2021 07:42:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-does-a-pa-know-which-forward-trust-certiticate-to-use-for-a/m-p/421222#M1248</guid>
      <dc:creator>GrantCampbell4</dc:creator>
      <dc:date>2021-07-22T07:42:53Z</dc:date>
    </item>
  </channel>
</rss>