https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/516580#M107278 <P>Hello,</P> <P>&nbsp;</P> <P>Did you try or test for inbound decryption, I suggest you should try.</P> <P>&nbsp;</P> <P>1- import password protected pkcs12 file (sertificate+key) to Firewall</P> <P>Device&gt;Certificate</P> <P>2-Create Certificate decrytpion profile</P> <P>Objects&gt;Decryption&gt;Decryption Profile</P> <P>3-Create related Decryption policy</P> <P>Policy&gt;Decryption&gt;Add</P> <P>Source zone internet zone</P> <P>Source ip any</P> <P>Source user any</P> <P>Destinatination zone (İf Static-NAT rule is bi-directional) inner zone of ip</P> <P>Destinatination ip real ip address which you assingned for static NAT</P> <P>&nbsp;</P> <P>*Before taking this action for testing you config, you can assing your test real internet access ip address as source ip so you can see result without service outage.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 03 Oct 2022 06:19:03 GMT upelister 2022-10-03T06:19:03Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/512443#M107020 <P>We want to apply inbound SSL inspection and our certificate from Digitcert and based on this document <BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0</A><BR />there is a note says "Because SSL certificate providers such as Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption." <BR />Now can we apply the inbound SSL inspection and if it's not is there any workaroud</P> Sun, 21 Aug 2022 07:00:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/512443#M107020 Saleh-Alfurayh 2022-08-21T07:00:48Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/516580#M107278 <P>Hello,</P> <P>&nbsp;</P> <P>Did you try or test for inbound decryption, I suggest you should try.</P> <P>&nbsp;</P> <P>1- import password protected pkcs12 file (sertificate+key) to Firewall</P> <P>Device&gt;Certificate</P> <P>2-Create Certificate decrytpion profile</P> <P>Objects&gt;Decryption&gt;Decryption Profile</P> <P>3-Create related Decryption policy</P> <P>Policy&gt;Decryption&gt;Add</P> <P>Source zone internet zone</P> <P>Source ip any</P> <P>Source user any</P> <P>Destinatination zone (İf Static-NAT rule is bi-directional) inner zone of ip</P> <P>Destinatination ip real ip address which you assingned for static NAT</P> <P>&nbsp;</P> <P>*Before taking this action for testing you config, you can assing your test real internet access ip address as source ip so you can see result without service outage.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 03 Oct 2022 06:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/516580#M107278 upelister 2022-10-03T06:19:03Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/538217#M110521 <P>Hi,</P> <P>&nbsp;</P> <P>i have already tried this. i've managed to get SSL inspection working with a test server. i followed the same setup for our production environment but it doesn't work. It's not an issue with the certificates or keys, as i've tried them on the test server and they worked fine.</P> <P>&nbsp;</P> <P>Upon further checking, i noticed that the client doesn't get a "Server Hello" back from the server, which may explain why the connection attempt seems to just hang.</P> <P>&nbsp;</P> <P>There are no reported errors in the Decryption log, and there's no traffic logged between the two after it's been decrypted. Am pretty sure my security policies are OK -- everything works every time i disable the decryption policy.</P> <P>Any suggestions on what to check? Are there any specific settings needed on the web server(IIS)? Thanks</P> <P>&nbsp;</P> Tue, 11 Apr 2023 08:58:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection/m-p/538217#M110521 itassetbenilde 2023-04-11T08:58:24Z