https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000127#M122753 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1069418869">@N.MANTUA</a></P> <P>&nbsp;</P> <P>yes, this is correct understanding. Once Exchange server administrator renews certificate you will have to export that certificate from server and import it to Firewall to ensure inbound decryption works after server certificate renewal.</P> <P>&nbsp;</P> <P>Here is video tutorial for setup of inbound SSL decryption: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPGqCAO" target="_self">Video Tutorial: How to Configure SSL Inbound Inspection on the Palo Alto Networks Firewall</A>.&nbsp;</P> <P>&nbsp;</P> <P>After you have certificate imported in Firewall you can easily replace certificate by selecting it from drop down list under: Options &gt; Certificate. Alternatively if you can have certificate in advance you can pre-prepare by cloning existing decryption policy and use new certificate, then you can position the policy below existing one and flip the order after server admin renews certificate.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Mon, 06 Jan 2025 00:54:55 GMT PavelK 2025-01-06T00:54:55Z https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/999620#M122649 <P>Hello, newbie here. One of our clients asked me:&nbsp;</P> <P>&nbsp;</P> <P>"We have an exchange server<SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">&nbsp;which is on site.&nbsp; We need to renew the ssl certificate, I was told that if the Palo Alto firewall performs deep packet inspection, we need to supply the ssl certificate to the firewall.</SPAN></SPAN></P> <P>if it is so, we need to coordinate with my local admin to install the ssl certificate on the server and you will need to do your setup on the firewall, we need to plan a meeting..."</P> <P>&nbsp;</P> <P>As I read the SSL Inbound Inspection document, the client is right.</P> <P>&nbsp;</P> <P>May I know the thoughts of those who actually configured a Deep Packet Inspection on their Palo Alto firewall?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 26 Dec 2024 13:33:13 GMT https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/999620#M122649 N.MANTUA 2024-12-26T13:33:13Z https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/999769#M122665 <P>Hello,</P> <P>I would first check to see if its enabled for that traffic. Go to&nbsp; Policies on the Top menu then Decryption on the Left Menu. Check here to see if inbound inspection is enabled. It would be something like Source Zone Untrust, Destination zone Trust. Could also be listed by IP address or Object name of the Exchange server.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_1-1735323479134.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/64965iD56D0778F3174DF4/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_1-1735323479134.png" alt="OtakarKlier_1-1735323479134.png" /></span></P> <P>&nbsp;</P> <P>Hope this helps.</P> Fri, 27 Dec 2024 18:18:10 GMT https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/999769#M122665 OtakarKlier 2024-12-27T18:18:10Z https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000127#M122753 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1069418869">@N.MANTUA</a></P> <P>&nbsp;</P> <P>yes, this is correct understanding. Once Exchange server administrator renews certificate you will have to export that certificate from server and import it to Firewall to ensure inbound decryption works after server certificate renewal.</P> <P>&nbsp;</P> <P>Here is video tutorial for setup of inbound SSL decryption: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPGqCAO" target="_self">Video Tutorial: How to Configure SSL Inbound Inspection on the Palo Alto Networks Firewall</A>.&nbsp;</P> <P>&nbsp;</P> <P>After you have certificate imported in Firewall you can easily replace certificate by selecting it from drop down list under: Options &gt; Certificate. Alternatively if you can have certificate in advance you can pre-prepare by cloning existing decryption policy and use new certificate, then you can position the policy below existing one and flip the order after server admin renews certificate.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Mon, 06 Jan 2025 00:54:55 GMT https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000127#M122753 PavelK 2025-01-06T00:54:55Z https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000188#M122761 <P>Thanks a lot!</P> Mon, 06 Jan 2025 17:36:39 GMT https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000188#M122761 N.MANTUA 2025-01-06T17:36:39Z https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000189#M122762 <P>Thanks for the advice. That's a good place to check.</P> Mon, 06 Jan 2025 17:40:39 GMT https://live.paloaltonetworks.com/t5/general-topics/deep-packet-inspection-and-ssl-certificate/m-p/1000189#M122762 N.MANTUA 2025-01-06T17:40:39Z