https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32422#M23757 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>the vulnerability protection is a really nice feature of the PA.If the PA is able to take a look at the traffic</P><P>this should work fine.</P><P></P><P>But how does it work if the webserver in the dmz only accepts https connections ? So the possible attacker connects with https to the webserver.</P><P>I guess i need to terminate the ssl tunnel at the pa to be able to use the vulnerability protection in this case ?</P><P></P><P>Many thanks,</P><P>Christian </P></BODY></HTML> Thu, 24 May 2012 14:25:22 GMT cfpa 2012-05-24T14:25:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32422#M23757 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>the vulnerability protection is a really nice feature of the PA.If the PA is able to take a look at the traffic</P><P>this should work fine.</P><P></P><P>But how does it work if the webserver in the dmz only accepts https connections ? So the possible attacker connects with https to the webserver.</P><P>I guess i need to terminate the ssl tunnel at the pa to be able to use the vulnerability protection in this case ?</P><P></P><P>Many thanks,</P><P>Christian </P></BODY></HTML> Thu, 24 May 2012 14:25:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32422#M23757 cfpa 2012-05-24T14:25:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32423#M23758 <HTML><HEAD></HEAD><BODY><P>Yes, you need to enable SSL termination in your PA device in order to inspect the encrypted https traffic.</P><P></P><P>SSL termination can work in (currently) two modes:</P><P></P><P>SSL-proxy or SSL-intercept (if I remember correctly).</P><P></P><P>SSL-proxy is mostly used when you have a bunch of clients you wish to protect (like against bad things at Internet). The clients will then have the cert the PA will use for termination as a trusted CA and accept that the https is made up by the PA instead of the real server.</P><P></P><P>SSL-proxy will setup one SSL session from PA to destination and one SSL from PA to client.</P><P></P><P>SSL-intercept is mostly used when you have one (or more) servers which you wish to protect against (for example) bad things from Internet. In this case you have the private key of the server and can import this to your PA device.</P><P></P><P>SSL-intercept will then be able to sniff the traffic but the client will have its session directly with the server.</P></BODY></HTML> Thu, 24 May 2012 18:50:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32423#M23758 mikand 2012-05-24T18:50:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32424#M23759 <HTML><HEAD></HEAD><BODY><P>the name is "SSL Inbound Inspection" <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> ..many thanks for your hints which directed me in this direction ! </P></BODY></HTML> Fri, 25 May 2012 12:06:13 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32424#M23759 cfpa 2012-05-25T12:06:13Z https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32425#M23760 <HTML><HEAD></HEAD><BODY><P>I am wanting to do this.&nbsp; So I assume I upload certs and keys for our web servers to the FW.&nbsp; What do you do if there is an intermediate cert for those certs.&nbsp; Do you upload that as well? Thanks.</P></BODY></HTML> Thu, 05 Jul 2012 23:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32425#M23760 cmateam 2012-07-05T23:03:42Z https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32426#M23761 <HTML><HEAD></HEAD><BODY><P>I dont think you need to upload the intermediate or CA certs because they are only used to verify the ssl. The PA doesnt verify the ssl when you do ssl inbound inspection - it will just sit there and sniff the ssl traffic and decrypt it using the serverkey.</P></BODY></HTML> Fri, 06 Jul 2012 12:12:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-protect-an-https-webserver-in-the-dmz-with-vulnerability/m-p/32426#M23761 mikand 2012-07-06T12:12:05Z