https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/608#M468 <HTML><HEAD></HEAD><BODY><P>This is because you did not configure the certifiate for decryption</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6051">Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode</A></P></BODY></HTML> Sun, 09 Feb 2014 11:22:58 GMT Retired Member 2014-02-09T11:22:58Z https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/607#M467 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>I'm just trying to configure decryption. because I'm facing Issue while blocking applications(not all the applications got blocked as the policy supposed to do).</P><P>First of all, I'm using Trusted CA, and here you are the steps I followed To generate MY certificate.</P><P>1.</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11476_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>2. then I uploaded that Certificate to the Trusted CA, and then I got a signed Certificate.</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11483_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11484_pastedImage_2.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>3. I configured a Decryption Profile as below.</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>4. then I created the decryption policies as below</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11487_pastedImage_5.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>but finally while I'm trying to commit the Configuration I got the error&nbsp; <SPAN class="commit_details"> <SPAN style="color: #ff0000;">vsys1 decryption: forward decrypt trust cert is not configured</SPAN></SPAN></P><P><SPAN style="color: #ff0000;"><BR /></SPAN></P><P><SPAN style="color: #000000;">I don't know what's wrong with that, also does my configuration is correct, or I'm going the wrong direction.</SPAN></P><P><SPAN style="color: #ff0000;"><BR /></SPAN></P><P>Regards,</P><P>Maher</P><P><SPAN class="commit_details"><BR /></SPAN></P></BODY></HTML> Sun, 09 Feb 2014 10:51:21 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/607#M467 homicidedart 2014-02-09T10:51:21Z https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/608#M468 <HTML><HEAD></HEAD><BODY><P>This is because you did not configure the certifiate for decryption</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6051">Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode</A></P></BODY></HTML> Sun, 09 Feb 2014 11:22:58 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/608#M468 Retired Member 2014-02-09T11:22:58Z https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/609#M469 <HTML><HEAD></HEAD><BODY><P>That's because when I import the Signed Certificate, All the Check boxes are disabled, as attached in the photo</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11488_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Regards,</P><P>Maher</P></BODY></HTML> Sun, 09 Feb 2014 11:29:53 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/609#M469 homicidedart 2014-02-09T11:29:53Z https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/610#M470 <HTML><HEAD></HEAD><BODY><P>A certificate signed by CA can be used for</P><UL><LI>Captive Portal ("CP") pages</LI><LI>Response Pages</LI><LI>GlobalProtect ("GP") Portal</LI></UL><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4289">How to Install a Chained Certificate Signed by a Public CA</A></P><P></P><P>When using ssl decryption you cannot use a system that&nbsp; a client will not get a ssl warning (wihtout importing the certificate to the client).This is why ssl is safe.</P><P>if it is used for SSL decryption, it should be CA certificate.</P></BODY></HTML> Sun, 09 Feb 2014 12:14:21 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/610#M470 Retired Member 2014-02-09T12:14:21Z https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/611#M471 <HTML><HEAD></HEAD><BODY><P>Thanks panos for your kind help.</P><P></P><P>Regards,</P></BODY></HTML> Mon, 10 Feb 2014 15:12:44 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-policy-issue/m-p/611#M471 homicidedart 2014-02-10T15:12:44Z