topic SSL decription between firewall and proxy in General Topics https://live.paloaltonetworks.com/t5/general-topics/ssl-decription-between-firewall-and-proxy/m-p/151120#M50086 <P>Hi Guys,</P><P>&nbsp;</P><P>We have a palo alto 3020 firewall in peremeter and websense proxy server in internet network acting a explicit proxy. So users are browsing internet through proxy server and the proxy will forward the traffic to internet via PA firwall.</P><P>&nbsp;</P><P>We need have following requirment.</P><P>&nbsp;</P><P>* Enable ssl decrption in PA firewall and inspect any traffic coming from websense to inspect and if required to send suspicias trafic to wildfire cloud</P><P>* enable SSL decryption in websense and between clients.</P><P>&nbsp;</P><P>so in two locations the traffic will be decrypted for insplection.</P><P>&nbsp;</P><P>In the above scenario. Clients will have self signed certificate of websense. So websense will inspect traffic coming from clients.</P><P>&nbsp;</P><P>So.. how to configure PA firewall for ssl decryption? is it similar to client to firewall decryption where we generate a self signed certificate and export it to websense. so firewall will act as MITM.?</P><P>&nbsp;</P><P>NEED your adivce on above setup?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Irshad</P> Tue, 04 Apr 2017 20:08:54 GMT irshad.n 2017-04-04T20:08:54Z SSL decription between firewall and proxy https://live.paloaltonetworks.com/t5/general-topics/ssl-decription-between-firewall-and-proxy/m-p/151120#M50086 <P>Hi Guys,</P><P>&nbsp;</P><P>We have a palo alto 3020 firewall in peremeter and websense proxy server in internet network acting a explicit proxy. So users are browsing internet through proxy server and the proxy will forward the traffic to internet via PA firwall.</P><P>&nbsp;</P><P>We need have following requirment.</P><P>&nbsp;</P><P>* Enable ssl decrption in PA firewall and inspect any traffic coming from websense to inspect and if required to send suspicias trafic to wildfire cloud</P><P>* enable SSL decryption in websense and between clients.</P><P>&nbsp;</P><P>so in two locations the traffic will be decrypted for insplection.</P><P>&nbsp;</P><P>In the above scenario. Clients will have self signed certificate of websense. So websense will inspect traffic coming from clients.</P><P>&nbsp;</P><P>So.. how to configure PA firewall for ssl decryption? is it similar to client to firewall decryption where we generate a self signed certificate and export it to websense. so firewall will act as MITM.?</P><P>&nbsp;</P><P>NEED your adivce on above setup?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Irshad</P> Tue, 04 Apr 2017 20:08:54 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decription-between-firewall-and-proxy/m-p/151120#M50086 irshad.n 2017-04-04T20:08:54Z Re: SSL decription between firewall and proxy https://live.paloaltonetworks.com/t5/general-topics/ssl-decription-between-firewall-and-proxy/m-p/151148#M50091 <P>essentially, yes. assuming you don't have an enterprise CA (which I'm guessing you don't, given that you're using a self-signed on the proxy).</P><P>&nbsp;</P><P>what you may/should be able to do is export the private/public key of the cert on the proxy and import and use it as your forward trust certificate on the PA. that way you don't need to retrain any clients to trust the PA cert.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719</A></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Apr 2017 22:10:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decription-between-firewall-and-proxy/m-p/151148#M50091 bradk14 2017-04-04T22:10:30Z