https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201391#M59529 <P>Hello,</P><P>The decryption only happens within the PAN software and is not revealed. So in you scenario, it would look like the following:</P><P>&nbsp;</P><P>external client -&gt; SSL-&gt; PAN (decrypted and inspected) -&gt; SSL -&gt; Webserver</P><P>&nbsp;</P><P>So the only time its decrypted is so the PAN can inspect the traffic, i.e. within the device.</P><P>&nbsp;</P><P>Hope that makes sense,</P> Tue, 20 Feb 2018 17:08:34 GMT OtakarKlier 2018-02-20T17:08:34Z https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201211#M59492 <P>We are trying to implement SSL offload using proxy gor our hosted websites, so they can be inspected by firewalls. Management currently is more alligned to SSL offload by proxy rather than decryption by FW and it is working the way below. But with the cenario below they are also concerned about the password being revealed after SSL offload. How can i mitigate that. This is a typical web application scenario for us and is using web servers uing ldap/s.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 696px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13854iEE67E26304E55551/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 19 Feb 2018 21:47:20 GMT https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201211#M59492 raji_toor 2018-02-19T21:47:20Z https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201391#M59529 <P>Hello,</P><P>The decryption only happens within the PAN software and is not revealed. So in you scenario, it would look like the following:</P><P>&nbsp;</P><P>external client -&gt; SSL-&gt; PAN (decrypted and inspected) -&gt; SSL -&gt; Webserver</P><P>&nbsp;</P><P>So the only time its decrypted is so the PAN can inspect the traffic, i.e. within the device.</P><P>&nbsp;</P><P>Hope that makes sense,</P> Tue, 20 Feb 2018 17:08:34 GMT https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201391#M59529 OtakarKlier 2018-02-20T17:08:34Z https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201410#M59535 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;Management is more alligned to SSL offload by the proxy rather than decryption by firewall. Once traffic enters firewall it is encrypted, it then exits to reach proxy where it is&nbsp;decrypted and then enters back into firewall and then out to the server.</P> Tue, 20 Feb 2018 17:28:55 GMT https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201410#M59535 raji_toor 2018-02-20T17:28:55Z https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201413#M59537 <P>Maybe have a small subnet between the proxy and the server? That way its locked into that small area, like a DMZ.</P> Tue, 20 Feb 2018 17:41:35 GMT https://live.paloaltonetworks.com/t5/general-topics/design-suggestions/m-p/201413#M59537 OtakarKlier 2018-02-20T17:41:35Z