topic Re: SSL Offloading for inbound connection in General Topics

SSL Offloading for inbound connection

ganees — Thu, 22 Feb 2018 17:58:08 GMT

We have few legacy internal applications listening on a various TCP ports. Now we have a requirement to connect to these applications from a cloud vendor externally. There is no option to setup a site-to-site IPSec VPN tunnel to the cloud so we need to expose this server to internet securly. Can Palo alto act as a proxy for inbound traffic hosting the CA cerificate for the internal applications, decrypt and and send the decrypted packet to the internal server? Any documentation with configuration steps?

Re: SSL Offloading for inbound connection

Remo — Thu, 22 Feb 2018 18:09:17 GMT

Hi @ganees

This does not sound like a job for paloalto. The better choice would be a reverse proxy like a Citrix Netscaler. Of course also an Apache or nginx webserver can be configured to do this job. Or a Kemp Loadmaster which (depending ond the bandwith you need) is also available for free: https://freeloadbalancer.com

Re: SSL Offloading for inbound connection

apackard — Thu, 22 Feb 2018 19:28:49 GMT

Not sure if the SSL Decryption Broker feature coming in PanOS 8.1 will allow this.

I'm intrigued to find out myself, especially if there is a simple load balancer feature in it.

Re: SSL Offloading for inbound connection

ganees — Thu, 22 Feb 2018 20:07:09 GMT

Thanks for your response. I thought the same but was curious if Palo can do it.

Re: SSL Offloading for inbound connection

Remo — Thu, 22 Feb 2018 20:33:19 GMT

The decryption broker feature is intended to share decrypted content with other appliances (e.g. for DLP). But the idea is to keep the content encrypted as it goes through the network and not to terminate the decryption and forward the connection unencrypted.
Edit: between the palo and the third party appliance the traffic is sent back ond forth in cleartext. But this does not change the fact that after the traffic gets back to the palo firewall it will be re-encrypted.