topic Re: Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode in General Topics

Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

Alex10411 — Wed, 21 Aug 2019 18:41:23 GMT

Hello

i have read the articles regarding the types of ssl decryption:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/ssl-forward-proxy

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection.html

However, i still dont really understand 'how' to choose decryption mode in our network, whether its inbound or outbound isnt really a criteria. I mean, practically , whats the difference of impact ? What reasons you would have to use one instead of the other?

Re: Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

S.Cantwell — Wed, 21 Aug 2019 18:53:08 GMT

Hello!

SSL Fwd Proxy is when the FW intercepts SSL traffic between client browser and internet server, substituting a self-signed or internal CA cert, so that the FW can decrypt traffic between client and server, as the traffic EGRESSES the FW.

Inbound Inspection, is when you have public CA signed certs and external users need to come INGRESS to your FW (think traffic your DMZ zone as example). Your DMZ servers already have public certs, to support SSL sessions. If you take the public/private key from your internal DMZ server and import into the FW, there is no need for the FW to proxy the connection. The FW uses the same cert to decrypt inbound traffic to your network.

So..

SSL Fwd proxy is decrypting EGRESS traffic, using a self signed or internal CA cert. From internal client to public Internet.

Inbound Inspection is decrypting INGRESS traffic, using public cert. From public client to internal server.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

Re: Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

Alex10411 — Thu, 22 Aug 2019 17:34:29 GMT

Hello, i kind of understand. However, when you try to implement an inspection and you, as a engineer, only have the details of the flow but no idea if its ingress or egress , for example from one DMZ to another? Will you distinguish the type , from what certificate you will be provided (if any)?

Re: Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

S.Cantwell — Thu, 22 Aug 2019 19:12:29 GMT

I would definitely suggest you read the docs on setting up Decryption.

Very brief:

Creating a self signed cert on FW allow the cert to be used for SSL Forward proxy (or EGRESS), because the FW will be intercepting someone's ssl traffic to Facebook (or any other public web server). When the web server from the Internet sends back the publicly signed cert, the FW will substitute the self-signed on, and forward to the user.

Now the FW can see traffic from client to FW (make sure no malware/virus, etc in the payload) and then send the traffic to the Internet.

With Inbound Inspection, you take the cert from your DMZ, put it on your FW. Now, when someone from the Internet comes inbound to your DMZ, you have a different cert (that you loaded from your DMZ server onto the FW) and now the FW will intercept the traffic from the Internet (make sure no malware/virus in the payment) and then send into your DMZ.

You will create policies based on SSL Forward Proxy (self signed cert) vs Inbound Inspection (public cert from DMZ).

Again, just a very simple example, so read docs, view Youtube videos, etc..

Let me knnow what other questions you may have.

Steve

Re: Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

Alex10411 — Fri, 23 Aug 2019 16:39:48 GMT

Thanks once more. So if understood correctly, would use forward proxy when i want to decrypt traffic to the 'outside', like internet and inbound decryption would be towards internal servers? Almost like when we do ssl offload (although with re-encryption and fw not becoming the ssl termination point).