topic Re: SSL decryption in forwarding proxy and a Web proxy after paloalto firewall in General Topics

SSL decryption in forwarding proxy and a Web proxy after paloalto firewall

Gianpiero — Mon, 14 Oct 2019 13:34:57 GMT

Hi all,

i have a PA firewall used for internet navigation and a transparent proxy for Web navigation.

I have enabled ssl decryption for a specific URL category that i have set in url profile in block-continue.

If i set my PDL browser with the proxy i didn't recive the response page and the connection goes in timeout. If i remove proxy from pdl it works fine.

I set a pcap filter(with paloalto engeener) and we notice that in the different stage:

firewall: the connection goes well and a RST,ACK at the end of session
transmit: the connection goes wrong and a FIN was send from pdl to proxy
receive: the connection goes well and a RST,ACK at the end of session
drop: no drop

We have squid as proxy but i didn't find any guide or configuration for this issue. Do you have some ideas:D

Thanks a lot

Gianpiero

Re: SSL decryption in forwarding proxy and a Web proxy after paloalto firewall

S.Cantwell — Tue, 15 Oct 2019 18:10:04 GMT

Well, I think I may have some questions and maybe some answers... 😛

I am not familar with a PDL browser... maybe you could help with that question.

In order for SSL Forward Proxy to work correctly (based on my understanding as instructor), the public cert from the Internet (facebook, bankofamerica, etc) needs to be seen by the outside interface of the FW.

I have some sneaky suspicion that the web proxy that you have in front of the FW is causing issue.

Which then asks another question.. if you have PAN-DB, why the need for a Web Proxy, when the firewall can be used to allow/disallow web site traffic, based on URL category.

Maybe you could provide some additional details to help us out. (but step 1... try without the web proxy, if possible... just trying to remove obvious pieces that may causing errors/breakage of traffic)