https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323613#M82671 <P>Hi Everyone,</P><P>&nbsp;</P><P>Learned something new from you today.</P><P>We are going to enable SSL decryption for Inbound traffic coming from Internet to our web servers.</P><P>Need to know when does PA intercept the traffic coming form Internet &nbsp;to the web server which is hosting the website?</P><P>&nbsp;</P><P>During 3 way TCP handshake or when first Data packet comes?</P><P>&nbsp;</P><P>Regards</P><P>MP</P><P>&nbsp;</P> Sun, 19 Apr 2020 05:56:35 GMT MP18 2020-04-19T05:56:35Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323613#M82671 <P>Hi Everyone,</P><P>&nbsp;</P><P>Learned something new from you today.</P><P>We are going to enable SSL decryption for Inbound traffic coming from Internet to our web servers.</P><P>Need to know when does PA intercept the traffic coming form Internet &nbsp;to the web server which is hosting the website?</P><P>&nbsp;</P><P>During 3 way TCP handshake or when first Data packet comes?</P><P>&nbsp;</P><P>Regards</P><P>MP</P><P>&nbsp;</P> Sun, 19 Apr 2020 05:56:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323613#M82671 MP18 2020-04-19T05:56:35Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323632#M82679 <P>This is one of my favorite questions, because the answer is truly that it depends on the type of connection.</P><P>&nbsp;</P><P>For RSA keys, the firewall is able to inspect the traffic without terminating the connection. As the connection crosses the firewall it's going to make a copy of the session and decrypt it so the firewall can apply the appropriate policy to the traffic.&nbsp;</P><P>&nbsp;</P><P>For PFS keys using DHE or ECDHE, the firewall has to proxy the connection between the client and the server. Due to the way the key is generated, we can't transparently sit in that connection even with the certificate and the private key installed. So the firewall is going to create a connection from the client to the firewall, and the firewall to the server to proxy that connection.&nbsp;</P> Sun, 19 Apr 2020 05:31:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323632#M82679 BPry 2020-04-19T05:31:13Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323638#M82681 <P>&nbsp;</P><P>Hi Bpry,</P><P>&nbsp;</P><P>If the Connection is using RSA keys then we should not see checked decrypted flag under traffic logs right?</P><P>And when the connection is using DHE we should see decrypted flag checked under the traffic logs right?</P><P>&nbsp;</P><P>So this way we can see if connection is RSA or DHE right?</P><P>&nbsp;</P><P>Regards</P><P>MP</P> Sun, 19 Apr 2020 05:54:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323638#M82681 MP18 2020-04-19T05:54:03Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323857#M82724 <P>Also i tested this on port 443 it&nbsp; always shows traffic as decrypted.</P><P>is this default behaviour?</P><P>&nbsp;</P><P>How can i check if client is using RSA ?</P><P>doing pcap on the PA</P> Mon, 20 Apr 2020 16:38:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-pa/m-p/323857#M82724 MP18 2020-04-20T16:38:18Z