topic Re: Forward traffic inspection in Palo alto in General Topics

Forward traffic inspection in Palo alto

Mohammed_Yasin — Mon, 29 Jun 2020 07:43:43 GMT

Palo Alto and Fortinet are configured as internet edge firewalls.

Dual layers FA Internet ---- Palo Alto ------- Fortigate -------- Trust zone.

Outbound traffic is SSL inspected by a Fortinet firewall and the firewall acts as a forward proxy. All users are using Fortigate certificates in browser-trusted location.

Palo alto is configured before FortiGate,

Now Palo alto further inspected the SSL traffic which is coming from Fortinet.

In the above case, what can we do to establish the trust from Palo to Forti? Or can I generate the CA certificate from Palo alto and install in Fortigate in this way traffic further inspected in Palo alto? Or do you need to configure SSL forward proxy and generate the intermediate certificate from Palo alto and install it in FortiGate?

Re: Forward traffic inspection in Palo alto

BPry — Tue, 30 Jun 2020 03:00:35 GMT

@Mohammed_Yasin,

Wait a minute, you're performing SSL inspection on both boxes? That would have a fairly noticeable performance hit, and you would have little to gain inspecting the traffic again on the Fortigate firewall when it's already being inspecting by your PAN firewalls. Statistics wise, you are inspecting that traffic with a product which is continuously rated higher for malicious traffic detection prior to sending it for additional inspection by an inferior signature engine.

You're going to need to install whatever certificate you are using on both firewalls, on both firewalls. The PAN is going to need to trust the Fortigate CA and the Fortigate is going to need to trust the PAN. In all honesty though, this isn't something I would even attempt to get to work. Pick one box to perform inspection on, and turn the other SSL Inspection engine off. I would personally recommend keeping decryption enabled on the PAN and disabling decryption on the Fortigate, but you should only have one enabled.

Re: Forward traffic inspection in Palo alto

Mohammed_Yasin — Tue, 30 Jun 2020 09:36:22 GMT

Thank you for your explanation and cooperation

My actual question,

The outbound traffic from the Inside to the internet (the end-user is using FortiGate certificates in browser-trusted location)
currently, Fortinet is doing the SSL Inspection and acts as a forward proxy for the user internet traffic.
Palo alto as a parameter firewall that acts as transparent for the Fortinet inspected Traffics (means current PA doesn’t Inspect the received traffic it’s just forward the received traffic from Fortinet firewall. )

My Expectation, as users, brings the Fortinet certificate to browse the trusted sites.

The Palo alto to inspect the SSL traffic too, whichever comes from Fortinet firewall,
That means users bring the Fortinet certificate from the trust LAN to browse the internet and the Fortinet firewalls perform the SSL Inspection as the first stage level, then it's forward to PA for SSL inspection as a second stage.

In short, I am looking for that, Palo alto to do the SSL inspection with the Fortinet certificate which is already inspecting by the Fortinet FW.

Please advise me... its achievable or its the right way to do inspection with box.

Re: Forward traffic inspection in Palo alto

OtakarKlier — Tue, 30 Jun 2020 18:40:09 GMT

Hello,

I have always been a big believer in keeping things simple. Yes your traffic will take a hit due to the two layers of decryption. However

there is no need with a properly configured Palo Alto to have another firewall inline. That said, the users machines are the ones that need to trust the certificates of the traffic that is being decrypted.

Regards,

Re: Forward traffic inspection in Palo alto

upelister — Wed, 01 Jul 2020 05:32:51 GMT

Hello,

Maybe, decryption broker option can be helpful.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-broker