topic SSL decryption on PA incase the SSL termintated on WAF in General Topics

SSL decryption on PA incase the SSL termintated on WAF

msalhi — Sat, 04 Jul 2020 02:03:50 GMT

We have a website hosted behind WAF and Firewall (Palo Alto). The WAF already has the server valid SSL Certificate from public CA. Do we need to install SSL certificate (decryption ) on PA Firewall also for inbound traffic to make it more secure ?

Re: SSL decryption on PA incase the SSL termintated on WAF

MP18 — Sat, 04 Jul 2020 04:40:34 GMT

@msalhi

If you want to do Inbound SSL decryption for traffic coming from Internet to the server then yes you need to Import the certificate to the

PA with its private keys for SSL decryption to work.

Then you need Decryption policy on the PA for traffic coming from Internet to the server Public IP address.

Regards

Re: SSL decryption on PA incase the SSL termintated on WAF

msalhi — Sat, 04 Jul 2020 09:02:46 GMT

Thank you for your answer , i'm asking if it will be more secure if we install same ssl certificate on PA and WAF for inbound traffic destined to published server .

Re: SSL decryption on PA incase the SSL termintated on WAF

BPry — Sat, 04 Jul 2020 12:54:29 GMT

@msalhi,

If you aren't attempting to decrypt the traffic as described by @MP18, there would be no reason to install the certificate on the PAN firewalls. You only need the certificate installed on the PAN if you were doing inbound decryption.