topic Re: Implementing SSL Forward Proxy in General Topics

Implementing SSL Forward Proxy

aaltamirano — Tue, 11 Aug 2020 20:47:35 GMT

I have a problem!!, I'm implementing SSL Forward Proxy, all the guides say I have to install the certificate in all the clients, isn't there an alternative to this? I have a lot of visitors and I shouldn't have to install a certificate.

I used to have pfSense and this made it transparent.

PanOS 9.1

Re: Implementing SSL Forward Proxy

jdelio — Tue, 11 Aug 2020 21:08:13 GMT

Installing a Certificate generated on the Palo Alto Networks device is a required step, otherwise the clients will get error messages when trying to browse out to the internet as the Firewall will be using that Certificate to re-encrypt the data, and if that certificate is not installed on the client machine, it will not work.

I cannot comment on how pfSense works.

Re: Implementing SSL Forward Proxy

GlennSJ — Tue, 11 Aug 2020 21:11:04 GMT

Active Directory and use the CA to issue subordinate CA that the firewall uses, all domain joined machines will trust it. Doesn't work for your guests, you'll have to have a portal for them to get the certificate so they will trust your firewall. Otherwise it looks like a man-in-the-middle attack to the end user machine.

Global Protect client (again you own or at least manage the machine) can also push a certificate to the local store.

Re: Implementing SSL Forward Proxy

jdelio — Tue, 11 Aug 2020 21:19:17 GMT

@GlennSJ

Very good point. You can use an Internal CA for that, as long as the firewall uses that Subordinate CA, then that should work without installing certificates on client machines.

Also about GP Client.. good one.

Re: Implementing SSL Forward Proxy

Remo — Wed, 12 Aug 2020 07:08:50 GMT

hi @aaltamirano

The installation of the certificate is required to avoid certificate warnings in the browsers. For visitors I know this could be complicated. But when you do require to decrypt also this traffic there is no way without this step. You could configure captive portal where you would write some information for the visitors about how to do this.

Also with pfsense, cryptographically there is no way to implement TLS decryption "transparently" without this step (except when you have the power of CIA, NSA or some other intelligence agency - but also if they do this with an official CA certificate I would assume they will get caught pretty fast).

For basic URL filtering you do not have to install the certificate on the clients as the firewall sees the domainname in cleartext in the TLS handshake when a client connects to a https website.