Decryption with Wildcard SSL-certificate?

Reply
Highlighted
L2 Linker

Decryption with Wildcard SSL-certificate?

Does Palo Alto support decryption with Wildcard SSL-cert?

Ref.:
In order to determine if a connection needs to be decrypted or not, the firewall relies on the (CN) common name configured within the certificate and compares that to the security policy. ( https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Rules-Not-Matching-FQDN/ta-p... )

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

Inbound or outbound decryption?

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

Hi, for outbound decryption

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

is it possible to tell me the url? and which one do you want to decrypt or not to decrypt?

 

short answer: it will decrpyt. but if you want to exclude a specific host / subdomain, there could be a problem. you also need to look at the decryption rule.

L7 Applicator

Re: Decryption with Wildcard SSL-certificate?

@pivvre

The firewall does not only rely on the CM in order to decide if the connection needs to be decrypted. In most connections (everything from a browser that is not older than about 4 years) the TLS handshake client hello packet contains the Server Name Indicator extension. In this field the client specifies the required FQDN and this is also checked by the firewall. So even the server has a wildcard cert the exclusion can normally still be configured with the FQDN - if the client sends a handshake packet WITH this extension.

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

There are no external URL, this is between two internal zones.
Problem is we are not able to decrypt the traffic using our own wildcard SSL-certificate..

L7 Applicator

Re: Decryption with Wildcard SSL-certificate?

@pivvre

If you try to use a wildcard cert AS decryption cert -> this is not gonna work. You need to either configure a CA certificate or use inbound decryption if you are only talking about one or a few servers.

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

@pivvre

ok maybe i dont get it. you talking about outbound decryption, but between two internal zones?

can you tell me where is the wildcard certificate installed? on the server you which to connect to, right?

if so, this normally could be possible to decrypt if:

- you have an ca certifiacte installed and checked it under certificates as your trusted forward certificate (as vsys_remo mentioned)

- you have an adequate decprytion rule for your "outbound" connection, where "outbound" means from one zone to the other

- the server is using a protocol (no proprietary encryption) and cipher suite which is supported by your PANOS Version
(https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites)

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

Sorry guys - I gave an wrong answer earlier on, this is for inbound sessjons, not outbound...

L2 Linker

Re: Decryption with Wildcard SSL-certificate?

Ahhh, ok. For inbound i think it will work. I can check it on a Lab Unit the next days if you want?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!