04-03-2012 12:22 AM
If I enable SSL decryption and the PAN effectively works as a "man-in-the middle", the client recieves a cert error saying the certificate has not been generated by the destination server. No problem, as I can add the PAN cert as a trusted cert in my organisation.
However, how does the PAN protect from recieving a spoofed cert from the destination server? If the PAN wasn't in place, my WIndows client would tell me the cert doesn't match. Does the PAN run any such tests and if so, how does it inform me?
Regards
Neil
04-03-2012 12:37 AM
When you import your termination CA-cert/private key to your PA box you can set various flags for it.
One of these flags is "untrusted" (something).
This means that you can setup two termination certs (or CA's) in your PA.
One for trusted traffic (this CA is imported as trusted CA in your browser) and one for untrusted traffic (this CA should be imported as UNTRUSTED CA in your browser) - or if you want your clients to get a warning dont import this CA at all in your browser (then the client can choose to continue if they wish if im not mistaken).
This way you can choose to if you wish to completely block untrusted traffic or if you wish to allow the clients to visit the page anyway (and if they do the traffic will be inspected as with the trusted CA cert).
04-03-2012 01:00 AM
In Device -> Setup -> Session you can setup various stuff regarding how the PA box will handle SSL stuff (page 35 in PA-4.1_Administrators_Guide.pdf):
"
Server CRL/OCSP
* Enable - Select the check box to use CRL to check the validity of SSL certificates.Each trusted certificate authority (CA) maintains certificate revocation lists (CRLs) to determine if an SSL certificate is valid (not revoked) for SSL decryption. The Online Certificate Status Protocol (OCSP) can also be used to dynamically check the revocation status of a certificate. For more information on SSL decryption, refer to “Decryption Policies” on page 143.
* Receive Timeout - Specify the interval after which the CRL request times out and the status is determined to be unknown (1-60 seconds).
* Enable OCSP - Select the check box to use OCSP to check the validity of SSL certificates.
* Receive Timeout - Specify the interval after which the OCSP requests times out and the status is determined to be unknown (1-60 seconds).
* Block Unknown Certificate - Select the check box if you want to block certificates that cannot be validated.
* Block Timeout Certificate - Select the check box if you want to block certificates when the request for certificate information times out.
* Certificate Status Timeout - Specify the interval after which certificate status requests time out (1-60 seconds).
"
And when you setup the decryption policy you have various options to play with (page 144):
"
Options Tab
* Action - Select decrypt or no-decrypt for the traffic.
* Type - Select the type of traffic to decrypt from the drop-down list:
- SSL Forward Proxy—Specifies that the policy will decrypt client traffic destined for an external server.
- SSH Proxy—Specifies that the policy will decrypt SSH traffic. This option allows you to control SSH tunneling in policies by specifying the ssh-tunnel App-ID.
- SSL Inbound Inspection—Specifies that the policy will decrypt SSL inbound inspection traffic.
* Category - Click Add to select the URL categories from the drop-down list.
* Block sessions that cannot be decrypted - Select the check box to block any sessions that the firewall cannot decrypt based on policy rules. Decryption may fail if none of the cryptographic algorithms offered by the client and server are supported.
"
And when importing your certificate(s) for ssl-inspection/termination in Device -> Certificates you have these settings to choose from (a single cert can be flagged with multiple features):
"
The Certificates page allows you to generate the following security certificates:
* Forward Trust - This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA in the firewall’s trusted CA list. If a self-signed certificate is used for forward proxy decryption, you must click the certificate name in the Certificates page and select the Forward Trust Certificate check box.
* Forward Untrust - This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA that is not in the firewall’s trusted CA list.
* Trusted Root CA - The certificate is marked as a trusted CA for forward decryption purposes.
When the firewall decrypts traffic, it checks the upstream certificate to see if it is issued by a trusted CA. If not, it uses a special untrusted CA certificate to sign the decryption certificate. In this case, the user sees the usual certificate error page when accessing the firewall and must dismiss the warning to log in.
The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that are trusted for your enterprise but are not part of the pre-installed trusted list.
* SSL Exclude - This certificate excludes connections if they are encountered during SSL forward proxy decryption.
* Certificate for Secure Web GUI - This certificate authenticates users for access to the firewall web interface. If this check box is selected for a certificate, the firewall will use this certificate for all future web-based management sessions following the next commit operation.
"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
