Hey girls/guys. My clients on the internal network talk to a web proxy on the internet that performs SSL forward proxy. This traffic traverses the Palo Alto firewall - we would like the Palo Alto to see inside this traffic for threats, etc. Note: The web proxy must stay - we cannot move this function to the Palo Alto firewall.
Is it possible to import the web proxy CA certificate and private key (the CA on the web proxy that signs certificates for HTTPS websites on the fly) onto the Palo Alto and if so, would the Palo Alto firewall be able to use the CA certificate and private key to see inside the certificates the web proxy creates on the fly?
I'm thinking this is not possible, as the web proxy creates a new certificate public/private key for each HTTPS website the user visits, and I don't believe the Palo Alto can use the CA certificate and private key to decrypt certificates that it has signed. Would love to hear comments.
Go listen to the Ignite keynote Nir gave this year on proxies ;-)
The answer to your question would be "it depends" because you don't make mention of what's actually acting as a proxy. Some proxies will allow you to issue a subordinate CA cert to the firewall and allow the firewall to issue the cert on their behalf and then simply accept that certificate and perform other functions; others won't. If your proxy can't do that, or something similar, then it would need to be able to pass the unencrypted traffic through to the firewall for inspection before returning the traffic and encrypting it again; this however is an extremely uncommon feature and something you probably wouldn't want to enable unless you have some sort of encrypted tunnel to the proxy service.
Hey @BPry , thanks for taking the time to reply. I'll Google the Nir keynote on proxies later.....
The proxy is a Zscaler. My fundamental question that I'm trying to get my head around is this: if I download the subordinate CA certificate + private key running on my Zscaler onto my Palo Alto, would this suffice for my Palo Alto firewall to decrypt the HTTPS traffic (SSL Inbound Decryption)?
I think the answer is no - the Palo Alto needs the certificate + private key of the websites I am visiting (so if I browse to https://test.com my Palo Alto needs the https://test.com certificate + private key that was created by the subordinate CA running on my Zscaler). Does that make sense?
@djohnson229 If you try to decrypt the traffic passing the Palo Alto from the Zscaler to the Internet transparently without proxying it, then it will not work. As you rightfully said, you will need the web server certificate.
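The three positions in this thread (CA key only, CA key plus the per-site leaf key, and a subordinate CA issued to the firewall so it terminates TLS itself) can be shown in a small offline model. The script below is an added example, not code from the original posts or from Palo Alto Networks or Zscaler. It uses textbook RSA on small fixed primes so it runs with the Python standard library only; the "proxy-ca" / "firewall-sub-ca" names, the prime values and the premaster secret are constructed for the illustration.

```python
"""Toy model of the point made in this thread: a device that holds only the
proxy's CA certificate and CA private key cannot recover a TLS session the
proxy terminated with a per-site certificate it minted on the fly.
Textbook RSA on small fixed primes keeps this offline and standard-library
only; it is a teaching model of the key relationships, not TLS."""
import hashlib
from dataclasses import dataclass

E = 65537  # common RSA public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent; never leaves the party that generated it


@dataclass(frozen=True)
class Cert:
    subject: str
    n: int      # subject's public key
    e: int
    issuer: str
    sig: int    # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """To-be-signed bytes: subject name, subject public key, issuer name."""
        return f"{self.subject}|{self.n}|{self.e}|{self.issuer}".encode()


def keygen(p: int, q: int) -> KeyPair:
    """Textbook RSA key from two distinct primes with gcd(E, (p-1)(q-1)) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, E, pow(E, -1, phi))  # modular inverse (Python 3.8+)


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key: KeyPair, msg: bytes) -> int:
    return pow(_digest(msg, key.n), key.d, key.n)


def verify(issuer_n: int, issuer_e: int, msg: bytes, sig: int) -> bool:
    return pow(sig, issuer_e, issuer_n) == _digest(msg, issuer_n)


def issue(issuer: str, issuer_key: KeyPair, subject: str, subject_key: KeyPair) -> Cert:
    """What a forward-proxy CA does per visited site: certify a fresh leaf key."""
    unsigned = Cert(subject, subject_key.n, subject_key.e, issuer, 0)
    return Cert(subject, subject_key.n, subject_key.e, issuer, sign(issuer_key, unsigned.tbs()))


def encrypt_premaster(leaf: Cert, premaster: int) -> int:
    """Client side of RSA key exchange: the secret is encrypted to the LEAF public key."""
    return pow(premaster, leaf.e, leaf.n)


def recover(key: KeyPair, ciphertext: int) -> int:
    """A party holding private key `key` attempts to decrypt the client's secret."""
    return pow(ciphertext % key.n, key.d, key.n)


# Constructed, deterministic primes for the demo; not real key material.
PROXY_CA_PRIMES = (1_000_000_007, 998_244_353)
PROXY_LEAF_PRIMES = (1_000_000_009, 999_999_937)
FW_SUBCA_PRIMES = (1_000_000_021, 1_000_000_033)
FW_LEAF_PRIMES = (999_999_929, 999_999_893)
PREMASTER = 0x0123456789ABCDEF  # constructed client secret, smaller than every modulus


def simulate() -> dict:
    proxy_ca = keygen(*PROXY_CA_PRIMES)    # the proxy's signing CA (hypothetical "proxy-ca")
    site_key = keygen(*PROXY_LEAF_PRIMES)  # fresh key the proxy mints for test.com
    site_cert = issue("proxy-ca", proxy_ca, "test.com", site_key)
    ct = encrypt_premaster(site_cert, PREMASTER)  # client trusts proxy-ca, encrypts to its leaf

    # Case 1: firewall on the path was given the proxy's CA cert + CA private key only.
    ca_only = recover(proxy_ca, ct) == PREMASTER
    # Case 2: firewall also holds the per-site leaf private key (what inbound inspection needs).
    with_leaf_key = recover(site_key, ct) == PREMASTER

    # Case 3 (the other model from the thread): proxy CA issues the firewall a sub-CA cert,
    # the firewall mints its own leaf for test.com and terminates the session itself.
    fw_ca = keygen(*FW_SUBCA_PRIMES)
    fw_ca_cert = issue("proxy-ca", proxy_ca, "firewall-sub-ca", fw_ca)
    fw_leaf_key = keygen(*FW_LEAF_PRIMES)
    fw_leaf = issue("firewall-sub-ca", fw_ca, "test.com", fw_leaf_key)
    chain_ok = (verify(proxy_ca.n, proxy_ca.e, fw_ca_cert.tbs(), fw_ca_cert.sig)
                and verify(fw_ca_cert.n, fw_ca_cert.e, fw_leaf.tbs(), fw_leaf.sig))
    ct2 = encrypt_premaster(fw_leaf, PREMASTER)
    fw_terminates = chain_ok and recover(fw_leaf_key, ct2) == PREMASTER

    return {
        "site_cert_chains_to_proxy_ca": verify(proxy_ca.n, proxy_ca.e, site_cert.tbs(), site_cert.sig),
        "firewall_with_ca_key_only_decrypts": ca_only,
        "firewall_with_leaf_key_decrypts": with_leaf_key,
        "firewall_with_own_subca_decrypts": fw_terminates,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The CA private key signs the leaf's public key; it has nothing to do with the leaf's modulus, so decrypting with it yields garbage (case 1), while the per-site key (case 2) or a leaf the firewall minted under its own sub-CA (case 3) works. One caveat beyond the thread: this models RSA key exchange, where the server's private key decrypts the session secret. With ECDHE cipher suites, and always in TLS 1.3, even the leaf private key does not allow a passive device to recover the session keys, so a middlebox has to terminate the session itself, which is the sub-CA model rather than a key import.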