SSL Outbound decryption - Outbound traffic

L1 Bithead

SSL Outbound decryption - Outbound traffic

Hi there, I need your inputs to implement SSL decryption. Currently we have a proxy server (WSA), and the same is configured explicitly on all end users. WSA doesn't have SSL decryption; hence we would like to deploy SSL decryption at the perimeter firewall (Palo Alto). Please suggest how to implement the same and which certificate needs to be used. As I am new to SSL decryption, please suggest the same and share some documents with step-by-step procedures. Thanking you.

L2 Linker
L3 Networker

Re: SSL Outbound decryption - Outbound traffic

I'm not sure if maybe you just mean your WSA isn't doing decryption, but WSA does support it.  We had a rack of them that were also decrypting before we moved to PAN.

L1 Bithead

Re: SSL Outbound decryption - Outbound traffic

Hi there,

In the LAN we have more than 500 users, so what is the best practice to deploy SSL decryption and install the certificates on client PCs?

That is, do I need to generate a CSR in the firewall and have it signed by the local domain controller? Please elaborate on the same and throw some light on this.

L3 Networker

Re: SSL Outbound decryption - Outbound traffic

The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers. I'd just use a self-signed one from the firewall, but you can also get publicly signed ones, etc.

This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/

Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.

If Windows, the easiest way to deploy these is using GPO.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to...

If Mac or Linux, you'd need some sort of orchestration tool (JAMF, etc.) to push globally.


*Please like or mark as solution if the answer is helpful!*
L1 Bithead

Re: SSL Outbound decryption - Outbound traffic

Hi there, thanks for your response; I need a bit more detail. Let me put it this way: 1) I have a wildcard public certificate - can I use that certificate for SSL inspection? 2) If wildcard is not supported, can I generate a CSR with the inside interface IP and get it signed through my internal CA? And if we have multiple sub-interfaces on the inside, do we need to generate multiple CSRs, one for each interface IP? Please correct me if I am wrong.
L3 Networker

Re: SSL Outbound decryption - Outbound traffic

1) I have a wildcard public certificate - can I use that certificate for SSL inspection?

No. It needs to be given Certificate Authority permissions.

2) If wildcard is not supported, can I generate a CSR with the inside interface IP and get it signed through my internal CA? And if we have multiple sub-interfaces on the inside, do we need to generate multiple CSRs, one for each interface IP? Please correct me if I am wrong.

You cannot use the firewall to generate a CSR and have your PKI issue it. The firewall does not have the ability to request a CA certificate; just a regular server cert. If you check the Certificate Authority box on the generate screen, that just makes the firewall sign it. If you want to use a certificate signed by your internal PKI, you have to generate the CSR manually, sign it, and then import the cert and key.

The interfaces of the firewall are unrelated to this. When inspection is done, the firewall needs to create new certificates matching the domain being accessed, and those certificates need to be signed by a certification authority that is trusted on the client device. The client doesn't ever see anything to do with the firewall's interface in the certificate.


*Please like or mark as solution if the answer is helpful!*
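The chain the answer above describes, as an added example that is not from this thread or from Palo Alto: a shell script using openssl that builds an internal root CA, a sub-CA CSR generated off-box and signed by that root (the cert and key pair you would import into the firewall as the forward-trust certificate), a leaf minted for a visited site and signed by that sub CA, and the same leaf signed by a CA:FALSE wildcard server certificate to show why a wildcard cert cannot act as the issuer. Every CN and file name here (Example Internal Root CA, Firewall Forward Trust CA, www.example.com, *.example.net) is constructed for the example, and the leaf subject is the visited site, with no firewall interface address anywhere in the chain.

```shell
#!/bin/sh
# Added example (not from this thread or from Palo Alto): models the PKI behind
# outbound SSL inspection with openssl. All CNs and file names are constructed.
set -eu

WORK=$(mktemp -d)

# Extensions a forged leaf carries: an end-entity server cert for the visited site.
LEAF_EXT='basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth'

# Private key + CSR with the given CN. This is the off-box step: the firewall can
# only request a plain server cert, so a CA CSR has to be produced elsewhere.
make_csr() { # $1 file stem, $2 subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR with an issuer's cert/key, applying newline-separated extensions.
sign_csr() { # $1 csr stem, $2 issuer stem, $3 output stem, $4 extensions
  printf '%b\n' "$4" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

build_inspection_pki() {
  # 1. Internal PKI root: the CA the clients already trust (pushed via GPO/MDM).
  make_csr root "Example Internal Root CA"
  printf '%b\n' 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  # 2. Forward-trust certificate: CSR generated off-box, issued by the root as a
  #    subordinate CA (CA:TRUE). This cert + key is what gets imported into the firewall.
  make_csr fw-subca "Firewall Forward Trust CA"
  sign_csr fw-subca root fw-subca \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
  # 3. A wildcard server certificate from the same root: CA:FALSE, as any public
  #    wildcard cert would be.
  make_csr wild "*.example.net"
  sign_csr wild root wild \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth'
  # 4. Per connection, the firewall mints a key/CSR for the site the client asked for.
  make_csr leaf "www.example.com"
}

# Returns 0 when a client that trusts only root.crt would accept a leaf for
# www.example.com issued by $1; $2 is the output stem for the forged leaf.
client_accepts() { # $1 issuer stem, $2 leaf stem
  sign_csr leaf "$1" "$2" "$LEAF_EXT" || return 1
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# Subject the client sees in the forged certificate (the site, never the firewall).
leaf_subject() { # $1 leaf stem
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

build_inspection_pki
if client_accepts fw-subca leaf-ok; then
  echo "sub CA issuer: accepted; client sees '$(leaf_subject leaf-ok)'"
fi
if client_accepts wild leaf-bad; then
  echo "wildcard issuer: accepted (unexpected)"
else
  echo "wildcard issuer: rejected, the wildcard cert lacks CA:TRUE"
fi
```

Run it as-is; the first verification passes because the client's trust store holds the root and the sub CA carries CA:TRUE, while the second fails because a server certificate, wildcard or not, has no authority to issue. The same holds for a self-signed forward-trust cert generated on the firewall: it works as long as that cert, rather than the internal root, is the one pushed to clients.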
L4 Transporter

Re: SSL Outbound decryption - Outbound traffic

@TSilverline Can a public wildcard cert be used for inbound decryption?

L3 Networker

Re: SSL Outbound decryption - Outbound traffic


@raji_toor wrote:

@TSilverline Can a public wildcard cert be used for inbound decryption?

Yes. As long as the firewall also has the private key.


*Please like or mark as solution if the answer is helpful!*