SSL decryption in forwarding proxy and a Web proxy after paloalto firewall

L1 Bithead

Hi all,

I have a PA firewall used for Internet navigation and a transparent proxy for web navigation.

I have enabled SSL decryption for a specific URL category that I have set to block-continue in the URL profile.

If I set my PDL browser with the proxy I don't receive the response page and the connection times out. If I remove the proxy from the PDL it works fine.

I set a pcap filter (with a Palo Alto engineer) and we noticed, at the different stages:

  • firewall: the connection goes well and there is a RST,ACK at the end of the session
  • transmit: the connection goes wrong and a FIN is sent from the PDL to the proxy
  • receive: the connection goes well and there is a RST,ACK at the end of the session
  • drop: no drops

We have Squid as the proxy but I didn't find any guide or configuration for this issue. Do you have any ideas? :D

Thanks a lot

Gianpiero

L4 Transporter

Re: SSL decryption in forwarding proxy and a Web proxy after paloalto firewall

Well, I think I may have some questions and maybe some answers...

I am not familiar with a PDL browser... maybe you could help with that question.

In order for SSL Forward Proxy to work correctly (based on my understanding as an instructor), the public cert from the Internet (facebook, bankofamerica, etc.) needs to be seen by the outside interface of the FW.

I have a sneaking suspicion that the web proxy that you have in front of the FW is causing the issue.

Which then raises another question: if you have PAN-DB, why the need for a web proxy, when the firewall can be used to allow/disallow web site traffic based on URL category?

Maybe you could provide some additional details to help us out. (But step 1... try without the web proxy, if possible... just trying to remove obvious pieces that may be causing errors/breakage of traffic.)
