Support for inspecting SSL message for kafka connect

L0 Member

Support for inspecting SSL message for kafka connect

We are using Kafka for messaging and have a requirement to inspect the SSL message sent to the Kafka broker from Kafka Connect. Kafka uses a binary TCP protocol, with Kafka broker listeners on PLAINTEXT://9093 (without SSL).

 

Can Palo Alto decrypt and inspect the Kafka message content?

 

L7 Applicator

Re: Support for inspecting SSL message for kafka connect

@joshualouis911,

Kafka as in Apache Kafka? That would depend highly on how you've configured it. By default Kafka doesn't even use encryption so you won't even need to worry about decrypting SSL traffic. 

If the data itself isn't being encrypted outside of encrypted transport, then you should be able to view the data as soon as you decrypt the transport on the firewall. Honestly though I have no idea how you would accomplish this on the firewall itself in any sort of useful format, as it isn't really designed to read the packet information and then output that for you. At best you identify the Kafka traffic you are interested in and have it perform a packet capture on the traffic so that you could manually go back and read this information if required.

Out of curiosity, why would you worry about this on the firewall? The message would be plaintext on the broker (depending on how you configured it); and I assume if you are using Kafka then this is internal and your organization should have access to the broker to do anything they wish with the information.

L0 Member

Re: Support for inspecting SSL message for kafka connect

Yes, Apache Kafka. Kafka is used here to source data from a secured data center to the cloud. The plan is to use Kafka Connect in the secured data center to read data from a database and transfer it to the cloud. We have Palo Alto in the secured data center for inspecting the connection and traffic. Since Kafka uses the TCP protocol, will the message be in cleartext for Palo Alto to inspect?

L7 Applicator

Re: Support for inspecting SSL message for kafka connect

@joshualouis911,

If you decrypt the traffic then yes; but the firewall doesn't really care about the message itself and to the best of my knowledge doesn't have a great way of displaying/logging the actual message content.
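
Added example (not part of the thread and not any poster's code): a Python check a defender could run over the first client-to-broker bytes pulled from a packet capture, to tell whether a Kafka listener is carrying TLS or the plaintext binary protocol and to read the request header when it is plaintext. The function names and both sample byte strings are constructed for illustration.

```python
import struct

# Subset of Kafka API keys from the protocol guide, for readable output.
API_KEYS = {0: "Produce", 1: "Fetch", 3: "Metadata", 17: "SaslHandshake", 18: "ApiVersions"}
MAX_FRAME = 104857600  # sanity bound; matches the broker default socket.request.max.bytes

def parse_kafka_request(payload: bytes) -> dict:
    """Parse the request header fields common to Kafka request header v1 and v2."""
    if len(payload) < 14:
        return {"kind": "unknown"}
    size, api_key, api_version, corr_id, cid_len = struct.unpack(">ihhih", payload[:14])
    # size counts everything after the 4-byte length prefix; 10 bytes is the minimum header.
    if not (10 <= size <= MAX_FRAME) or api_key < 0 or api_version < 0 or cid_len < -1:
        return {"kind": "unknown"}
    client_id = None  # a length of -1 encodes a null client_id
    if cid_len >= 0:
        if len(payload) < 14 + cid_len:
            return {"kind": "unknown"}
        client_id = payload[14:14 + cid_len].decode("utf-8", "replace")
    return {"kind": "kafka_plaintext", "size": size, "api": API_KEYS.get(api_key, f"key {api_key}"),
            "api_version": api_version, "correlation_id": corr_id, "client_id": client_id}

def classify_stream(payload: bytes) -> dict:
    """Classify the first client-to-broker bytes of a captured TCP stream."""
    if len(payload) < 5:
        return {"kind": "too_short"}
    # TLS record header: type 0x16 (handshake), major version 0x03. A Kafka frame
    # starting with 0x16 would declare a size above MAX_FRAME, so the two do not collide.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return {"kind": "tls", "record_len": struct.unpack(">H", payload[3:5])[0]}
    return parse_kafka_request(payload)

# Constructed samples (not taken from any real capture).
_body = struct.pack(">hhih", 3, 1, 7, 9) + b"connect-1" + struct.pack(">i", -1)  # Metadata v1, all topics
SAMPLE_KAFKA = struct.pack(">i", len(_body)) + _body
SAMPLE_TLS = bytes.fromhex("1603010200010001fc0303")  # start of a TLS ClientHello record

if __name__ == "__main__":
    for name, data in (("kafka", SAMPLE_KAFKA), ("tls", SAMPLE_TLS)):
        print(name, classify_stream(data))
```

A "tls" result means the payload is opaque to anything on the path that does not decrypt it; a "kafka_plaintext" result means topic names and record contents in that capture are readable as-is.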
