Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode

by nbilly on 10-16-2013 05:21 AM - edited on 11-20-2017 03:57 AM (31,923 Views)

When configuring an SSL decryption policy to define which SSL traffic is eligible for decryption, you have to choose between two modes:

  • SSL Forward-Proxy
  • SSL Inbound Inspection

This article explains the difference between the two modes.

Forward-Proxy

SSL Forward Proxy showing an internal user going to an external SSL site.

In Forward-Proxy mode, PAN-OS intercepts the SSL traffic matching the policy and acts as a proxy (a man in the middle, MITM), generating a new certificate for the accessed URL. This new certificate is presented to the client during the SSL handshake. It is signed either with the firewall's self-signed CA certificate or with another CA certificate, specified as shown below:

[Screenshot: certificate selection]

Note: If you want to use a certificate issued by a third party, it must be a CA certificate, and you will have to import both the public and the private key (the key pair).

  1. An internal user tries to reach www.google.com over HTTPS. The traffic matches the decryption policy.
  2. The traffic is handled by our SSL proxy engine, and a certificate for www.google.com is generated by our internal PKI (signed by the CA certificate).
  3. PAN-OS proxies the SSL traffic and sets up a new SSL connection with the web server.
  4. The web server starts its handshake with the PAN-OS device.
  5. The PAN-OS device completes its SSL handshake with the client, presenting the generated certificate in the Server Hello message.

Inbound Inspection

Inbound Inspection showing an external user coming in to a web server internally or in a DMZ.

In Inbound Inspection mode, PAN-OS does not act as a proxy for the SSL traffic matching the policy. Instead, it decrypts the SSL traffic on the fly by eavesdropping on the SSL handshake and using the associated certificate (key pair) configured in the decryption policy, as shown below:

[Screenshot: certificate (key pair) selection in the decryption policy]

Note: This decryption mode can only work if you control the targeted web server's certificate, so that you are able to import its key pair on the Palo Alto Networks device. That is why this mode is often used to decrypt inbound SSL traffic to an internal web server.
  1. An external client tries to reach the internal site www.domain.com over HTTPS. The traffic matches the decryption policy.
  2. Our SSL proxy engine starts to eavesdrop on the SSL session with the associated key pair.
  3. The SSL request is sent to the web server without being proxied.
  4. PAN-OS inspects the Server Hello message during the handshake to verify that the certificate sent by the server matches the one used in step 2.
  5. If there is a match, decryption succeeds for the rest of the session; otherwise, decryption fails (dedicated global counters are incremented).
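The two procedures above, modelled as an added Go example (it is not PAN-OS code and not from the original article): newCert is a constructed stand-in for both the firewall's internal PKI and the web server's own PKI, clientTrusts is Forward-Proxy step 5 as seen by the client, and inboundMatches is the certificate match of Inbound Inspection step 4. The function names and the modelling of that match as a public-key comparison are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues an RSA certificate for host: self-signed when parent is nil, otherwise signed
// by parent/parentKey. It is a constructed stand-in for the firewall's internal PKI
// (Forward-Proxy step 2) and for the real web server's PKI; nothing here is PAN-OS code.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only the CA may sign the generated leaves
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientTrusts is Forward-Proxy step 5 from the browser's side: the generated certificate is
// accepted only if the firewall CA that signed it is in the client's root store (passing no
// roots models a client on which the firewall CA was never installed).
func clientTrusts(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}

// inboundMatches is Inbound Inspection step 4: with no proxy in the path, the firewall can decrypt
// only if the key pair configured in the policy belongs to the certificate the real server sent
// (and only when the session uses RSA key exchange; ephemeral Diffie-Hellman defeats passive decryption).
func inboundMatches(policyKey *rsa.PrivateKey, presented *x509.Certificate) bool {
	pub, ok := presented.PublicKey.(*rsa.PublicKey)
	return ok && policyKey.PublicKey.Equal(pub)
}
```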
See also

SSL decryption resource list

The SSL decryption resource list has a long list of articles dealing only with SSL decryption.
owner: nbilly

Comments
by hshah
on 05-01-2014 04:58 AM

Excellent

by hugo
on 06-29-2014 09:46 AM

Nice

by HULK
on 11-09-2014 11:27 PM

Wonderful doc.

by Sly_Cooper
on 09-28-2017 09:25 AM

1. Can inbound ssl decryption work with wildcard certificates?

2. Since it is not a direct proxy, will traffic be unaffected if the policy is set to allow if the decryption fails?

by
on 11-08-2017 04:04 PM

@Sly_Cooper

Let me try to answer these...

1. A wildcard certificate should work, as you take the cert installed on the WWW server and install it on the firewall.

2. You have two parts to this: you have a Decrypt Policy and then a normal Security policy. You will either allow the traffic and then decrypt it, or not. So, in the event that you cannot decrypt the traffic, the traffic will not be allowed. In that event, to get traffic working again, you would then have to add the URL to the No-Decrypt to get the traffic flowing again.

I hope this answers your question.

Please mark this article helpful or thumb up this response.

by Sly_Cooper
on 11-15-2017 09:38 AM

Can PA intelligently identify encrypted vs. unencrypted traffic and bypass clear text if I do SSL decryption for all traffic? We have F5 behind PAN with a virtual server listening for all traffic (0.0.0.0/0) that has logic for handling different requests to the appropriate host. Some of the traffic may not be encrypted. In terms of decryption policy, there is no specific destination server and all traffic would need to be decrypted with the wildcard cert.

Also, from an impact perspective, I read that if the PA fails to decrypt, it does not impact traffic. Is that true, or does it need specific configuration?

by ali426
a week ago

Hi Folks,

As per my understanding...

The client generates a request for a web server (say YouTube) and now my firewall is configured to decrypt this traffic.

1. Client generates a request for YouTube.
2. Firewall responds to the user on behalf of YouTube with the certificate (CA certificate).
3. Firewall sends the request to YouTube on behalf of the user.
4. YouTube responds with its public key to the firewall.
5. Firewall verifies the certificate and establishes the connection.

Now, consider that on my firewall I have uploaded a single certificate that is from Verizon, and YouTube is presenting a certificate from Microsoft to my firewall. Then how will my firewall validate the Microsoft root certificate?

As of my knowledge, PCs maintain all the root certificates, so a PC can have root certs for Microsoft, Verizon, X, Y, Z... But how can my firewall have those certificates?

Any response is much appreciated.

Thanks in advance,
Ali

by
a week ago

Hi @ali426,

The firewall acts as a proxy, so the firewall 'terminates' the client's connection locally and makes a new connection to the site for itself. The client and server hello between the firewall and the site happen 'the regular way', by verifying the root certificate and Certificate Authority. The connection between the client and the firewall relies solely on the certificate the firewall provides, which acts as the signing certificate for any site.

So youtube will be signed by the firewall CA, but so will google, cnn, amazon, ... (from the client's perspective, everything is signed by the firewall CA).

by ali426
a week ago

Does the firewall maintain global trusted root certificates, like our browsers do?

Thanks and regards,
Ali

by
Tuesday

Yes, there is a trusted root certificates store:

[Screenshot: default trusted certificates]

by Sly_Cooper
Tuesday

In case of inbound ssl inspection, if the firewall uses expired certs (assuming failed to update the renewed cert), will the firewall bypass traffic or drop it? I am trying to understand results when the firewall fails to decrypt the traffic.

by
Wednesday

Hi @Sly_Cooper,

That depends on the preference you configure in the decryption profile:

[Screenshot: decryption profile]
