Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode

by nbilly on 10-16-2013 05:21 AM

Overview

When configuring an SSL decryption policy to define which SSL traffic is eligible for decryption, you have to choose between two types/modes:

  • SSL Forward-Proxy
  • SSL Inbound Inspection

This article explains the difference between the two modes.

Details

[Figure: decryption_forwardvsinbound.jpg]

Forward-Proxy

In Forward-Proxy mode, PAN-OS intercepts the SSL traffic that matches the policy and acts as a proxy (a man-in-the-middle): it generates a new certificate for the accessed site, copying the identifying fields (subject, Subject Alternative Names) from the certificate the real server presents, and presents that copy to the client during the SSL handshake. The copy is signed with the firewall's self-signed CA certificate or with another CA certificate, specified as shown below:

[Screenshot: Screen Shot 2013-10-16 at 15.03.36.png]

Note: If you want to use a certificate issued by a third party, it must be a CA certificate, and you have to import both the public and the private key (the key pair). This is the Forward Trust certificate: every client whose traffic is decrypted must have that CA in its trust store, otherwise each decrypted site raises a certificate warning in the browser. A site whose original certificate does not validate on the firewall is re-signed with the separate Forward Untrust certificate instead, which is deliberately not distributed to clients, so the client still sees a warning for a bad origin certificate.

  1. The client tries to reach www.google.com over HTTPS. The traffic matches the decryption policy.
  2. The traffic is handed to the SSL proxy engine.
  3. PAN-OS proxies the SSL traffic and sets up a new SSL connection to the web server on the client's behalf.
  4. The web server completes its handshake with the PAN-OS device and presents its real certificate. From that certificate, the internal PKI generates the impersonation certificate for www.google.com (signed by the CA certificate); the private key behind it is the firewall's own, so the server's key is never needed.
  5. The PAN-OS device completes its own SSL handshake with the client, presenting the generated certificate in the Certificate message that follows its Server Hello.
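The certificate handling in steps 4 and 5, reproduced with the openssl command line as an added example (this is not code from the original article, from PAN-OS or from Palo Alto Networks). It goes a little beyond the steps above: besides copying the server's CN and SAN into an impersonation certificate, it also chooses the signing CA the way the firewall does, Forward Trust when the origin chain validates and Forward Untrust when it does not. Every CA, certificate and key is generated here; "Real Public CA", "Rogue CA", the firewall CA names and www.example.com are constructed stand-ins, and the server subject is assumed to be a single CN.

```sh
#!/bin/sh
# Added example: emulate the certificate handling of an SSL Forward Proxy with openssl.
# All CAs, certificates and keys are constructed in a temp dir; nothing comes from a firewall.
set -eu

WORK=$(mktemp -d)
HOST=www.example.com   # assumed hostname

# Self-signed CA with CA:TRUE: $1 = file prefix, $2 = CN
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 -sha256 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate: $1 = file prefix, $2 = signing CA prefix, $3 = CN, $4 = SAN value
issue_leaf() {
    printf 'subjectAltName=%s\n' "$4" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Decision the firewall takes after the server's Certificate message: validate the origin
# certificate ($1) against the firewall's trusted CA list ($2). Prints the CA prefix to sign
# with: "fwd-trust" if the chain validates, "fwd-untrust" otherwise.
signing_ca_for() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo fwd-trust; else echo fwd-untrust; fi
}

# Build the impersonation certificate: copy CN and SAN from the origin certificate ($1), issue
# a new certificate under the chosen CA into prefix $2 with a key generated here (the origin
# server's private key is never needed). Prints the CA that signed it.
impersonate() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//')
    san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' ')
    ca=$(signing_ca_for "$1" "$WORK/trusted-cas.crt")
    issue_leaf "$2" "$ca" "$cn" "$san"
    echo "$ca"
}

# The client's side: exit 0 only if certificate $2 chains to the client's trust store $1
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed PKI ---
make_ca real-ca "Real Public CA"                 # what www.example.com legitimately chains to
make_ca rogue-ca "Rogue CA"                      # issuer nobody trusts
make_ca fwd-trust "Firewall Forward Trust CA"    # distributed to clients
make_ca fwd-untrust "Firewall Forward Untrust CA" # deliberately NOT distributed to clients
cp "$WORK/real-ca.crt" "$WORK/trusted-cas.crt"   # the firewall's trusted CA list

issue_leaf good-server real-ca "$HOST" "DNS:$HOST"
issue_leaf bad-server rogue-ca "$HOST" "DNS:$HOST"

GOOD_CA=$(impersonate "$WORK/good-server.crt" good-proxy)   # fwd-trust
BAD_CA=$(impersonate "$WORK/bad-server.crt" bad-proxy)      # fwd-untrust
echo "good origin re-signed by: $GOOD_CA"
echo "bad origin re-signed by:  $BAD_CA"
if client_accepts "$WORK/fwd-trust.crt" "$WORK/good-proxy.crt"; then echo "client trusting Forward Trust CA: accepts good-proxy.crt"; fi
if ! client_accepts "$WORK/real-ca.crt" "$WORK/good-proxy.crt"; then echo "client trusting only Real Public CA: rejects good-proxy.crt"; fi
if ! client_accepts "$WORK/fwd-trust.crt" "$WORK/bad-proxy.crt"; then echo "client trusting Forward Trust CA: rejects bad-proxy.crt"; fi
```

The last three checks are the security point of this mode: the impersonation certificate validates only for a client that trusts the Forward Trust CA, a client that trusts only the public CA rejects it (which is why the CA must be deployed to clients before enabling decryption), and an origin that fails validation on the firewall still fails on the client because it was re-signed by the Forward Untrust CA.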

Inbound Inspection

In Inbound Inspection mode, PAN-OS does not act as a proxy for the SSL traffic matching the policy. It decrypts the traffic "on the fly" by eavesdropping on the SSL handshake, using the server certificate and key pair configured in the decryption policy as below:
[Screenshot: Screen Shot 2013-10-16 at 16.41.52.png]

Note: This decryption mode can only work if you control the targeted web server's certificate and can import its key pair onto the Palo Alto Networks device. That is why this mode is typically used to decrypt inbound SSL traffic to an internal web server. Keep the limit of passive decryption in mind: holding the server's private key lets the firewall recover the session keys only when the pre-master secret is encrypted to that key, i.e. with RSA key exchange cipher suites. With DHE/ECDHE cipher suites (and in TLS 1.3, which mandates ephemeral key exchange) the server's key only signs the handshake, so the session cannot be decrypted this way and the server's cipher suites must be restricted accordingly (later PAN-OS releases added support for PFS cipher suites in inbound inspection, which this 2013 article does not cover).

  1. The client tries to reach the web server (www.google.com in this example) over HTTPS. The traffic matches the decryption policy.
  2. The SSL proxy engine starts eavesdropping on the SSL session with the associated key pair.
  3. The SSL request is sent on to the web server without being proxied.
  4. PAN-OS inspects the Certificate message the server sends during the handshake to verify that the certificate presented by the server matches the one configured in step 2.
  5. If they match, decryption succeeds for the rest of the session; otherwise decryption fails (dedicated global counters are incremented).
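The two comparisons behind steps 4 and 5, as an added example with the openssl command line (not code from the original article, from PAN-OS or from Palo Alto Networks): the check you should run before importing a key pair (does the private key really belong to the certificate the server serves?), and the check the firewall performs at handshake time (is the certificate the server presented the one configured in the policy?). Both certificates and keys are constructed here; srv.example.com is an assumed hostname. The "stale" pair stands for a leftover from a previous renewal, the usual cause of a mismatch: same subject, different key, so comparing subjects is not enough.

```sh
#!/bin/sh
# Added example: key-pair and presented-certificate checks for SSL Inbound Inspection.
# Certificates and keys are constructed in a temp dir; nothing comes from a firewall.
set -eu
WORK=$(mktemp -d)

# Exit 0 if the public key inside certificate $1 equals the public key derived from
# private key $2. Comparing encoded public keys (rather than RSA moduli) also works for EC keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# What the firewall decides in step 4: compare the certificate the server presented ($1)
# with the one configured in the policy ($2) by SHA-256 fingerprint, not by subject.
# Prints "match" or "mismatch".
presented_cert_check() {
    presented=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    configured=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    if [ "$presented" = "$configured" ]; then echo match; else echo mismatch; fi
}

# Constructed inputs: the certificate the server currently serves, and a stale certificate
# with the same subject from an earlier renewal whose key is still lying around.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=srv.example.com" \
    -keyout "$WORK/current.key" -out "$WORK/current.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=srv.example.com" \
    -keyout "$WORK/stale.key" -out "$WORK/stale.crt" 2>/dev/null

if key_matches_cert "$WORK/current.crt" "$WORK/current.key"; then
    echo "current.key belongs to current.crt: safe to import as the key pair"
fi
if ! key_matches_cert "$WORK/current.crt" "$WORK/stale.key"; then
    echo "stale.key does NOT belong to current.crt: importing it would never decrypt anything"
fi
echo "server presents current.crt, policy has current.crt: $(presented_cert_check "$WORK/current.crt" "$WORK/current.crt")"
echo "server presents current.crt, policy has stale.crt:   $(presented_cert_check "$WORK/current.crt" "$WORK/stale.crt")"
```

Run the first check against the certificate actually served by the server (fetch it with openssl s_client and compare fingerprints), not against a file someone hands you; after every certificate renewal the key pair on the firewall has to be replaced, otherwise step 4 yields a mismatch and the failure counters start climbing.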

owner: nbilly

Comments
by hshah
on 05-01-2014 04:58 AM

Excellent

by hugo
on 06-29-2014 09:46 AM

Nice

by HULK
on 11-09-2014 11:27 PM

Wonderful doc.
