How to Import the Intermediate CA on the Firewall


Details

A Palo Alto Networks firewall can block websites that present untrusted certificates. Some websites use certificates signed by an intermediate CA. If that intermediate CA is not trusted on the Palo Alto Networks firewall, the firewall simply drops the packets. To avoid this, import the intermediate certificate on the firewall.

The firewall is configured to block SSL sites with untrusted certificates.

For example, the following site is signed by an intermediate certificate, so the firewall blocks it: www.studyisland.com

[Screenshot: Intermediate_Cert.png]

  1. Download the intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format.
    [Screenshot: Save_Cert.png]

  2. Log in to the firewall through the WebGUI.
  3. Go to Device > Certificates > Import and import the intermediate certificate "DigiCert SHA2 High Assurance Server CA".
    [Screenshot: Import_Cert1.png]
  4. Click on the certificate and check "Trusted Root CA".
    [Screenshot: Trust_Cert.png]

owner: hshah

Comments

In PanOS 5 and 6, how does one view logs of sites where traffic has been dropped because the certificate is "untrusted"?

For example, as of this writing sites https://ryderonline.ryder.com, https://www2.nscorp.com, http://www.NavisphereProcurement.com and https://cer.omnitracs.com all have invalid certificate chains. These are important B2B sites, but are blocked due to the chain issue and the settings I have on my firewall. If I add the missing certificate authorities used in the chains to my PanOS 5 firewall as trusted root certificate authorities, then the pages are no longer blocked.

Ideally, one would not import these certificates into one's firewall. One would have the website webmasters fix their certificate chain issue. This is because the certificate authority at some point in the future should be untrusted. My import will prevent this future certificate authority revocation.

I have tried to resolve this issue by importing the intermediate cert and making it a Trusted Root CA, but it did not unblock the page.