For details on cookie usage on our site, read our Privacy Policy
Tips & Tricks: SSL Forward Proxy
- LIVEcommunity
- Articles
- General Articles
- Tips & Tricks: SSL Forward Proxy
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Printer Friendly Page
In today's digital world, where encryption is all around us, SSL decryption becomes a real superhero in the fight against hidden threats and bolstering network security. Luckily, Palo Alto Networks Next-Generation Firewall comes to the rescue with its powerful SSL decryption capabilities. With these tools, organizations can gain insight into encrypted traffic, spot potential risks, and take proactive measures to keep their network safe and sound. In this Tips & Tricks, I'm going to walk you through the steps of enabling SSL inbound decryption. Let's dive in!
In Forward-Proxy mode, PAN-OS will intercept outbound SSL traffic matched to a decryption policy. The firewall acts as a proxy (Man In The Middle) initiating an SSL session with the destination server. During this process, the firewall presents a certificate signed by an Enterprise CA or third-party CA.
Configuring SSL Forward Proxy
-
Generate or import SSL/TLS certificates:
- Generate a self-signed certificate or import a trusted third-party certificate for SSL decryption. You can import certificates under Device > Certificate Management > Certificates.
Note: If you are using a certificate signed by a third-party CA, will have to import the public AND private key (Key Pair).
-
Configure decryption policies:
- Go to Policies > Decryption.
- Click on the "Add" button to create a new decryption policy.
- Define the decryption policy based on source and destination zones, addresses, applications, and users.
-
Set up SSL decryption profiles:
- Under Policies > Decryption, click on "SSL Decryption Profiles."
- Click on the "Add" button to create a new SSL decryption profile.
- Configure settings such as SSL protocol versions, encryption ciphers, certificate selection, and authentication requirements.
-
Configure SSL decryption rules:
- Under Policies > Decryption, click on "SSL Decryption Rules."
- Click on the "Add" button to create a new SSL decryption rule.
- Define the rule conditions based on source and destination zones, addresses, applications, or users.
- Select the SSL decryption profile you created in the previous step.
-
Enable SSL decryption on security policies:
- Under Policies > Security, select the security policy that you want to enable SSL decryption for.
- Click on the "Actions" tab.
- Enable the "Decryption" option and select the SSL decryption rule you created.
-
Fine-tune SSL decryption settings:
- Under Device > Setup > Content-ID > SSL Decryption Settings, you can configure additional SSL decryption settings.
- Customize options such as exclusions for specific websites or applications, trusted root CA certificates, or revocation checking options.
-
Monitor and troubleshoot:
- Monitor the firewall logs and review the decrypted traffic logs to ensure that the SSL decryption process is functioning correctly.
- Use the SSL Decryption Logs to view detailed information about decrypted SSL sessions and any potential issues.
There you have it! With SSL decryption on your side, you'll be proactive in protecting your network, detecting potential risks, and keeping your organization safe from ever-evolving cyber threats. Stay vigilant and protect yourself online!
Thanks for reading! @JayGolf out.
-
"Address Objects"
1 -
10.0
1 -
10.1
2 -
10.2
2 -
8.1
1 -
9.0
1 -
9.1
1 -
Active-Passive
1 -
AD
1 -
address objects
1 -
admin roles
1 -
administration
4 -
Administrator Profile
1 -
Advanced URL Filtering
2 -
Alibaba
2 -
Alibaba Cloud
3 -
Ansible
1 -
antivirus
1 -
API
1 -
applications
1 -
Authentication
4 -
Authentication Profile
1 -
Authentication Sequence
1 -
automatically acquire commit lock
1 -
Automation
1 -
AWS
3 -
Azure
1 -
Basic Configuration
3 -
Beacon
1 -
Beacon2020
1 -
Best Practices
1 -
Block List
1 -
categories
1 -
certificates
1 -
Chrome Search Extension
1 -
CLI
2 -
CLI Command
1 -
Cloud Identity Engine
1 -
Cloud Security
1 -
Commit Process
1 -
Community News
1 -
Configuration
9 -
Configure Next Generation Firewall
1 -
console
1 -
Cortex
1 -
Cortex Data Lake
1 -
Cortex XDR
3 -
COVID-19
1 -
Cyberelite
9 -
dag
2 -
Default Policy
1 -
Deployment
1 -
discussions
1 -
EDL
2 -
Education
1 -
Education and Training
1 -
Education Services
1 -
Endpoint
1 -
ESXi
1 -
EVENTs
1 -
Expedition
1 -
failover
1 -
FAQ
1 -
Filtering
1 -
Firewall
1 -
gateway
1 -
Gateway Load Balancer
1 -
Gateway Loadbalancer
2 -
gcp
4 -
geolocation
1 -
Getting Started
1 -
Github
1 -
Global Protect
1 -
Global Protect Cookies
1 -
GlobalProtect
6 -
GlobalProtect App
1 -
globalprotect gateway
1 -
GlobalProtect Portal
2 -
google
1 -
google cloud platform
3 -
GWLB
3 -
hash
1 -
High Availability
1 -
How to
1 -
HTTP
1 -
https
1 -
ike
2 -
IoT
2 -
IoT Security
1 -
IPSec
2 -
kerberos
1 -
Kubernetes
1 -
Layer 2
2 -
Layer 3
1 -
Learning
1 -
local user
2 -
log forwarding
1 -
Log4Shell
1 -
Logging
1 -
Logs
1 -
Malware
1 -
Management
8 -
Management & Administration
3 -
MFA
1 -
microsoft
2 -
Microsoft 365
1 -
minemeld
25 -
multi factor authentication
1 -
multi-factor authentication
1 -
network security
31 -
network-security
1 -
Networking
1 -
New Apps
1 -
News
1 -
next-generation firewall
32 -
next-generation firewall. network security
1 -
Next-Generation Firewall. NGFW
2 -
NGFW
17 -
NGFW Configuration
10 -
Objects
2 -
Oracle Cloud
1 -
Oracle Cloud Infrastructure
1 -
OTP
1 -
PA-3200 Series
1 -
pa-440
1 -
PA-800 Series
1 -
pa-820 firewall
1 -
PAN-Os
13 -
PAN-OS 11.0
1 -
PAN-OS 9.1
1 -
Panorama
5 -
Panorama 8.1
1 -
Panorama 9.1
1 -
Panorama Configuration
2 -
Panorama HA
1 -
PCNSA
1 -
PCNSE
1 -
policy
3 -
Prisma
1 -
Prisma Access
4 -
prisma SD-WAN
1 -
QRadar
1 -
Radius
1 -
Ransomware
1 -
region
1 -
Registration
1 -
Release Notes
1 -
SAML
1 -
SASE
2 -
SD-WAN
1 -
Search
1 -
security policy
4 -
security profile
1 -
Security Profiles
2 -
Setup & Administration
5 -
Split Tunneling
1 -
SSL
1 -
SSL Decryption
2 -
SSL Forward Proxy
1 -
SSO
1 -
Support Guidance
1 -
syslog
1 -
Tag
2 -
Tags
2 -
Terraform
1 -
TGW
3 -
threat prevention
2 -
Threat Prevention License
1 -
Threat Prevention Services
1 -
Tips & Tricks
1 -
tls
1 -
Transit Gateway
1 -
Traps
1 -
Troubleshooting
1 -
tunnel
1 -
Tutorial
2 -
Ubuntu 16.04
1 -
upgrade
2 -
upgrade-downgrade
3 -
url categories
1 -
URL Filtering
2 -
URL-Filtering
1 -
User ID Probing
1 -
User-ID
1 -
User-ID & Authentication
1 -
User-ID mapping
1 -
userid
1 -
VM-Series
8 -
VM-Series on AWS
4 -
VPN
2 -
VPNs
3 -
Webinar
1 -
WildFire
2 -
wmi
1 -
XDR
1 -
xml
1 -
XML API
1
- Previous
- Next
