Tips & Tricks: SSL Forward Proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

In today's digital world, where encryption is all around us, SSL decryption becomes a real superhero in the fight against hidden threats and bolstering network security. Luckily, Palo Alto Networks Next-Generation Firewall comes to the rescue with its powerful SSL decryption capabilities. With these tools, organizations can gain insight into encrypted traffic, spot potential risks, and take proactive measures to keep their network safe and sound. In this Tips & Tricks, I'm going to walk you through the steps of enabling SSL inbound decryption. Let's dive in!

 

In Forward-Proxy mode, PAN-OS will intercept outbound SSL traffic matched to a decryption policy. The firewall acts as a proxy (Man In The Middle) initiating an SSL session with the destination server. During this process, the firewall presents a certificate signed by an Enterprise CA or third-party CA. 

 

 

Screen Shot 2023-05-22 at 12.22.07 AM.png

Configuring SSL Forward Proxy 

  1. Generate or import SSL/TLS certificates:

    • Generate a self-signed certificate or import a trusted third-party certificate for SSL decryption. You can import certificates under Device > Certificate Management > Certificates. 

                 Note: If you are using a certificate signed by a third-party CA, will have to import the public AND private key (Key                       Pair).

  1. Configure decryption policies:

    • Go to Policies > Decryption.
    • Click on the "Add" button to create a new decryption policy.
    • Define the decryption policy based on source and destination zones, addresses, applications, and users.
  2. Set up SSL decryption profiles:

    • Under Policies > Decryption, click on "SSL Decryption Profiles."
    • Click on the "Add" button to create a new SSL decryption profile.
    • Configure settings such as SSL protocol versions, encryption ciphers, certificate selection, and authentication requirements.
  3. Configure SSL decryption rules:

    • Under Policies > Decryption, click on "SSL Decryption Rules."
    • Click on the "Add" button to create a new SSL decryption rule.
    • Define the rule conditions based on source and destination zones, addresses, applications, or users.
    • Select the SSL decryption profile you created in the previous step.
  4. Enable SSL decryption on security policies:

    • Under Policies > Security, select the security policy that you want to enable SSL decryption for.
    • Click on the "Actions" tab.
    • Enable the "Decryption" option and select the SSL decryption rule you created.
  5. Fine-tune SSL decryption settings:

    • Under Device > Setup > Content-ID > SSL Decryption Settings, you can configure additional SSL decryption settings.
    • Customize options such as exclusions for specific websites or applications, trusted root CA certificates, or revocation checking options.
  6. Monitor and troubleshoot:

    • Monitor the firewall logs and review the decrypted traffic logs to ensure that the SSL decryption process is functioning correctly.
    • Use the SSL Decryption Logs to view detailed information about decrypted SSL sessions and any potential issues.

 

There you have it! With SSL decryption on your side, you'll be proactive in protecting your network, detecting potential risks, and keeping your organization safe from ever-evolving cyber threats. Stay vigilant and protect yourself online!

 

 

Thanks for reading! @JayGolf out. 

Rate this article:
Comments
L6 Presenter

Nice !

Community Team Member

Thanks, @nikoolayy1 !

L1 Bithead

@JayGolf , do you know if the SSL Forward Trust cert can be from public CA such as GoDaddy? Or it can only be self-signed and Enterprise CA? Thank you in advance.

 

L0 Member

On 10.2.x and cannot find this setting.  Has this moved?

  1. Fine-tune SSL decryption settings:

    • Under Device > Setup > Content-ID > SSL Decryption Settings, you can configure additional SSL decryption settings.
    • Customize options such as exclusions for specific websites or applications, trusted root CA certificates, or revocation checking options.

If you have 2 Forward trust certs, how do you select.  The example is we have a current CA that is going to be shutdown (Win2012) and use a new CA (2022) and want to tell the PA to use the new Forward Trust Cert. 

  • 4682 Views
  • 4 comments
  • 2 Likes
  • 270 Subscriptions
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎05-22-2023 11:05 AM
Updated by: