12-26-2024 05:33 AM
Hello, newbie here. One of our clients asked me:
"We have an Exchange server which is on site. We need to renew the SSL certificate. I was told that if the Palo Alto firewall performs deep packet inspection, we need to supply the SSL certificate to the firewall.
If it is so, we need to coordinate with my local admin to install the SSL certificate on the server and you will need to do your setup on the firewall, we need to plan a meeting..."
As I read the SSL Inbound Inspection document, the client is right.
May I know the thoughts of those who have actually configured Deep Packet Inspection on their Palo Alto firewall?
Thanks
01-05-2025 04:54 PM
Hello @N.MANTUA
Yes, this is the correct understanding. Once the Exchange server administrator renews the certificate, you will have to export that certificate from the server and import it to the firewall to ensure inbound decryption works after the server certificate renewal.
Here is a video tutorial for the setup of inbound SSL decryption: Video Tutorial: How to Configure SSL Inbound Inspection on the Palo Alto Networks Firewall.
After you have the certificate imported in the firewall, you can easily replace the certificate by selecting it from the drop-down list under: Options > Certificate. Alternatively, if you can have the certificate in advance, you can prepare by cloning the existing decryption policy and using the new certificate; then you can position the policy below the existing one and flip the order after the server admin renews the certificate.
Kind Regards
Pavel
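A pre-import check for the renewal step described in the reply above, as an added example that is not part of the original thread and not Palo Alto Networks code: it compares the certificate the server presents with the bundle exported for the firewall, and flags a bundle without a private key, which inbound inspection also needs. It assumes the export has been converted to PEM; all function names are hypothetical and the sample certificates and key are constructed placeholders.

```python
import hashlib
import re
import ssl

# Matches any PEM block (certificate, private key, ...) in an exported bundle.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s.*?-----END \1-----", re.DOTALL)

def sha256_fingerprint(cert_pem):
    """SHA-256 over the DER bytes of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert_pem)).hexdigest()

def inspect_bundle(bundle_pem):
    """List certificate fingerprints in a bundle and note whether a key is present."""
    fingerprints, has_key = [], False
    for block in PEM_BLOCK.finditer(bundle_pem):
        if block.group(1) == "CERTIFICATE":
            fingerprints.append(sha256_fingerprint(block.group(0)))
        elif block.group(1).endswith("PRIVATE KEY"):
            has_key = True
    return {"fingerprints": fingerprints, "has_private_key": has_key}

def check_renewal(served_pem, bundle_pem):
    """Compare the certificate the server presents with the bundle for the firewall."""
    info = inspect_bundle(bundle_pem)
    if sha256_fingerprint(served_pem) not in info["fingerprints"]:
        return "MISMATCH"  # firewall would hold a different cert than the server
    if not info["has_private_key"]:
        return "NO_KEY"    # certificate matches but the export lacks the private key
    return "OK"

def fetch_served_cert(host, port=443):
    """Fetch the certificate the server currently presents (needs network access)."""
    return ssl.get_server_certificate((host, port))

# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates or keys.
OLD_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-old-exchange-cert")
NEW_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-renewed-exchange-cert")
CHAIN_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-intermediate-ca-cert")
KEY_BLOCK = "-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_renewal(NEW_CERT, NEW_CERT + CHAIN_CERT + KEY_BLOCK))
    print(check_renewal(NEW_CERT, OLD_CERT + KEY_BLOCK))
    print(check_renewal(NEW_CERT, NEW_CERT + CHAIN_CERT))
```

Against a live server, pass the result of `fetch_served_cert` as `served_pem` once the administrator has installed the renewed certificate.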
12-27-2024 10:18 AM
Hello,
I would first check to see if it's enabled for that traffic. Go to Policies on the top menu, then Decryption on the left menu. Check here to see if inbound inspection is enabled. It would be something like Source Zone Untrust, Destination Zone Trust. It could also be listed by IP address or object name of the Exchange server.
Hope this helps.
01-06-2025 09:40 AM
Thanks for the advice. That's a good place to check.