09-16-2019 06:09 AM - edited 09-16-2019 06:10 AM
Hello Guys ...
After enabling Decryption, I am facing issues while accessing some websites. Most of the websites are working fine, but some websites are not opening and I have to manually import the certificate of the website into Palo Alto trusted CA. Only then do the websites open. Is there a way to update Default Trusted Certificate Authority?
Some certificates I manually imported are Trustwave & DigiCert.
Appreciate response from you guys.
Thanks in advance
11-08-2019 06:56 AM - edited 11-08-2019 06:59 AM
Hmmm, sounds like your configuration is not how the feature should be implemented.
There are 2 ways to do Decryption (easy and hard).. just kidding... (SSL Forward Proxy and Inbound Inspection)
Let's talk about Inbound Inspection first....
If your company has a DMZ (example) or allows the Internet users to access servers (web server, mail server, sharepoint, etc), then with Inbound Inspection configuration (read the docs for details), you would take YOUR certs, from your web servers and put them onto the FW, so that when EXTERNAL users come to browse your DMZ/INTERNAL servers, your FW is configured to decrypt using the certs purchased by your company. (So now your web/email/ftp/sharepoint/whatever certs are on your FW)
It is a different configuration for SSL Forward Proxy.
You should NOT be using the public certs from the Internet and loading them onto your FW. (that is used for Inbound Inspection)
What you should be doing is creating a CSR (cert signing request) and having your enterprise (Domain Controller) sign the cert and put onto the FW.
Now, all of your users (who are part of the domain) will see the cert (as signed by the enterprise CA as valid).
Challenges are presented in that Firefox browsers do not easily allow GPO or SCCM to push/import this cert.
You would need to "sneakernet" the cert onto ppl's computers (via USB drive, email cert to users/put on a File Share, along with directions on how to import the cert into Firefox/Safari/Opera/3rd party browsers).
There is documentation on how to roll out Decryption, and it appears you have a great start, there is some fine tune tweaking that may need to be done.
OR.... I could be misunderstanding everything, and agreeing that there are going to be some Untrusted Cert Authorities that are not listed in the PANW firewall. If the vendor has an updated/accurate list of all trusted cert authorities, are you 100% sure that the untrusted/unknown cert is really to be trusted... make sense?
What other questions can we answer for you?
11-10-2019 02:51 PM
Earlier we faced some issues with our SSL Decryption and logged a TAC case for this.
Below are some excerpts from the case that might assist you with your query.
The "DigiCert Baltimore Root" is not available in trusted root CAs in the Palo Alto Devices as you mentioned.
I checked further and found out that "DigiCert Baltimore Root" is not even supported on:
1) Windows - I have checked using Certificate Manager on Windows PC.
2) macOS - https://support.apple.com/en-us/HT208127
3) iOS - https://support.apple.com/en-sg/HT208125
Hence, even if decryption is disabled, you would be facing the same issue as "DigiCert Baltimore Root" is not a trusted CA even in Windows or Mac.
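The comparison made by hand in the TAC excerpt above (is the issuing root in the firewall's trusted store, and is it in the OS store?) can be scripted. This is an added example, not part of the original thread: it uses the `openssl` CLI with locally generated test CAs, and it assumes each trust store is available as a PEM bundle; the names `RootA`/`RootB`/`RootC`, the store file names and the `classify` helper are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed lab: every CA and certificate here is generated locally as test data.
work=$(mktemp -d)

# new_root NAME: self-signed test root CA written to $work/NAME.pem
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# new_leaf NAME ROOT: server certificate NAME issued by test root ROOT
new_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
    -CAcreateserial -days 1 -out "$work/$1.pem" 2>/dev/null
}

# trusted_by STORE CERT: succeeds if CERT verifies against the roots in STORE
# (-no-CApath skips the system CA directory)
trusted_by() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify CERT FW_STORE OS_STORE: triage for a site the decrypting firewall rejects
classify() {
  if trusted_by "$2" "$1"; then echo "trusted-by-firewall"
  elif trusted_by "$3" "$1"; then echo "root-missing-on-firewall"  # review, then consider import
  else echo "untrusted-everywhere"            # would fail even with decryption disabled
  fi
}

new_root RootA; new_root RootB; new_root RootC
new_leaf site-a RootA; new_leaf site-b RootB; new_leaf site-c RootC
cp "$work/RootA.pem" "$work/fw-store.pem"                       # firewall trusts RootA only
cat "$work/RootA.pem" "$work/RootB.pem" > "$work/os-store.pem"  # OS trusts RootA and RootB

for s in site-a site-b site-c; do
  printf '%s: %s\n' "$s" \
    "$(classify "$work/$s.pem" "$work/fw-store.pem" "$work/os-store.pem")"
done
```

Only the `root-missing-on-firewall` case is a candidate for adding a CA to the firewall's trusted list; `untrusted-everywhere` matches the situation described in the excerpt, where the root is absent from the OS stores as well.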