Forward traffic inspection in Palo Alto


L4 Transporter

Palo Alto and Fortinet are configured as internet edge firewalls.

Dual layers FA Internet ---- Palo Alto ------- Fortigate -------- Trust zone.

 

Outbound traffic is SSL inspected by a Fortinet firewall and the firewall acts as a forward proxy.  All users are using Fortigate certificates in browser-trusted location.

 

Palo Alto is configured before FortiGate, and now Palo Alto needs to further inspect the SSL traffic that comes from Fortinet.

 

In the above case, what can we do to establish trust from Palo to Forti? Can I generate the CA certificate from Palo Alto and install it in FortiGate, so that the traffic is further inspected in Palo Alto? Or do I need to configure SSL forward proxy and generate the intermediate certificate from Palo Alto and install it in FortiGate?

Cyber Elite

@Mohammed_Yasin,

Wait a minute, you're performing SSL inspection on both boxes? That would have a fairly noticeable performance hit, and you would have little to gain inspecting the traffic again on the Fortigate firewall when it's already being inspected by your PAN firewalls. Statistics-wise, you are inspecting that traffic with a product which is continuously rated higher for malicious traffic detection prior to sending it for additional inspection by an inferior signature engine.

 

You're going to need to install whatever certificate you are using on both firewalls. The PAN is going to need to trust the Fortigate CA and the Fortigate is going to need to trust the PAN. In all honesty though, this isn't something I would even attempt to get to work. Pick one box to perform inspection on, and turn the other SSL Inspection engine off. I would personally recommend keeping decryption enabled on the PAN and disabling decryption on the Fortigate, but you should only have one enabled.

Thank you for your explanation and cooperation.

My actual question:

  • The outbound traffic goes from the inside to the internet (the end user is using FortiGate certificates in the browser-trusted location).
  • Currently, Fortinet is doing the SSL inspection and acts as a forward proxy for the user internet traffic.
  • Palo Alto is a perimeter firewall that acts as transparent for the Fortinet-inspected traffic (meaning the current PA doesn't inspect the received traffic; it just forwards the traffic received from the Fortinet firewall).

 

My expectation: users bring the Fortinet certificate to browse the trusted sites.

  • The Palo Alto should inspect the SSL traffic too, whatever comes from the Fortinet firewall.
  • That means users bring the Fortinet certificate from the trust LAN to browse the internet, the Fortinet firewall performs the SSL inspection as the first stage, and then it is forwarded to the PA for SSL inspection as a second stage.

 

In short, I am looking for Palo Alto to do the SSL inspection with the Fortinet certificate on traffic which is already inspected by the Fortinet FW.

 

Please advise me: is it achievable, and is it the right way to do inspection with both boxes?

Hello,

I have always been a big believer in keeping things simple. Yes, your traffic will take a hit due to the two layers of decryption. However, there is no need, with a properly configured Palo Alto, to have another firewall inline. That said, the users' machines are the ones that need to trust the certificates of the traffic that is being decrypted.

 

Regards,

L3 Networker

Hello,

 

Maybe, decryption broker option can be helpful.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-broker
