Forward traffic inspection in Palo alto

Reply
Highlighted
L3 Networker

Forward traffic inspection in Palo alto

Palo Alto and Fortinet are configured as internet edge firewalls.

Dual layers FA Internet ---- Palo Alto ------- Fortigate -------- Trust zone.

 

Outbound traffic is SSL inspected by a Fortinet firewall and the firewall acts as a forward proxy.  All users are using Fortigate certificates in browser-trusted location.

 

Palo alto is configured before FortiGate,

Now Palo alto further inspected the SSL traffic which is coming from Fortinet.

 

In the above case, what can we do to establish the trust from Palo to Forti? Or can I generate the CA certificate from Palo alto and install in Fortigate in this way traffic further inspected in Palo alto? Or do you need to configure SSL forward proxy and generate the intermediate certificate from Palo alto and install it in FortiGate?

Highlighted
Cyber Elite

@Mohammed_Yasin,

Wait a minute, you're performing SSL inspection on both boxes? That would have a fairly noticeable performance hit, and you would have little to gain inspecting the traffic again on the Fortigate firewall when it's already being inspecting by your PAN firewalls. Statistics wise, you are inspecting that traffic with a product which is continuously rated higher for malicious traffic detection prior to sending it for additional inspection by an inferior signature engine. 

 

You're going to need to install whatever certificate you are using on both firewalls, on both firewalls. The PAN is going to need to trust the Fortigate CA and the Fortigate is going to need to trust the PAN. In all honesty though, this isn't something I would even attempt to get to work. Pick one box to perform inspection on, and turn the other SSL Inspection engine off. I would personally recommend keeping decryption enabled on the PAN and disabling decryption on the Fortigate, but you should only have one enabled. 

Highlighted
L3 Networker

Thank you for your explanation and cooperation
 
My actual question,

  • The outbound traffic from the Inside to the internet (the end-user is using FortiGate certificates in browser-trusted location) 
  • currently, Fortinet is doing the SSL Inspection and acts as a forward proxy for the user internet traffic.
  • Palo alto as a parameter firewall that acts as transparent for the Fortinet inspected Traffics (means current PA doesn’t Inspect the received traffic it’s just forward the received traffic from Fortinet firewall. )

 

My Expectation, as users, brings the Fortinet certificate to browse the trusted sites.

  • The Palo alto to inspect the SSL traffic too, whichever comes from Fortinet firewall,
  • That means users bring the Fortinet certificate from the trust LAN to browse the internet and the Fortinet firewalls perform the SSL Inspection as the first stage level, then it's forward to PA for SSL inspection as a second stage.

 

In short, I am looking for that, Palo alto to do the SSL inspection with the Fortinet certificate which is already inspecting by the Fortinet FW.

 

Please advise me... its achievable or its the right way to do inspection with box.

Highlighted
Cyber Elite

Hello,

I have always been a big believer in keeping things simple. Yes your traffic will take a hit due to the two layers of decryption. However

 there is no need with a properly configured Palo Alto to have another firewall inline. That said, the users machines are the ones that need to trust the certificates of the traffic that is being decrypted.

 

Regards,

Highlighted
L2 Linker

Hello,

 

Maybe, decryption broker option can be helpful.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-broker 

UP
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!