Palo Alto and Fortinet are configured as internet edge firewalls.
Dual layers FA Internet ---- Palo Alto ------- Fortigate -------- Trust zone.
Outbound traffic is SSL inspected by a Fortinet firewall and the firewall acts as a forward proxy. All users are using Fortigate certificates in browser-trusted location.
Palo alto is configured before FortiGate,
Now Palo alto further inspected the SSL traffic which is coming from Fortinet.
In the above case, what can we do to establish the trust from Palo to Forti? Or can I generate the CA certificate from Palo alto and install in Fortigate in this way traffic further inspected in Palo alto? Or do you need to configure SSL forward proxy and generate the intermediate certificate from Palo alto and install it in FortiGate?
Wait a minute, you're performing SSL inspection on both boxes? That would have a fairly noticeable performance hit, and you would have little to gain inspecting the traffic again on the Fortigate firewall when it's already being inspecting by your PAN firewalls. Statistics wise, you are inspecting that traffic with a product which is continuously rated higher for malicious traffic detection prior to sending it for additional inspection by an inferior signature engine.
You're going to need to install whatever certificate you are using on both firewalls, on both firewalls. The PAN is going to need to trust the Fortigate CA and the Fortigate is going to need to trust the PAN. In all honesty though, this isn't something I would even attempt to get to work. Pick one box to perform inspection on, and turn the other SSL Inspection engine off. I would personally recommend keeping decryption enabled on the PAN and disabling decryption on the Fortigate, but you should only have one enabled.
Thank you for your explanation and cooperation
My actual question,
My Expectation, as users, brings the Fortinet certificate to browse the trusted sites.
In short, I am looking for that, Palo alto to do the SSL inspection with the Fortinet certificate which is already inspecting by the Fortinet FW.
Please advise me... its achievable or its the right way to do inspection with box.
I have always been a big believer in keeping things simple. Yes your traffic will take a hit due to the two layers of decryption. However
there is no need with a properly configured Palo Alto to have another firewall inline. That said, the users machines are the ones that need to trust the certificates of the traffic that is being decrypted.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!