02-21-2017 03:27 AM
Hi,
We're having some issues with the Intermidiate certificate that we're using in one of our servers when trying to connect to it passing trough your firewall (installed in our client's system).
Our certificate provider is GeoTrust Inc. and I've been reading that there may be some problems with your firewall when using it.
Since only 2 users from our client will be connecting to this server; is there a way to generate this certificates manually and install them on their computers?
Any help will be greatly appreciated because I'm a little out of my depth here.
Kind Regards, Guillermo.
02-23-2017 03:38 AM - edited 02-23-2017 03:40 AM
I am a bit confused about your setup/requirements but generally, Palo (when doing decryption) will forward trust and untrust certs to the client. This video helped me to understand same as community:-) Do you have that server available on Internet, if yes this website will help you to check server ssl cert and much more:
https://www.ssllabs.com/ssltest/
02-21-2017 06:12 AM
What type of connection is the PA brokering for your server?
Is the PA performing decryption on your traffic?
02-21-2017 06:16 AM - edited 02-21-2017 06:57 AM
If no decryption implemented Palo wouldn't care about the SSL traffic and the cert used by clien/server as @pulukas mentioned. If you do have a decryption then this post might help you:
02-21-2017 06:53 AM
I just forwarded those 2 questions to our client.
As soon as I get a reply, I'll Post here.
Thank you so much for your help!
02-21-2017 06:55 AM
Than you for the link!
I still don't know about the decryption (waiting on response from client), but I'm gonna check it out just in case.
Than so much you for the response !
02-23-2017 01:26 AM
Hi,
I just got an answer, apparently PA is performing ssl decryption for my client. PA manages the firewall.
I've also been told that whitelisting this certificate "wouldn't be a good idea" so that's not an option to me.
Any ideas on how to proceed?
Thanks in advance.
02-23-2017 03:38 AM - edited 02-23-2017 03:40 AM
I am a bit confused about your setup/requirements but generally, Palo (when doing decryption) will forward trust and untrust certs to the client. This video helped me to understand same as community:-) Do you have that server available on Internet, if yes this website will help you to check server ssl cert and much more:
https://www.ssllabs.com/ssltest/
02-23-2017 07:21 AM - edited 02-23-2017 07:22 AM
Thank you so much!!
I checked our server with the website you linked and it came up with tons of warning messages.
TLS 1.2 -> NO
TLS 1.1 -> NO
TLS 1.0 -> Yes
SSL 3 INSERCURE -> Yes --> I Think this may be it
SSL 2 -> NO
I'll forward the full report to our server provider to see what can be done.
Thank you so much for your help.
02-23-2017 07:26 AM - edited 02-23-2017 07:27 AM
Looks like you need to fix the server certificate and/or exclude it from the decryption.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
