05-24-2012 07:25 AM
Hi guys,
The vulnerability protection is a really nice feature of the PA. If the PA is able to take a look at the traffic, this should work fine.
But how does it work if the web server in the DMZ only accepts HTTPS connections? So the possible attacker connects with HTTPS to the web server.
I guess I need to terminate the SSL tunnel at the PA to be able to use the vulnerability protection in this case?
Many thanks,
Christian
05-24-2012 11:50 AM
Yes, you need to enable SSL termination in your PA device in order to inspect the encrypted HTTPS traffic.
SSL termination can work in (currently) two modes:
SSL-proxy or SSL-intercept (if I remember correctly).
SSL-proxy is mostly used when you have a bunch of clients you wish to protect (like against bad things on the Internet). The clients will then have the cert the PA uses for termination as a trusted CA and accept that the HTTPS is made up by the PA instead of the real server.
SSL-proxy will set up one SSL session from the PA to the destination and one SSL session from the PA to the client.
SSL-intercept is mostly used when you have one (or more) servers which you wish to protect against (for example) bad things from the Internet. In this case you have the private key of the server and can import this to your PA device.
SSL-intercept will then be able to sniff the traffic, but the client will have its session directly with the server.
05-25-2012 05:06 AM
The name is "SSL Inbound Inspection". Many thanks for your hints, which directed me in this direction!
07-05-2012 04:03 PM
I am wanting to do this. So I assume I upload certs and keys for our web servers to the FW. What do you do if there is an intermediate cert for those certs? Do you upload that as well? Thanks.
07-06-2012 05:12 AM
I don't think you need to upload the intermediate or CA certs, because they are only used to verify the SSL. The PA doesn't verify the SSL when you do SSL inbound inspection; it will just sit there and sniff the SSL traffic and decrypt it using the server key.
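As an added example that is not part of this thread: a POSIX shell check, using only openssl, that the private key you are about to import for SSL Inbound Inspection actually pairs with the server's leaf certificate. It compares the public key embedded in the certificate with the one derived from the private key; a mismatch means the firewall could not decrypt that server's sessions with this key. The file names and the self-signed test certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto): verify that a
# server private key belongs to the leaf certificate before uploading the
# pair to the firewall for SSL Inbound Inspection. Only openssl is used.
set -e

# key_matches_cert KEY.pem CERT.pem
#   exit status 0 when the SubjectPublicKeyInfo derived from the private
#   key equals the one carried in the certificate, non-zero otherwise.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed test material: two throwaway self-signed certificates in a
# temporary directory, standing in for the real DMZ web server's key/cert.
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=dmz-web.example" \
  -keyout "$workdir/web.key" -out "$workdir/web.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=other.example" \
  -keyout "$workdir/other.key" -out "$workdir/other.crt" >/dev/null 2>&1

# Report the result for the matching pair and for a wrong key.
if key_matches_cert "$workdir/web.key" "$workdir/web.crt"; then
  echo "web.key matches web.crt: safe to import as a pair"
fi
if ! key_matches_cert "$workdir/other.key" "$workdir/web.crt"; then
  echo "other.key does NOT match web.crt: do not import this pair"
fi
```

Run it against your real files by calling `key_matches_cert server.key server.crt`; the intermediate chain is not needed for this pairing check.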