How to protect an https webserver in the dmz with vulnerability protection?


L1 Bithead

Hi guys,

The vulnerability protection is a really nice feature of the PA. If the PA is able to take a look at the traffic, this should work fine.

But how does it work if the webserver in the dmz only accepts https connections? So the possible attacker connects with https to the webserver.

I guess I need to terminate the ssl tunnel at the PA to be able to use the vulnerability protection in this case?

Many thanks,

Christian

Accepted Solutions

L6 Presenter

Yes, you need to enable SSL termination in your PA device in order to inspect the encrypted https traffic.

SSL termination can work in (currently) two modes:

SSL-proxy or SSL-intercept (if I remember correctly).

SSL-proxy is mostly used when you have a bunch of clients you wish to protect (like against bad things on the Internet). The clients will then have the cert the PA will use for termination as a trusted CA and accept that the https is made up by the PA instead of the real server.

SSL-proxy will set up one SSL session from PA to destination and one SSL from PA to client.

SSL-intercept is mostly used when you have one (or more) servers which you wish to protect against (for example) bad things from the Internet. In this case you have the private key of the server and can import this to your PA device.

SSL-intercept will then be able to sniff the traffic but the client will have its session directly with the server.

The name is "SSL Inbound Inspection" :) ... many thanks for your hints which directed me in this direction!

L3 Networker

I am wanting to do this. So I assume I upload certs and keys for our web servers to the FW. What do you do if there is an intermediate cert for those certs? Do you upload that as well? Thanks.

I don't think you need to upload the intermediate or CA certs because they are only used to verify the ssl. The PA doesn't verify the ssl when you do ssl inbound inspection - it will just sit there and sniff the ssl traffic and decrypt it using the server key.
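
Since the thread's approach depends on importing the web server's certificate and private key, a pre-import check that the two files actually belong together is useful. The script below is an added example, not part of the original posts; it uses the OpenSSL command line, and the file names, the `KEY_PASS` variable and the hostname `web.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a PEM certificate and private key form a pair
# before importing them for inbound inspection.

# Returns 0 if the key matches the certificate, 1 if it does not,
# 2 if either file cannot be read or parsed.
key_matches_cert() {
    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key; KEY_PASS (assumed variable
    # name) supplies the passphrase if the key file is encrypted.
    key_pub=$(openssl pkey -in "$2" -passin "pass:${KEY_PASS:-}" \
        -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build constructed sample material in directory $1:
# web.crt/web.key are a matching pair, other.key is unrelated.
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=web.example.test" \
        -keyout "$1/web.key" -out "$1/web.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Run "sh script.sh demo" to see both outcomes on the sample material.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_sample_material "$dir"
    for key in web.key other.key; do
        if key_matches_cert "$dir/web.crt" "$dir/$key"; then
            echo "$key: matches web.crt"
        else
            echo "$key: does NOT match web.crt"
        fi
    done
    rm -rf "$dir"
fi
```
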
