08-11-2020 01:41 PM - edited 08-11-2020 01:47 PM
I have a problem!!, I'm implementing SSL Forward Proxy, all the guides say I have to install the certificate in all the clients, isn't there an alternative to this? I have a lot of visitors and I shouldn't have to install a certificate.
I used to have pfSense and this made it transparent.
PanOS 9.1
08-11-2020 02:11 PM
Active Directory and use the CA to issue subordinate CA that the firewall uses, all domain joined machines will trust it. Doesn't work for your guests, you'll have to have a portal for them to get the certificate so they will trust your firewall. Otherwise it looks like a man-in-the-middle attack to the end user machine.
Global Protect client (again you own or at least manage the machine) can also push a certificate to the local store.
08-11-2020 02:08 PM
Installing a Certificate generated on the Palo Alto Networks device is a required step, otherwise the clients will get error messages when trying to browse out to the internet as the Firewall will be using that Certificate to re-encrypt the data, and if that certificate is not installed on the client machine, it will not work.
I cannot comment on how pfSense works.
08-11-2020 02:11 PM
Active Directory and use the CA to issue subordinate CA that the firewall uses, all domain joined machines will trust it. Doesn't work for your guests, you'll have to have a portal for them to get the certificate so they will trust your firewall. Otherwise it looks like a man-in-the-middle attack to the end user machine.
Global Protect client (again you own or at least manage the machine) can also push a certificate to the local store.
08-11-2020 02:19 PM
Very good point. You can use an Internal CA for that, as long as the firewall uses that Subordinate CA, then that should work without installing certificates on client machines.
Also about GP Client.. good one.
08-12-2020 12:08 AM
hi @aaltamirano
The installation of the certificate is required to avoid certificate warnings in the browsers. For visitors I know this could be complicated. But when you do require to decrypt also this traffic there is no way without this step. You could configure captive portal where you would write some information for the visitors about how to do this.
Also with pfsense, cryptographically there is no way to implement TLS decryption "transparently" without this step (except when you have the power of CIA, NSA or some other intelligence agency - but also if they do this with an official CA certificate I would assume they will get caught pretty fast).
For basic URL filtering you do not have to install the certificate on the clients as the firewall sees the domainname in cleartext in the TLS handshake when a client connects to a https website.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
