Implementing SSL Forward Proxy


Implementing SSL Forward Proxy

L0 Member

I have a problem! I'm implementing SSL Forward Proxy, and all the guides say I have to install the certificate on all the clients. Isn't there an alternative to this? I have a lot of visitors and I shouldn't have to install a certificate.

I used to have pfSense and this made it transparent.


PanOS 9.1

4 replies

L7 Applicator

Installing a certificate generated on the Palo Alto Networks device is a required step; otherwise the clients will get error messages when trying to browse out to the internet, as the firewall will be using that certificate to re-encrypt the data, and if that certificate is not installed on the client machine, it will not work.

I cannot comment on how pfSense works.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L2 Linker

Active Directory and use the CA to issue a subordinate CA that the firewall uses; all domain-joined machines will trust it. Doesn't work for your guests, you'll have to have a portal for them to get the certificate so they will trust your firewall. Otherwise it looks like a man-in-the-middle attack to the end user machine.


Global Protect client (again you own or at least manage the machine) can also push a certificate to the local store.

@GlennSJ 

Very good point. You can use an Internal CA for that, as long as the firewall uses that Subordinate CA, then that should work without installing certificates on client machines.

Also about GP Client.. good one.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L7 Applicator

hi @aaltamirano 

The installation of the certificate is required to avoid certificate warnings in the browsers. For visitors I know this could be complicated. But when you do require to decrypt also this traffic there is no way without this step. You could configure captive portal where you would write some information for the visitors about how to do this.

Also with pfSense, cryptographically there is no way to implement TLS decryption "transparently" without this step (except when you have the power of the CIA, NSA or some other intelligence agency, but also if they do this with an official CA certificate I would assume they will get caught pretty fast).

For basic URL filtering you do not have to install the certificate on the clients, as the firewall sees the domain name in cleartext in the TLS handshake when a client connects to an HTTPS website.

  • 1 accepted solution
  • 3825 Views
  • 4 replies
  • 0 Likes