Palo alto HTTPS decryption?
Showing results for 
Search instead for 
Did you mean: 

Palo alto HTTPS decryption?

L2 Linker

Hi all,


I am using PA-850. I configure to decrypt HTTPS, and use AD group policy to install certificates on client, it works well with AD users. but we have other situation that client is not AD users. do we have any ways to redirect client to the URL if client is not trusted certificates with firewall? then they must install the certificate if they want to install the internet.





L2 Linker

Not that I'm aware of.  If these are non-AD-joined, you probably won't have User-ID learned.  If your AD computers are in User-ID OK, you could potentially use a custom captive portal to indicate you need to trust a certificate...but I'd usually plan on captive portals over SSL too, so I'm not certain that will help unless you get a publicly trusted certificate issued for the captive portal, just to point them to a page where they can install/trust your CA certificate (which feels a little kludgy to me, but maybe could work in your situation.)

I don't know of an elegant way to distribute the certificates from within the Palo Alto framework.  I'm used to distributing those through other means of endpoint management.  Even in Windows AD-joined environments, you still need system endpoint management to get certain browsers (e.g. Firefox) or the keystores for Java JRE's to trust your CA.  The firewall is not the best approach to do this distribution, IMHO.

L2 Linker



There is no simple solution to this issuer.

The first thing you should consider is not having 3rd party computers on your trusted network. Typically machines that are not part of your domain are not corporate assets and should be restricted to a guest network, and the guest network will not have SSL decrytion. If this 3rd party needs access to an internal resource, there are VDI solutions from companies like Citrix and vmware. So the 3rd party would connect to the guest network, then access a VDI which has all the certificates and access they would need.


There are also onboarding technologies that can push a trusted root certificate to a machine that is not part of the domain. 

You can also look at a NAC solution that will determine if the machine is a corporate asset or not. If it is a corporate asset, it gets put into vlan X and SSL decryption applies to vlan X. If not a coporate asset, it gets put into vlan Y which doesn't have ssl decryption.

Hi Mrzepa2,


I configured one VLAN for guest that client is non-AD-users. and configured without SSL decryption for that VLAN, then client could go internet without SSL errors. but if we do like that, we couldnot monitor if client go to https website.  so we are thinking about the other soluction for this.


could you please give me some more information about "There are also onboarding technologies that can push a trusted root certificate to a machine that is not part of the domain."

@Chivas wrote:

Hi Mrzepa2,


we couldnot monitor if client go to https website.

Are you talking here about antivirus/vulnerability scanning or would URL filtering be enough? If URL filtering is enough, then URL filtering is still possible without decryption based on the domainname.

yes, I am talking about virus, malware,.. if the client download the file from https, then palo alto could not detect it.




You may want to look into producrts like ForeScout's CounterAct or Aruba Clearpass to deal with 3rd party machines. These are both NAC solutions so they are going to be a lot more involved to set up. But I still say the best solution is to not allow 3rd party machines onto your internal network for the exact reason you are giving. Besides the SSL decryption issue, how do you know they have malware protection installed? Or how do you know if their system is properly patched? The best solution is to isolate them into a guest security zone, and then you don't have to worry about SSL decryption for 3rd party devices.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!