we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).
But only the
"Trusted Root CA"
is available in the "Certificate Information"
the option "Forward Trust Certificate" is gray and not available.
But that the function what we need.
We will check upload traffic to the servers in the trust lan of the paloalto
System: PaloAlto 500 v5.0.6
Anyone knows this problem.
Info: when we make a self signed CA we can choose the option "Trusted Root CA".
Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.
Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for bankofamerica.com on firewall. Now a.cert will sign a certificate for bankofamerica.com and forwards it to user.
Only self signed cert and subordinate cert has this capability to sign another certificate.
As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.
thanks for the two answers, thats help to understand how it works in the firewall.
Now we have make a self signed Root CA and a decrypt like this doc:
but it doesnt work. We want to make Inbound SSL decryption!
The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).
And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.
trusted-root-CA [ int_test_com int_test];
not-valid-before "Aug 27 14:16:26 2014 GMT";
issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";
not-valid-after "Aug 27 14:16:26 2015 GMT";
subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";
public-key "-----BEGIN CERTIFICATE-----
application [ ssl web-browsing];
service [ service-http service-https];
In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.
Configuration looks good, can I get same configuration in GUI format.
1. Provide certificat in GUI
2. Provide Decryption policy in GUI
3. Provide Traffic log in GUI, which says its not decrypted.
when we import the server certificate, no CA flag is set and we dont can choose "Forward .... Certificate" and "Trusted Root CA" in the informations.
Thats a Certificate from Verisign. And wehn we load any other public root certficates from Verisign and import this ones, its the same....
For what you need it in GUI Format, its the same informations as about cli.
Anyone a Idee?
Actually its pretty simple configuration and work for most of the customer.
Most likely this is issue with the Certificate provided by Verisign. Verisign will not provide root certificate, they will provide sub-ordinate certificate. Make sure that sub-ordinate certificate has private key. If certificate matches this condition, you should be able to select "Trust/untrsuted Forward" Parameters.
For Self Signed Cert Follow bellow mentioned two steps. and it will work.
That should work just fine.
now we have made a self signed certificate from the firewall, thats not working.
For the test we have change the Server cert in a self signed too.
We don´ see any encrypted packets. (in the traffic log or in the cli like: How to View SSL Decryption Information from the CLI
We have make all the steps for inbound ssl decrypt from: How to Implement SSL Decryption
but it doesnt works.
Any special thinks what we must do in the decryption and security policies?
Or any other points we must do? enabling decryption on a single tab or so?
Does server uses certificate SSL_Test?
Most likely answer is NO, thats why inbound SSL decryption is not working.
You are supposed to upload same certificate to firewall which is used by server. If you dont get option for "Forward Trust/Untrust" than its fine.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!