we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).
But only the
"Trusted Root CA"
is available in the "Certificate Information"
the option "Forward Trust Certificate" is gray and not available.
But that the function what we need.
We will check upload traffic to the servers in the trust lan of the paloalto
System: PaloAlto 500 v5.0.6
Anyone knows this problem.
Info: when we make a self signed CA we can choose the option "Trusted Root CA".
Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.
Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for bankofamerica.com on firewall. Now a.cert will sign a certificate for bankofamerica.com and forwards it to user.
Only self signed cert and subordinate cert has this capability to sign another certificate.
As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.
thanks for the two answers, thats help to understand how it works in the firewall.
Now we have make a self signed Root CA and a decrypt like this doc:
but it doesnt work. We want to make Inbound SSL decryption!
The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).
And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.
trusted-root-CA [ int_test_com int_test];
not-valid-before "Aug 27 14:16:26 2014 GMT";
issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";
not-valid-after "Aug 27 14:16:26 2015 GMT";
subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";
public-key "-----BEGIN CERTIFICATE-----
application [ ssl web-browsing];
service [ service-http service-https];
In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.
Configuration looks good, can I get same configuration in GUI format.
1. Provide certificat in GUI
2. Provide Decryption policy in GUI
3. Provide Traffic log in GUI, which says its not decrypted.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!