03-20-2014 11:35 AM
Hi,
I see the Palo Alto firewalls can do SSL decryption inbound and outbound in order to inspect the contents for threats. Is there an advantage to doing this on the Palo firewall as opposed to the IronPort web proxy?
It looks to me like a good idea to do outbound SSL on the proxy, as that would see the traffic first, but inbound SSL to our servers on the firewall?
Thanks for any opinions,
Steve.
03-20-2014 12:11 PM
Hello sworton,
The discussion here comes down to 2 points:
1> Where to do the proxy task
2> Which direction we are addressing, i.e. client to server (c2s) or server to client (s2c)
If we do the outbound traffic decryption on the proxy and not on the firewall, then all the traffic originating from the inside network going to the outside network is not decrypted to see the underlying threat or identify the apps. So there is no visibility on the firewall.
If the traffic originates from outside, then that holds good for the inbound decryption on the PAN, which takes care of it as said above, and you are fine for this direction.
So it all depends on where the traffic originates from the firewall's point of view, that is, the inside network or outside, and whether we should decrypt that traffic. If it is to be seen in both directions, then both inbound and outbound decryption should be done.
Thanks