02-15-2022 06:39 AM
I am rolling out SSL Decryption for the wired subnets at my office. It's working great for the users since their laptops and devices are on the domain and trust our private CA which is used as the forward-trust cert. I'm running into issues with other devices plugged into the network like copiers, printers, smart TV's. These devices are on the wired network and connect outbound to the internet, but do not trust the forward-trust cert as we can not install the cert on these devices. When these IoT type devices connect outbound for whatever reason they get an error since they don't trust the forward-trust cert, which is our private CA.
It seems like the options are below:
Use a public CA as the forward trust cert which these devices should already trust
Exclude these non-domain devices by source-ip address in the decryption policy
Move these devices to a separate subnet that is excluded in the decryption policy.
Is there a setting in the Palo that says " If client does NOT trust forward-trust cert, then Do Not Decrypt?" This would really help as I'd rather have encrypted traffic on my network then break devices throughout the building.
Thanks for your help with this.
02-15-2022 07:21 AM
Hi @thompso104,
"Use a public CA as the forward trust cert which these devices should already trust" - this is very common misundertanding that I a met quite often... You cannot use public CA for forwarding trust certificate.
For Forwarding Trust Cert to work, you need the private key for that certificate. No public CA will give you their keys, because there will be nothing that can stop you and start signing certificates left and right from their behalf.
Unfortunately the only possible solution in a nutshell is to exclude the traffic from those devices from decryption.
There countless posible ways to do it, but it up to you and your environment to choose the best one.
"Is there a setting in the Palo that says " If client does NOT trust forward-trust cert, then Do Not Decrypt?"" - even if there is such configuration, it will make the whole decryption pointless. Nothing can stop your users to delete your internal CA and bypass the decryption. It doesn't make lot of sense to have such configuration.
02-15-2022 07:21 AM
Hi @thompso104,
"Use a public CA as the forward trust cert which these devices should already trust" - this is very common misundertanding that I a met quite often... You cannot use public CA for forwarding trust certificate.
For Forwarding Trust Cert to work, you need the private key for that certificate. No public CA will give you their keys, because there will be nothing that can stop you and start signing certificates left and right from their behalf.
Unfortunately the only possible solution in a nutshell is to exclude the traffic from those devices from decryption.
There countless posible ways to do it, but it up to you and your environment to choose the best one.
"Is there a setting in the Palo that says " If client does NOT trust forward-trust cert, then Do Not Decrypt?"" - even if there is such configuration, it will make the whole decryption pointless. Nothing can stop your users to delete your internal CA and bypass the decryption. It doesn't make lot of sense to have such configuration.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
