I turned on TLS (let's start calling it what it is) decryption for our IT personnel only a couple of years ago. It was considered a pilot and I always planned to work with our legal department to craft a policy and start rolling it out to the broader organization; however, it seems like every time I get ready to do that, one of our IT users reports a website that is blocked by the PAN NGFW (running PAN-OS 6.1.10) due to a certificate issue where the status is "untrusted".
In 100% of these cases, the certificate is untrusted because the web server hosting the site in question doesn't have the intermediate certificate installed and it is impossible to reach the site unless I exclude if from decryption.
Sure, I could just mark the site as excluded from decryption but I tend to try to get the external organization to fix the problem. This has been a huge burden. Despite the fact that I bundle significant evidence of the issue from publicly available TLS testing tools that clearly explain the issue, most external organizations are initially incredulous that they have a configuration problem. It's the same thing every time: they say we are the only ones reporting any sort of access issue and that it must be something on our side. It can be several weeks of back and forth before they finally understand the issue and fix it. In some cases, they simply refuse to fix it or I can't successfully navigate their support organization to get to someone who understands the issue and has the power to do anything about it.
I can't imagine what it would be like if I ended up rolling TLS decryption out to the entire organization. How many of these issues would our users encounter on a daily basis? How many painful discussions would I need to have with first level support personnel telling me reboot my computer and clear cookies followed painful discussions with IT managers or systems people that say no one else has the problem but us?
What is your experience in rolling out TLS decryption to a wide user base and dealing with third party web servers missing the intermediate certificate? Do I have something configured incorrectly that is causing me all of this grief?
In general - yes, reasonable sites should have proper and trusted certificate warning. You can probably play around with decryption policies and create a list of sites (with URL category) which should be accessed by users, but uses untrusted cert and, when they are passing via Palo, resign them with your trusted CA. That way users will still be able to access these sites, they will not have cert warning and you will control the list of such a sites.
Browser vs Palo thing - I guess it imay be a matter of trusted CA list. Device -> Certificates -> Default Trusted Certificate Authorities. They probably differ, so that may impact the result.
No, that's incorrect. PAN-OS trusts the root certificates but, unlike how browsers handle the situation, it doesn't trust the host certificate unless the host also has the intermediate certificate installed.
For such sites, users not being decrypted do not experience any certificate warning at all because their browsers process the certificate chain differently (I believe they use a different mechanism to acquire the missing intermediate certificate).
The challenge is how PAN-OS handles the missing intermediate certificate vs. how browsers handle it.
6 years on and this is still an issue - while the server owner should be responsible for serving the intermediate cert, most modern browsers find missing certs from the AIA extension (https://www.rfc-editor.org/rfc/rfc5280#section-220.127.116.11) making broken chains transparent to end users.
In 2022, a PAN-OS 10.1 device with TLS decryption will still not trust a broken chain making the user experience resulting in sites that were previously verified and trusted being inaccessible to users without either creating exceptions or installing intermediate certs in PAN-OS. Or forcing the server owner to fix it. Neither of which anyone wants to manage.
PAN-OS needs to provide the option to fetch intermediates in the same manner it does CRLs (from certificate extensions) and use the CRL service route.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!