This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Inbound Decryption and PA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Inbound Decryption and PA

MP18
Cyber Elite
Cyber Elite

‎04-18-2020 09:50 PM - edited ‎04-18-2020 10:56 PM

Hi Everyone,

 

Learned something new from you today.

We are going to enable SSL decryption for Inbound traffic coming from Internet to our web servers.

Need to know when does PA intercept the traffic coming form Internet  to the web server which is hosting the website?

 

During 3 way TCP handshake or when first Data packet comes?

 

Regards

MP

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎04-18-2020 10:31 PM

This is one of my favorite questions, because the answer is truly that it depends on the type of connection.

 

For RSA keys, the firewall is able to inspect the traffic without terminating the connection. As the connection crosses the firewall it's going to make a copy of the session and decrypt it so the firewall can apply the appropriate policy to the traffic. 

 

For PFS keys using DHE or ECDHE, the firewall has to proxy the connection between the client and the server. Due to the way the key is generated, we can't transparently sit in that connection even with the certificate and the private key installed. So the firewall is going to create a connection from the client to the firewall, and the firewall to the server to proxy that connection. 

MP18
Cyber Elite
Cyber Elite
In response to BPry

‎04-18-2020 10:54 PM

 

Hi Bpry,

 

If the Connection is using RSA keys then we should not see checked decrypted flag under traffic logs right?

And when the connection is using DHE we should see decrypted flag checked under the traffic logs right?

 

So this way we can see if connection is RSA or DHE right?

 

Regards

MP

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

MP18
Cyber Elite
Cyber Elite
In response to BPry

‎04-20-2020 09:38 AM

Also i tested this on port 443 it  always shows traffic as decrypted.

is this default behaviour?

 

How can i check if client is using RSA ?

doing pcap on the PA

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 2215 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks