06-23-2020 11:30 AM
Might be a silly question: for inbound inspection, does the cert have to be a CA?
We use a wildcard, so that will have to be imported as a CA, correct?
06-23-2020 02:06 PM
Are there any KB articles or resources for importing a certificate for inbound SSL inspection? We do have outbound SSL inspection working with a certificate from our internal CA.
06-23-2020 02:30 PM
The thing about a Decryption Certificate is that it needs to create certificates on the fly as part of the decryption process (Man in the Middle). You cannot purchase a 3rd Party CA (Certificate Authority), as there is no way that GoDaddy or anyone else would allow you to create their SSL Certs (which is what a CA does). You either have to have an internal CA that grants a CA cert to the Firewall to use as its own (and be trusted), or use the Firewall as the CA.
Just about every SSL article that we have talks about using the built-in CA on the Firewall, but I will see if I can find any that explain the use of an External CA.
06-23-2020 02:36 PM
@jdelio Thanks for the response. Yes, all the articles and videos show a self-signed cert. But I can't use a self-signed cert for our publicly exposed websites; it has to be a cert from an external CA. Self-signed can work for outbound decryption, which we are already performing with a cert from our internal CA.
06-23-2020 02:45 PM
OK, you are talking about 2 things:
1. Outbound SSL Decryption - Where you use an Internal CA as the CA to create certs for internal users, so they natively trust the CA cert.
2. Inbound SSL Decryption - Where you have a Web server that you want the firewall to decrypt traffic on behalf of.
In the second case, you end up using the Certificate from the Web server, essentially posing AS that Web server so you can decrypt and encrypt the traffic.
So, wherever you purchased the Cert for the Web server, you would just install that certificate on the firewall and use that cert for Inbound SSL decryption. I am sure we have something on that.
06-23-2020 02:50 PM
Here is one that I created on SSL decryption:
https://live.paloaltonetworks.com/t5/tutorials/how-to-configure-ssl-decryption/ta-p/65073
Also, FYI here is the SSL Decryption resource list:
https://live.paloaltonetworks.com/t5/management-articles/ssl-decryption-resource-list/ta-p/70397
Hope this helps.
06-23-2020 09:40 PM
When setting up inbound inspection the certificate won't be a CA cert, you're just going to import the certificate and the private key. The following documentation will walk you through the setup process. Just keep in mind you'll likely want to limit the decryption rule base entry to a select test IP when getting everything setup so you don't cause any security issues on your public resource.
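The two replies above make the same point: inbound inspection uses the web server's own leaf certificate plus its private key, not a CA cert. As an added example (not from the thread and not Palo Alto Networks code), the POSIX shell script below uses the openssl CLI to run the pre-import checks a practitioner would want before loading that pair onto the firewall: the private key matches the certificate, the certificate is not a CA (no basicConstraints CA:TRUE), and the Subject Alternative Name covers the hostname being protected, applying the single-label wildcard rule (`*.example.com` covers `www.example.com` but not `a.b.example.com`). So that it runs offline, it generates throwaway self-signed test pairs in a temp directory; the file names, the `example.com` names and the hostnames are constructed assumptions, and in practice you would point the checks at the purchased certificate and its key.

```shell
#!/bin/sh
# Pre-import checks for an inbound SSL inspection certificate (added example).
# Assumes only the openssl CLI. -f disables globbing so "*.example.com" is safe.
set -euf

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway key + self-signed cert with the given basicConstraints and SAN.
# $1=basename  $2=basicConstraints value (CA:FALSE / CA:TRUE)  $3=SAN list
# Constructed test data standing in for the purchased cert and its key.
make_test_pair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=%s\nsubjectAltName=%s\n' "$2" "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Check 1: the private key's public half equals the public key inside the cert.
# $1=key file  $2=cert file
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: a leaf cert. Inbound inspection never signs certs on the fly,
# so a cert asserting CA:TRUE is the wrong object to import here.
# $1=cert file
is_leaf_cert() {
  ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# List the DNS entries of the SAN extension, one per line.
# $1=cert file
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Check 3: some SAN entry covers the hostname. A wildcard matches exactly one
# label (RFC 6125 style): *.example.com covers www.example.com, not a.b.example.com.
# $1=cert file  $2=hostname
host_matches_san() {
  host=$2
  names=$(san_dns_names "$1")
  for name in $names; do
    case "$name" in
      \*.*)
        suffix=${name#"*"}            # ".example.com"
        prefix=${host%"$suffix"}      # "www" if host ends with suffix, else unchanged
        if [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]; then
          return 0
        fi ;;
      *)
        [ "$name" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Run all three checks; returns 0 only when the pair is usable for inbound inspection.
# $1=key file  $2=cert file  $3=hostname the firewall will decrypt for
check_inbound_cert() {
  key_matches_cert "$1" "$2" || { echo "FAIL: private key does not match $2"; return 1; }
  is_leaf_cert "$2"          || { echo "FAIL: $2 is a CA cert; import the server's leaf cert instead"; return 1; }
  host_matches_san "$2" "$3" || { echo "FAIL: no SAN entry in $2 covers $3"; return 1; }
  echo "OK: $2 with its key is usable for inbound inspection of $3"
}

# Constructed inputs: a wildcard leaf cert (what you would actually import) and a CA cert.
make_test_pair server CA:FALSE 'DNS:*.example.com,DNS:example.com'
make_test_pair ca     CA:TRUE  'DNS:ca.example.com'

check_inbound_cert "$WORK/server.key" "$WORK/server.crt" www.example.com             # OK
check_inbound_cert "$WORK/server.key" "$WORK/server.crt" a.b.example.com || true     # wildcard covers one label only
check_inbound_cert "$WORK/server.key" "$WORK/ca.crt"     www.example.com || true     # key/cert mismatch
check_inbound_cert "$WORK/ca.key"     "$WORK/ca.crt"     ca.example.com  || true     # CA cert rejected
```

The wildcard case is the one the original poster hits: a `*.example.com` cert covers the public host behind the firewall only if that host is exactly one label deeper, so run the third check with the real FQDN of each server you plan to decrypt for before committing the decryption rule.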
06-24-2020 08:08 AM
Thanks for chiming in. Yes, when you are doing Inbound SSL decryption, the cert is NOT a CA.
06-24-2020 11:44 AM
@BPry and @jdelio Thanks for the inputs. I had my head stuck on the way we did outbound decryption, which was incorrect for inbound inspection.
And just FYI, I don't have access to the links shared earlier.
I used the wildcard cert now that we also use for GlobalProtect, but the first attempts are failing. I have opened a new discussion for that.
06-25-2020 07:57 AM
@raji_toor You do not have access to those articles? Do you get an error? Everyone should have access to those.
06-25-2020 01:05 PM
That is not right, especially since you are already a customer.
Please allow us to investigate why this is happening.