SSL inbound inspection cert

L4 Transporter

Might be a silly question: for inbound inspection, does the cert have to be a CA?

We use a wildcard, so that will have to be imported as a CA, correct?


Accepted Solutions
Community Team Member

@BPry 

Thanks for chiming in. Yes, when you are doing inbound SSL decryption, the cert is NOT a CA.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items!



All Replies
L4 Transporter

Are there any KB articles or resources for importing a certificate for inbound SSL inspection? We do have outbound SSL inspection working with a certificate from our internal CA.

Community Team Member

The thing about a Decryption Certificate is that it needs to create certificates on the fly as part of the decryption process (Man in the Middle). You cannot purchase a 3rd Party CA (Certificate Authority), as there is no way that GoDaddy or anyone else would allow you to create their SSL Certs (what a CA does). You either have to have an internal CA that grants a CA cert to the Firewall to use as its own (and be trusted), or use the Firewall as the CA.

Just about every SSL article that we have talks about using the built-in CA on the Firewall, but I will see if I can find any that may explain the use of an External CA.

L4 Transporter

@jdelio Thanks for the response. Yes, all articles and videos show it with a self-signed cert. But I can't use this self-signed cert for our publicly exposed websites; it has to be a cert from an external CA. Self-signed can work if it were outbound encryption, which we are already performing with a cert from our internal CA.

Community Team Member

OK, you are talking about 2 things.

1. Outbound SSL Decryption - Where you use an Internal CA as the CA to create certs for internal users so they natively trust the CA cert.

2. Inbound SSL Decryption - Where you have a Web server that you want the firewall to decrypt traffic on behalf of.

In the second case, you end up using the Certificate from the Web Server. Essentially posing AS that Web server, so you can decrypt and encrypt the traffic.

So, wherever you purchased the Cert for the Web server, you would just install that certificate on the firewall and use that cert for Inbound SSL decryption. I am sure we have something on that.

Community Team Member

Here is one that I created on SSL decryption:

https://live.paloaltonetworks.com/t5/tutorials/how-to-configure-ssl-decryption/ta-p/65073

Also, FYI, here is the SSL Decryption resource list:

https://live.paloaltonetworks.com/t5/management-articles/ssl-decryption-resource-list/ta-p/70397

Hope this helps.

Cyber Elite

@raji_toor,

When setting up inbound inspection the certificate won't be a CA cert; you're just going to import the certificate and the private key. The following documentation will walk you through the setup process. Just keep in mind you'll likely want to limit the decryption rulebase entry to a select test IP when getting everything set up so you don't cause any security issues on your public resource.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspectio...
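As an added example (my own script, not part of this thread and not a Palo Alto Networks tool), here are the pre-import checks a firewall admin would run on the PEM files before loading them for inbound inspection: tell a CA cert (what outbound decryption uses) apart from the server's leaf cert (what inbound inspection imports), confirm the private key actually belongs to the cert, and confirm the SAN covers the hostname being protected. It assumes only the openssl CLI is installed. The internal CA and the wildcard leaf cert it generates are constructed throwaway test material; "Demo Internal CA" and "*.example.com" are placeholders for your own CA and your own wildcard name.

```shell
#!/bin/sh
# Added example: classify and sanity-check a certificate before importing it
# for inbound SSL inspection. Requires the openssl CLI.
# The CA and leaf certs generated below are constructed throwaway test material;
# "Demo Internal CA" and "*.example.com" are placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- checks to run on the PEM files before importing them ---

# Returns 0 when the cert carries basicConstraints CA:TRUE (a CA cert, the kind
# outbound/forward-proxy decryption uses); returns 1 for an ordinary leaf cert.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Returns 0 when the public key embedded in the cert equals the public half of
# the private key, i.e. the key file really belongs to the cert being imported.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the given name appears verbatim as a DNS SAN entry. Wildcard
# matching is deliberately not evaluated; pass the literal "*.example.com"
# to check a wildcard cert.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}

# --- constructed test material: a throwaway internal CA and a wildcard leaf cert ---
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com, DNS:example.com
EOF

# Self-signed CA (this is what an outbound decryption profile would reference)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" \
  -extensions v3_ca -subj "/CN=Demo Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Wildcard leaf cert signed by that CA (this is what inbound inspection imports,
# together with leaf.key)
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
  -subj "/CN=*.example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.crt" 2>/dev/null

# --- report which file is which, and whether the leaf material is import-ready ---
for name in ca leaf; do
  if is_ca_cert "$WORK/$name.crt"; then
    echo "$name.crt: CA certificate -> for outbound (forward-proxy) decryption, not inbound"
  else
    echo "$name.crt: leaf certificate -> the kind inbound inspection imports"
  fi
done
if key_matches_cert "$WORK/leaf.crt" "$WORK/leaf.key" \
   && cert_covers_host "$WORK/leaf.crt" '*.example.com'; then
  echo "leaf.crt + leaf.key: key matches and SAN covers *.example.com; ready to import"
fi
```

Run it against your real files by calling the three functions with the exported server cert and key instead of the generated ones; a key-mismatch or a CA:TRUE result on the file you meant to import is the usual reason an inbound decryption rule silently fails to decrypt.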


L4 Transporter

@BPry and @jdelio Thanks for the inputs. I had my head stuck on the way we did outbound decryption, which was incorrect for inbound inspection.

And just FYI, the links shared earlier, I don't have access to them.

I used the wildcard cert now that we also use for GlobalProtect, but the first attempts are failing. I have opened a new discussion for that.

Community Team Member

@raji_toor You do not have access to those articles? Do you get an error? Everyone should have access to those.
