SSL inbound inspection cert

L4 Transporter

Might be a silly question: for inbound inspection, does the cert have to be a CA?

We use a wildcard, so that will have to be imported as a CA, correct?


Accepted Solutions
Community Team Member

Re: SSL inbound inspection cert

@BPry 

Thanks for chiming in. Yes, when you are doing inbound SSL decryption, the cert is NOT a CA.

Stay Secure,
Joe
End of line



All Replies
L4 Transporter

Re: SSL inbound inspection cert

Are there any KB articles or resources for importing a certificate for inbound SSL inspection? We do have outbound SSL inspection working with a certificate from our internal CA.

Community Team Member

Re: SSL inbound inspection cert

The thing about a Decryption Certificate is that it needs to create certificates on the fly as part of the decryption process (Man in the Middle). You cannot purchase a 3rd-party CA (Certificate Authority), as there is no way that GoDaddy or anyone else would allow you to create their SSL certs (which is what a CA does). You either have to have an internal CA that grants a CA cert to the firewall to use as its own (and be trusted), or use the firewall as the CA.

Just about every SSL article that we have talks about using the built-in CA on the firewall, but I will see if I can find any that may explain the use of an external CA.

Stay Secure,
Joe
End of line
L4 Transporter

Re: SSL inbound inspection cert

@jdelio Thanks for the response. Yes, all articles and videos show it with a self-signed cert. But I can't use this self-signed cert for our publicly exposed websites; it has to be a cert from an external CA. Self-signed can work if it is outbound decryption, which we are already performing with a cert from our internal CA.

Community Team Member

Re: SSL inbound inspection cert

OK, you are talking about 2 things.

1. Outbound SSL Decryption - Where you use an internal CA as the CA to create certs for internal users, so they natively trust the CA cert.

2. Inbound SSL Decryption - Where you have a web server that you want the firewall to decrypt traffic on behalf of.

In the second case, you end up using the certificate from the web server. Essentially posing AS that web server, so you can decrypt and encrypt the traffic.

So, wherever you purchased the cert for the web server, you would just install that certificate on the firewall and use that cert for inbound SSL decryption. I am sure we have something on that.

Stay Secure,
Joe
End of line
Community Team Member

Re: SSL inbound inspection cert

Here is one that I created on SSL decryption:

https://live.paloaltonetworks.com/t5/tutorials/how-to-configure-ssl-decryption/ta-p/65073


Also, FYI here is the SSL Decryption resource list:

https://live.paloaltonetworks.com/t5/management-articles/ssl-decryption-resource-list/ta-p/70397


Hope this helps.

Stay Secure,
Joe
End of line
Cyber Elite

Re: SSL inbound inspection cert

@raji_toor,

When setting up inbound inspection the certificate won't be a CA cert; you're just going to import the certificate and the private key. The following documentation will walk you through the setup process. Just keep in mind you'll likely want to limit the decryption rule base entry to a select test IP when getting everything set up, so you don't cause any security issues on your public resource.


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspectio...
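Joe's two cases above and BPry's "certificate plus private key" point can be checked before anything is imported into the firewall. The script below is an added example (not from this thread or from Palo Alto Networks) that builds constructed test material with the openssl CLI (assumed to be 1.1.1 or newer on PATH), then classifies a cert as CA or end-entity and confirms the private key really belongs to the cert:

```shell
#!/bin/sh
# Added example, not from the thread or from Palo Alto Networks. Before importing a
# certificate for inbound inspection, confirm it is an end-entity (server) cert rather
# than a CA, and that the private key imported with it really belongs to it.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material (not real certificates): a self-signed CA, the kind of cert
# forward-proxy / outbound decryption needs, and a CA-signed wildcard server cert, the
# kind inbound inspection needs.
printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=Test CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Prints "ca" when Basic Constraints carries CA:TRUE, otherwise "leaf".
cert_role() {
  if openssl x509 -noout -ext basicConstraints -in "$1" 2>/dev/null | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo leaf
  fi
}

# Succeeds only when the key's public half equals the certificate's public key.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Inbound-inspection import check: an end-entity cert together with its own private key.
inbound_ready() {
  [ "$(cert_role "$1")" = leaf ] && key_matches_cert "$1" "$2"
}

if inbound_ready "$WORK/leaf.pem" "$WORK/leaf.key"; then
  echo "leaf.pem: server cert with matching key, suitable for inbound inspection"
fi
if ! inbound_ready "$WORK/ca.pem" "$WORK/ca.key"; then
  echo "ca.pem: CA certificate, use it for forward proxy (outbound), not inbound"
fi
```

Run it against the purchased cert and key instead of the constructed files; a CA:TRUE result or a key mismatch means the wrong file is about to be imported.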

L4 Transporter

Re: SSL inbound inspection cert

@BPry and @jdelio Thanks for the inputs. I had my head stuck on the way we did outbound decryption, which was incorrect for inbound inspection.

And just FYI, the links shared earlier, I don't have access to them.


I used the wildcard cert now that we also use for GlobalProtect, but the first attempts are failing. I have opened a new discussion for that.

Community Team Member

Re: SSL inbound inspection cert

@raji_toor You do not have access to those articles? Do you get an error? Everyone should have access to those.

Stay Secure,
Joe
End of line