12-02-2016 01:44 AM
Hello,
I'm trying to set up our SSL Inbound Inspection for the first time, but I'm having some difficulties getting the setup to work.
The configuration seems really simple, and I followed this guide:
I imported the certificate and intermediate certificate, checked that the root CA exists in the Trusted Certificate Authorities (Quovadis Root CA 2) and created a decryption rule.
When checking the traffic log, all entries matching the decryption rule return decrypt-error as the session end reason.
How can I debug this kind of error?
Thanks!
12-02-2016 01:54 AM
Hi FTBZ,
When you're configuring Inbound Inspection you're looking to decrypt traffic that is incoming to a server providing encrypted services, like an HTTPS-enabled web server.
To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.
hope this helps,
Ben
12-02-2016 02:38 AM
Also make sure the server is using a cipher suite that's supported by the firewall: PAN-OS 7.1 Supported ciphers
12-07-2016 11:51 AM
Sorry for the late response, I didn't get the notification about the new message.
To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.
Exactly what I've done, but thanks.
also make sure the server is using a cipher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers
Oh, thanks. Perhaps my problem can be here, our Apache configurations have a lot of cipher fine-tuning.
12-07-2016 09:49 PM
@reaper wrote: also make sure the server is using a cipher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers
I checked the cipher used during my tests and it's one that's supported by PAN-OS 7.1 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256).
We're using Quovadis certificates that need an intermediate one. Does someone know the correct steps to use it? The default root CA exists in the Default Trusted Certificate Authorities. Do I need to re-upload it to the Device Certificates to use the intermediate? Does the Trusted Root CA checkbox need to be used for an intermediate? 🤔
01-25-2017 05:09 AM
Finally, figured it out. For SSL Inbound Inspection only RSA key exchange is supported... Found this information in small print in the Decryption Profile. Didn't see it before because I used the default one. This information really needs to be added to the documentation and to the page "PAN-OS 7.1 Supported ciphers".
I don't think that disabling ECDHE and using RSA on our web servers is a good choice. Any idea?
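An added example, not from the thread or from Palo Alto Networks, that sorts cipher-suite names by key exchange so an explicit Apache SSLCipherSuite list can be checked against the RSA-only requirement found above; it works because a device holding only the server's RSA private key can unwrap the premaster secret of a static-RSA handshake but never the ephemeral (EC)DHE keys that give forward secrecy. APACHE_CIPHER_STRING is constructed sample input, and the PAN-OS supported-cipher list itself is not reproduced here.

```python
# Constructed sample: an Apache SSLCipherSuite string of the "fine-tuned" kind
# mentioned in the thread (not the poster's real configuration).
APACHE_CIPHER_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!MD5:@STRENGTH"
)

# Key-exchange tokens that are NOT static RSA (ephemeral, anonymous, PSK, SRP).
_NON_RSA_KX = ("ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP")


def key_exchange(suite: str) -> str:
    """Key-exchange method encoded in a cipher-suite name.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    names (ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256).
    """
    name = suite.strip().upper().replace("-", "_")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS1.3"  # TLS 1.3 suites always use an ephemeral (EC)DHE exchange
    if name.startswith("TLS_"):
        name = name[4:]
    first = name.split("_", 1)[0]
    if first in _NON_RSA_KX:
        return first
    # IANA writes static RSA as RSA_WITH_...; OpenSSL writes it with no prefix at all.
    return "RSA"


def explicit_suites(cipher_string: str) -> list:
    """Explicit suite names from an OpenSSL/Apache cipher string.

    Modifiers (!, +, -, @) and group keywords (HIGH, kRSA, aNULL ...) are skipped:
    real suite names contain '-' or '_', keywords never do.  Expand keyword groups
    first with `openssl ciphers -v '<string>'` if you need them resolved.
    """
    return [t for t in cipher_string.split(":")
            if t and t[0] not in "!+-@" and ("-" in t or "_" in t)]


def inbound_inspection_report(suites):
    """Split suites by whether a device holding only the server's RSA private key
    can derive the session keys: yes for static RSA key exchange, no for (EC)DHE,
    where the premaster secret is never sent encrypted under that key."""
    decryptable, not_decryptable = [], []
    for s in suites:
        (decryptable if key_exchange(s) == "RSA" else not_decryptable).append(s)
    return decryptable, not_decryptable


if __name__ == "__main__":
    ok, bad = inbound_inspection_report(explicit_suites(APACHE_CIPHER_STRING))
    print("decryptable by inbound inspection:", ok)
    print("not decryptable (ephemeral key exchange):", bad)
```

Everything in the second list provides forward secrecy, which is exactly why passive decryption cannot see it; the question raised above is whether to give that up on the web servers or to inspect the traffic somewhere that terminates TLS instead.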
01-25-2017 05:39 AM
It is important that your web server offers the same ciphers as what is supported by Palo Alto. Take a look here: