cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSL Inbound Inspection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
MohammedAsik
L3 Networker
‎07-31-2019 01:20 AM
‎07-31-2019 01:20 AM

SSL Inbound Inspection

Hi Team

 

Kindly help with below query.
 
We approx host 100 websites of our partners. All websites are on SSL (https).
 
I want to configure SSL Inbound Inspection. As per my understanding, I need to import SSL certificate of 100 websites for SSL inbound inpection. However this is not feasible.
 
Is there any other simple way to implement the same.
 
Regards
Mohammed Asik M
 
0 Likes
Reply
reaper
L7 Applicator
‎07-31-2019 01:30 AM
‎07-31-2019 01:30 AM

hi @MohammedAsik 

 

No, this is required: With SSL inbound inspection, the firewall is impersonating the server by handling the ssl handshake. It needs to have the real certificate for the client to trust this connection and not throw an error

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Tags (2)
Reply
MohammedAsik
L3 Networker
‎07-31-2019 03:38 AM
‎07-31-2019 03:38 AM

Hi Reaper

 

I host more than 100+ websites.
 
Do I need to upload certificate of all websites?
 
Will it impact performance of Palo?
 
Regards
Mohammed Asik M
Tags (1)
0 Likes
Reply
SteveCantwell
Cyber Elite
Cyber Elite
‎07-31-2019 06:41 AM
‎07-31-2019 06:41 AM

@MohammedAsik wrote:

Hi Reaper

 

I host more than 100+ websites.
 
Do I need to upload certificate of all websites?
 
Will it impact performance of Palo?
 
Regards
Mohammed Asik M

If you want to ensure that all SSL inbound traffic is being inspected, then yes, you would want to consider having all certs on the FW.

 

There is always some impact with decryption, usually 10% hit in CPU utilization.  Depending on the size of the FW (better performance with larger sized models of FWs) you may be able to mitigate any CPU degradation or latency. 

What size FW are you working with (thinking PA5000 series FW, so please advise)

 

I have see companies invest in an appliance called an HSM (Hardware Security Module), that offloads all of the decryption functionality onto this appliance, so that it does the heavy math/CPU processing to decrypt/re-encrypt traffic.

 

 

Help the community: Like helpful comments and mark solutions
Reply
reaper
L7 Applicator
‎07-31-2019 06:51 AM
‎07-31-2019 06:51 AM

The performance impact lies in the total volume of decrypted sessions, not the amount of certificates. Your platform will need to be scaled to acommodate this volume and taking into account decryption. 

 

if nearly all of your sessions are encrypted, it maybe be wise to consider one of the newer platforms (5200 series) with far superior decryption capabilities

 

@SteveCantwell 

the HSM serves as a vault, keeping all the private keys extra private (kinda like a password manager for firewalls)

it handles all ssl handshakes, but it does not take the brunt of the decryption processing, so performance gain is near negligable

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Reply
MohammedAsik
L3 Networker
‎07-31-2019 10:27 PM
‎07-31-2019 10:27 PM

Hi SteveCantwell

 

Thanks for your valuable infirmation.

 

What size FW are you working with (thinking PA5000 series FW, so please advise)?

 

My Answer : We are using PA 3020 firewall model. Please let us know is this model having better performance for decryption? Please advise.

 

Regards

Mohammed Asik

 

0 Likes
Reply
Brandon_Wertz
Cyber Elite
Cyber Elite
‎08-01-2019 10:19 AM
‎08-01-2019 10:19 AM

I'm not sure of the SSL decryption inbound performance specs of the 3020, but if you're hosting over 100 sites behind it, I'm not sure it's going to have the HW capabilities you need.  Another thing to consider is your encryption ciphers you're using and making sure the PAN-OS version you're running will support the decryption of that cipher.

 

You can also take a look at this thread which is similar to this topic:

 

https://live.paloaltonetworks.com/t5/General-Topics/Is-the-PA-3020-adequate-for-SSL-Decryption-and-o...

 

PAN-OS 7.1 - Ciphers

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

 

PAN-OS 8.1 - Ciphers

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

Reply
BPry
Cyber Elite
Cyber Elite
‎08-01-2019 01:37 PM
‎08-01-2019 01:37 PM

@MohammedAsik,

Nobody can answer what size firewall you should invest in if this is something you are looking to do, because we don't have any of the required information. What size firewall you will need to size out depends on a lot of different factors that you will need to determine before purchase; this all depends on bandwidth requirements, session count, session per second average, the number of virtual systems you utilize, and the feature set you are looking to enable. 

As others have stated I would doubt you would want to enable inbound inspection on a PA-3020 if those sites see moderate traffic levels; but with that being said they could all be low traffic sites where this would all work perfectly fine. We simply don't know from the information present. 

 

As a side note, is this something that you have communicated to your partners and actually have their sign-off on? Before having that conversation with everyone I wouldn't even worry about sizing anything. Depending on what sort of websites these actually are you have additional considerations in actually breaking this encryption. 

Reply
OtakarKlier
Cyber Elite
Cyber Elite
‎08-02-2019 01:53 PM
‎08-02-2019 01:53 PM

Hello,

As previously stated, there will be a performance impact, no we cannot judge how big it will be. The newer models have their own chipsets that deal with SSL decryption so the load is less, e.g. 32XX and 52XX. 

 

Start small, do one at a time and watch the perfomance of the PAN to see where it is. If it peaks out, you'll need to upgrade, if it doesnt keep going until all sites are done.

 

Cheers!

0 Likes
Reply
MohammedAsik
L3 Networker
‎08-05-2019 07:41 AM
‎08-05-2019 07:41 AM

Hi All,

 

Thanks for all to share the valuable infornation.

 

I will check and let you know the status.

 

Again thanks very much for all 

 

Cheers

Mohammed Asik

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks