SSL inbound inspection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL inbound inspection

L0 Member

We want to apply inbound SSL inspection and our certificate from Digitcert and based on this document
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
there is a note says "Because SSL certificate providers such as Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption."
Now can we apply the inbound SSL inspection and if it's not is there any workaroud

2 REPLIES 2

L3 Networker

Hello,

 

Did you try or test for inbound decryption, I suggest you should try.

 

1- import password protected pkcs12 file (sertificate+key) to Firewall

Device>Certificate

2-Create Certificate decrytpion profile

Objects>Decryption>Decryption Profile

3-Create related Decryption policy

Policy>Decryption>Add

Source zone internet zone

Source ip any

Source user any

Destinatination zone (İf Static-NAT rule is bi-directional) inner zone of ip

Destinatination ip real ip address which you assingned for static NAT

 

*Before taking this action for testing you config, you can assing your test real internet access ip address as source ip so you can see result without service outage.

 

 

UP

L2 Linker

Hi,

 

i have already tried this. i've managed to get SSL inspection working with a test server. i followed the same setup for our production environment but it doesn't work. It's not an issue with the certificates or keys, as i've tried them on the test server and they worked fine.

 

Upon further checking, i noticed that the client doesn't get a "Server Hello" back from the server, which may explain why the connection attempt seems to just hang.

 

There are no reported errors in the Decryption log, and there's no traffic logged between the two after it's been decrypted. Am pretty sure my security policies are OK -- everything works every time i disable the decryption policy.

Any suggestions on what to check? Are there any specific settings needed on the web server(IIS)? Thanks

 

  • 1845 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!