08-21-2022 12:00 AM
We want to apply inbound SSL inspection with our certificate from DigiCert, and based on this document
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
there is a note that says "Because SSL certificate providers such as Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption."
Now, can we apply the inbound SSL inspection, and if not, is there any workaround?
10-02-2022 11:19 PM
Hello,
Did you try or test inbound decryption? I suggest you should try.
1- Import the password-protected PKCS12 file (certificate + key) to the firewall
Device > Certificates
2- Create a decryption profile
Objects > Decryption > Decryption Profile
3- Create the related decryption policy
Policy > Decryption > Add
Source zone: internet zone
Source IP: any
Source user: any
Destination zone (if the static NAT rule is bi-directional): inner zone of the IP
Destination IP: the real IP address which you assigned for static NAT
*Before taking this action to test your config, you can assign your test real internet access IP address as the source IP, so you can see the result without a service outage.
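The following shell script is an added example and is not part of the reply above or of any Palo Alto Networks documentation. It prepares the material that step 1 imports under Device > Certificates with plain openssl, and it makes the point the original question turns on: the KB note about vendors not selling CAs concerns forward-proxy decryption, which needs a CA certificate (basicConstraints CA:TRUE) to re-sign server certificates; inbound inspection only needs the server's own end-entity certificate plus its private key, which is exactly what a public CA such as DigiCert issues. Every file name, the passphrase and the throwaway root CA and server certificate are constructed so the script runs offline; in production the server certificate and key come from the vendor and the chain is theirs.

```shell
#!/bin/sh
# Added example (not from the thread): builds the password-protected PKCS#12
# bundle that step 1 imports, and classifies certificates as CA or end-entity.
# All paths and the test CA/server certificate are constructed stand-ins.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-ins so the script runs offline: a throwaway root CA and a
# server certificate it issues. With a real vendor you hold only server.crt
# and server.key; the CA key stays with the vendor, which is why you cannot
# use such a certificate for forward-proxy decryption.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # End-entity profile: explicitly not a CA, server authentication only, SAN set.
  printf '%s\n' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.example.test' > "$WORK/server.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Prints "CA" when the certificate carries basicConstraints CA:TRUE, otherwise
# "end-entity". Forward proxy needs "CA"; inbound inspection needs "end-entity".
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo CA
  else
    echo end-entity
  fi
}

# Step 1 of the reply: bundle server certificate, private key and issuing chain
# into one password-protected PKCS#12 file. openssl refuses to export when the
# key does not match the certificate, so a mismatch surfaces here, not at import.
#   $1 = output .p12, $2 = passphrase, $3 = server cert, $4 = key, $5 = chain
make_pkcs12() {
  openssl pkcs12 -export -out "$1" -passout "pass:$2" \
    -in "$3" -inkey "$4" -certfile "$5" -name inbound-inspection-server
}

# Returns 0 only if the bundle opens with the given passphrase (the MAC check
# fails on a wrong passphrase or a truncated file).
verify_pkcs12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Counts certificates in the bundle; 2 here means server cert + one chain cert.
bundle_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
make_pkcs12 "$WORK/server.p12" 'constructed-passphrase' \
  "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt"
echo "ca.crt     : $(cert_role "$WORK/ca.crt")"
echo "server.crt : $(cert_role "$WORK/server.crt")"
echo "bundle     : $(bundle_cert_count "$WORK/server.p12" 'constructed-passphrase') certificate(s) in $WORK/server.p12"
```

Run it with `WORK=/some/dir sh inbound-p12.sh` to keep the output files; the resulting `server.p12` is the one file step 1 uploads, and the passphrase given to `-passout` is the one the import dialog asks for. Running `cert_role` on the vendor-issued certificate should print `end-entity`, which is the expected and sufficient answer for inbound inspection.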
04-11-2023 01:58 AM
Hi,
I have already tried this. I've managed to get SSL inspection working with a test server. I followed the same setup for our production environment, but it doesn't work. It's not an issue with the certificates or keys, as I've tried them on the test server and they worked fine.
Upon further checking, I noticed that the client doesn't get a "Server Hello" back from the server, which may explain why the connection attempt seems to just hang.
There are no reported errors in the Decryption log, and there's no traffic logged between the two after it's been decrypted. I am pretty sure my security policies are OK -- everything works every time I disable the decryption policy.
Any suggestions on what to check? Are there any specific settings needed on the web server (IIS)? Thanks