This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Offloading for inbound connection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Offloading for inbound connection

ganees
L1 Bithead

‎02-22-2018 09:58 AM

We have few legacy internal applications listening on a various TCP ports. Now we have a requirement to connect to these applications from a cloud vendor externally. There is no option to setup a site-to-site IPSec VPN tunnel to the cloud so we need to expose this server to internet securly. Can Palo alto act as a proxy for inbound traffic hosting the CA cerificate for the internal applications, decrypt and and send the decrypted packet to the internal server? Any documentation with configuration steps?

 

0 Likes Likes
4 REPLIES 4

Remo
L7 Applicator

‎02-22-2018 10:09 AM

Hi @ganees

 

This does not sound like a job for paloalto. The better choice would be a reverse proxy like a Citrix Netscaler. Of course also an Apache or nginx webserver can be configured to do this job. Or a Kemp Loadmaster which (depending ond the bandwith you need) is also available for free: https://freeloadbalancer.com

apackard
L4 Transporter
In response to Remo

‎02-22-2018 11:28 AM

Not sure if the SSL Decryption Broker feature coming in PanOS 8.1 will allow this.

 

I'm intrigued to find out myself, especially if there is a simple load balancer feature in it.

ganees
L1 Bithead
In response to Remo

‎02-22-2018 12:07 PM

Thanks for your response. I thought the same but was curious if Palo can do it. 

0 Likes Likes

Remo
L7 Applicator
In response to apackard

‎02-22-2018 12:15 PM - edited ‎02-22-2018 12:33 PM

The decryption broker feature is intended to share decrypted content with other appliances (e.g. for DLP). But the idea is to keep the content encrypted as it goes through the network and not to terminate the decryption and forward the connection unencrypted.
Edit: between the palo and the third party appliance the traffic is sent back ond forth in cleartext. But this does not change the fact that after the traffic gets back to the palo firewall it will be re-encrypted.
0 Likes Likes
  • 7682 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks