08-11-2019 03:48 AM - edited 08-11-2019 03:52 AM
Hi There, I need your inputs to implement SSL Decryption, currently we have Proxy Server - WSA and same is configured at all end users explicitly. WSA Doesn't have ssl decryption. Hence we would like to deploy ssl decryption at perimeter firewall palo alto. Please suggest how to implement the same and which certificate needs to be used. As i am new to ssl decryption, please suggest the same and share some documents with step by step procedures. Thanking you.
08-13-2019 09:51 AM
I'm not sure if maybe you just mean your WSA isn't doing decryption, but WSA does support it. We had a rack of them that were also decrypting before we moved to PAN.
08-17-2019 05:14 AM
Hi There,
In LAN We have more that 500 users, so what is the best practise to deploy SSL Decryption and install the certificates in client PC's.
That is do i need to generate CSR in Firewall and it needs to be Signed in Local Domain Controller. Please elebrote the same and throw some light on this.
08-17-2019 04:28 PM
The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers. I'd just use a self signed one from the firewall, but you can also get puicly signed ones, etc.
This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/
Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.
If windows, the easiest way do deploy these is using GPO.
If MAC or linux, youd need some sort of orchestration tool (JAMF, etc) to push globally.
08-19-2019 01:43 AM - edited 08-19-2019 01:44 AM
08-19-2019 09:22 AM
1) I have wild card public certificate - can i use that certificate for SSL inspection.
No. It needs to be given Certificate Authority permissions.
2) If Wild card is not supported, can i generate csr with inside interface ip and get signed through my internal CA. and if we have multiple sub interface in inside then we need to generate multiple csr for each interface IP. please correct me if i am wrong.
You cannot use the firewall to generate a CSR and have your PKI issue it. The firewall does not have the ability to request a CA certificate; just a regular server cert. If you check the Certificate Authority box on the generate screen that just makes the firewall sign it. If you want to use a certificate signed by your internal PKI you have to generate the CSR manually, sign it, and then import the cert and key.
The interfaces of the firewall are unrelated to this. When inspection is done the firewall needs to create new certificates martching the domain being accessed, and those certficates need to be signed by a trusted certification authority on the client device. The client doesnt ever see anything to do with the firewall's interface in the certificate.
08-19-2019 01:10 PM
@TSilverline Can public wildcart cert be used for inbound decryption.
08-19-2019 03:06 PM
@raji_toor wrote:@TSilverline Can public wildcart cert be used for inbound decryption.
Yes. As long as the firewall also has the private key.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
