SSL Outbound decryption - Outbound traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Outbound decryption - Outbound traffic

L1 Bithead

Hi There, I need your inputs to implement SSL Decryption, currently we have Proxy Server - WSA and same is configured at all end users explicitly. WSA Doesn't have ssl decryption. Hence we would like to deploy ssl decryption at perimeter firewall palo alto. Please suggest how to implement the same and which certificate needs to be used. As i am new to ssl decryption, please suggest the same and share some documents  with step by step procedures. Thanking you.

8 REPLIES 8

L3 Networker

I'm not sure if maybe you just mean your WSA isn't doing decryption, but WSA does support it.  We had a rack of them that were also decrypting before we moved to PAN.

Hi There,

 

In LAN We have more that 500 users, so what is the best practise to deploy SSL Decryption and install the certificates in client PC's.

 

That is do i need to generate CSR in Firewall and it needs to be Signed in Local Domain Controller. Please elebrote the same and throw some light on this.

The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers.  I'd just use a self signed one from the firewall, but you can also get puicly signed ones, etc.

This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/

 

Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.

 

If windows, the easiest way do deploy these is using GPO.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to...

 

If MAC or linux, youd need some sort of orchestration tool (JAMF, etc) to push globally.

Hi There, Thanks for your response, need bit more details. Let me put in this way 1) I have wild card public certificate - can i use that certificate for SSL inspection. 2) If Wild card is not supported, can i generate csr with inside interface ip and get signed through my internal CA. and if we have multiple sub interface in inside then we need to generate multiple csr for each interface IP. please correct me if i am wrong.

1) I have wild card public certificate - can i use that certificate for SSL inspection.

No.  It needs to be given Certificate Authority permissions.

 

2) If Wild card is not supported, can i generate csr with inside interface ip and get signed through my internal CA. and if we have multiple sub interface in inside then we need to generate multiple csr for each interface IP. please correct me if i am wrong.

You cannot use the firewall to generate a CSR and have your PKI issue it.  The firewall does not have the ability to request a CA certificate; just a regular server cert.  If you check the Certificate Authority box on the generate screen that just makes the firewall sign it.  If you want to use a certificate signed by your internal PKI you have to generate the CSR manually, sign it, and then import the cert and key. 

 

The interfaces of the firewall are unrelated to this.  When inspection is done the firewall needs to create new certificates martching the domain being accessed, and those certficates need to be signed by a trusted certification authority on the client device.  The client doesnt ever see anything to do with the firewall's interface in the certificate.

@TSilverline Can public wildcart cert be used for inbound decryption.


@raji_toor wrote:

@TSilverline Can public wildcart cert be used for inbound decryption.


Yes.  As long as the firewall also has the private key.

  • 7786 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!