08-11-2019 03:48 AM - edited 08-11-2019 03:52 AM
Hi There, I need your inputs to implement SSL Decryption, currently we have Proxy Server - WSA and same is configured at all end users explicitly. WSA Doesn't have ssl decryption. Hence we would like to deploy ssl decryption at perimeter firewall palo alto. Please suggest how to implement the same and which certificate needs to be used. As i am new to ssl decryption, please suggest the same and share some documents with step by step procedures. Thanking you.
08-11-2019 08:55 AM
08-13-2019 09:51 AM
I'm not sure if maybe you just mean your WSA isn't doing decryption, but WSA does support it. We had a rack of them that were also decrypting before we moved to PAN.
08-17-2019 05:14 AM
In LAN We have more that 500 users, so what is the best practise to deploy SSL Decryption and install the certificates in client PC's.
That is do i need to generate CSR in Firewall and it needs to be Signed in Local Domain Controller. Please elebrote the same and throw some light on this.
08-17-2019 04:28 PM
The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers. I'd just use a self signed one from the firewall, but you can also get puicly signed ones, etc.
This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/
Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.
If windows, the easiest way do deploy these is using GPO.
If MAC or linux, youd need some sort of orchestration tool (JAMF, etc) to push globally.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!