For details on cookie usage on our site, read our Privacy Policy
SSL Outbound decryption - Outbound traffic
- LIVEcommunity
- Discussions
- General Topics
- SSL Outbound decryption - Outbound traffic
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSL Outbound decryption - Outbound traffic
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-11-2019 03:48 AM - edited 08-11-2019 03:52 AM
Hi There, I need your inputs to implement SSL Decryption, currently we have Proxy Server - WSA and same is configured at all end users explicitly. WSA Doesn't have ssl decryption. Hence we would like to deploy ssl decryption at perimeter firewall palo alto. Please suggest how to implement the same and which certificate needs to be used. As i am new to ssl decryption, please suggest the same and share some documents with step by step procedures. Thanking you.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-13-2019 09:51 AM
I'm not sure if maybe you just mean your WSA isn't doing decryption, but WSA does support it. We had a rack of them that were also decrypting before we moved to PAN.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2019 05:14 AM
Hi There,
In LAN We have more that 500 users, so what is the best practise to deploy SSL Decryption and install the certificates in client PC's.
That is do i need to generate CSR in Firewall and it needs to be Signed in Local Domain Controller. Please elebrote the same and throw some light on this.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2019 04:28 PM
The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers. I'd just use a self signed one from the firewall, but you can also get puicly signed ones, etc.
This article covers the concept pretty well (I have no affiliation with Globalsign it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/
Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working.
If windows, the easiest way do deploy these is using GPO.
If MAC or linux, youd need some sort of orchestration tool (JAMF, etc) to push globally.
- For outbound rules for instances that need access to external APIs in Prisma Cloud Discussions
- PA-450 Internet Traffic stops after 15 minutes in General Topics
- Security alerts not updating after being resolved in AIOps for NGFW Discussions
- show url-cloud status - nothing returned in General Topics
- 2 Palo Alto VM-Serie for IPsec VPN in VM-Series in the Public Cloud
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
