08-21-2019 11:41 AM
Hello
I have read the articles regarding the types of SSL decryption:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK
However, I still don't really understand 'how' to choose the decryption mode in our network; whether it's inbound or outbound isn't really a criterion. I mean, practically, what's the difference in impact? What reasons would you have to use one instead of the other?
08-21-2019 11:53 AM
Hello!
SSL Fwd Proxy is when the FW intercepts SSL traffic between client browser and internet server, substituting a self-signed or internal CA cert, so that the FW can decrypt traffic between client and server, as the traffic EGRESSES the FW.
Inbound Inspection is when you have public CA-signed certs and external users need to INGRESS to your FW (think traffic to your DMZ zone, as an example). Your DMZ servers already have public certs to support SSL sessions. If you take the public/private key from your internal DMZ server and import it into the FW, there is no need for the FW to proxy the connection. The FW uses the same cert to decrypt inbound traffic to your network.
So..
SSL Fwd proxy is decrypting EGRESS traffic, using a self signed or internal CA cert. From internal client to public Internet.
Inbound Inspection is decrypting INGRESS traffic, using public cert. From public client to internal server.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
08-22-2019 10:34 AM
Hello, I kind of understand. However, what about when you try to implement an inspection and you, as an engineer, only have the details of the flow but no idea if it's ingress or egress, for example from one DMZ to another? Will you distinguish the type from what certificate you will be provided (if any)?
08-22-2019 12:12 PM
I would definitely suggest you read the docs on setting up Decryption.
Very brief:
Creating a self-signed cert on the FW allows the cert to be used for SSL Forward Proxy (or EGRESS), because the FW will be intercepting someone's SSL traffic to Facebook (or any other public web server). When the web server from the Internet sends back the publicly signed cert, the FW will substitute the self-signed one, and forward it to the user.
Now the FW can see traffic from client to FW (make sure no malware/virus, etc in the payload) and then send the traffic to the Internet.
With Inbound Inspection, you take the cert from your DMZ and put it on your FW. Now, when someone from the Internet comes inbound to your DMZ, you have a different cert (that you loaded from your DMZ server onto the FW) and now the FW will intercept the traffic from the Internet (make sure no malware/virus in the payload) and then send it into your DMZ.
You will create policies based on SSL Forward Proxy (self signed cert) vs Inbound Inspection (public cert from DMZ).
Again, just a very simple example, so read docs, view Youtube videos, etc..
Let me know what other questions you may have.
Steve
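The rule Steve's two posts boil down to, written out as a small decision helper (an added illustration, not code from the thread or from Palo Alto Networks): the deciding question for a given flow is whether you hold the server's private key. The `Flow` and `Decision` types and the zone names are assumptions made for the example.

```python
# Added example: which decryption mode fits a flow, based only on what the
# engineer actually has (the server's cert+key, and whether clients trust the
# FW's forward-proxy CA). Types, field names and zone names are assumptions.
from dataclasses import dataclass, field

FORWARD_PROXY = "SSL Forward Proxy"
INBOUND_INSPECTION = "SSL Inbound Inspection"


@dataclass
class Flow:
    client_zone: str              # e.g. "trust", "dmz-a", "untrust"
    server_zone: str
    server_name: str
    have_server_private_key: bool  # can we import the server's cert+key into the FW?
    client_trusts_fw_ca: bool      # is the FW's self-signed/internal CA in the client trust store?


@dataclass
class Decision:
    mode: str
    cert_client_sees: str
    notes: list = field(default_factory=list)


def choose_decryption(flow: Flow) -> Decision:
    """Pick the mode from the key material available, not from 'inbound' vs 'outbound'."""
    if flow.have_server_private_key:
        # Inbound Inspection: the FW holds the server's own cert+key, so nothing is
        # substituted. The client sees the real server certificate, and the FW
        # re-encrypts towards the server (it is not the TLS termination point).
        d = Decision(INBOUND_INSPECTION, f"{flow.server_name} (server's own cert)")
        if flow.client_zone == flow.server_zone:
            d.notes.append("same-zone flow: check that the traffic actually traverses the FW")
        return d
    # No key: the FW can only see inside the session by re-signing the server's
    # cert with its own CA, so the client must trust that CA.
    d = Decision(FORWARD_PROXY, f"{flow.server_name} (re-signed by the FW's forward-proxy CA)")
    if not flow.client_trusts_fw_ca:
        d.notes.append("clients will get certificate warnings until the FW CA is trusted")
    if flow.client_zone == "untrust":
        d.notes.append("external clients cannot be made to trust your CA; forward proxy is not viable")
    return d


if __name__ == "__main__":
    # Constructed flows: the thread's two textbook cases plus the DMZ-to-DMZ question.
    for f in (Flow("trust", "untrust", "www.facebook.com", False, True),
              Flow("untrust", "dmz", "app.example.com", True, False),
              Flow("dmz-a", "dmz-b", "api.internal.example", True, True)):
        print(f.client_zone, "->", f.server_zone, ":", choose_decryption(f))
```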
08-23-2019 09:39 AM
Thanks once more. So if I understood correctly, I would use forward proxy when I want to decrypt traffic to the 'outside', like the Internet, and inbound decryption would be towards internal servers? Almost like when we do SSL offload (although with re-encryption and the FW not becoming the SSL termination point).