Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Usage Difference between SSL Forward Proxy and Inbound Inspection Decryption mode

L1 Bithead

Hello

 

i have read the articles regarding the types of ssl decryption:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/ssl-forward...

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/ssl-inbound...

 

However, i still dont really understand 'how' to choose decryption mode in our network, whether its inbound or outbound isnt really a criteria. I mean, practically , whats the difference of impact ? What reasons you would have to use one instead of the other?

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello!

 

SSL Fwd Proxy is when the FW intercepts SSL traffic between client browser and internet server, substituting a self-signed or internal CA cert, so that the FW can decrypt traffic between client and server, as the traffic EGRESSES the FW.

 

Inbound Inspection, is when you have public CA signed certs and external users need to come INGRESS to your FW (think traffic your DMZ zone as example).  Your DMZ servers already have public certs, to support SSL sessions.  If you take the public/private key from your internal DMZ server and import into the FW, there is no need for the FW to proxy the connection.  The FW uses the same cert to decrypt inbound traffic to your network.

 

So..

SSL Fwd proxy is decrypting EGRESS traffic, using a self signed or internal CA cert. From internal client to public Internet.

Inbound Inspection is decrypting INGRESS traffic, using public cert.  From public client to internal server.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

 

 

 

 

Help the community: Like helpful comments and mark solutions

Hello, i kind of understand. However, when you try to implement an inspection and you, as a engineer, only have the details of the flow but no idea if its ingress or egress , for example from one DMZ to another? Will you distinguish the type , from what certificate you will be provided (if any)?

I would definitely suggest you read the docs on setting up Decryption.

 

Very brief:

Creating a self signed cert on FW allow the cert to be used for SSL Forward proxy (or EGRESS), because the FW will be intercepting someone's ssl traffic to Facebook (or any other public web server).  When the web server from the Internet sends back the publicly signed cert, the FW will substitute the self-signed on, and forward to the user.

 

Now the FW can see traffic from client to FW (make sure no malware/virus, etc in the payload) and then send the traffic to the Internet.

 

With Inbound Inspection, you take the cert from your DMZ, put it on your FW.  Now, when someone from the Internet comes inbound to your DMZ, you have a different cert (that you loaded from your DMZ server onto the FW) and now the FW will intercept the traffic from the Internet (make sure no malware/virus in the payment) and then send into your DMZ.

 

You will create policies based on SSL Forward Proxy (self signed cert) vs Inbound Inspection (public cert from DMZ).

 

Again, just a very simple example, so read docs, view Youtube videos, etc..

 

Let me knnow what other questions you may have.

 

Steve

Help the community: Like helpful comments and mark solutions

Thanks once more. So if understood correctly, would use forward proxy when i want to decrypt traffic to the 'outside', like internet and inbound decryption would be towards internal servers? Almost like when we do ssl offload (although with re-encryption and fw not becoming the ssl termination point).

 

 

  • 6572 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!