According to the PA-3.0_Administrators_Guide.pdf:
Trusted CA certificate—Import an additional intermediate certificate authority (CA) certificate to trust when doing SSL decryption. If the firewall encounters a certificate that is not signed by a trusted CA, then it uses its own untrusted CA to sign the certificate and generate the expected browser warning message.
It might be because I don't have English as my native language, but I don't get what the above says 🙂
Am I correct that the above actually means that when you do SSL decryption and visit an HTTPS site where the SSL cert of this site is signed by an unknown CA (like a CA from a specific company, such as your own), you can then add the ca.crt of the CA that signed that server cert to the PA unit and it will successfully decrypt the traffic, whereas otherwise it will bring you an error that the cert of this server cannot be verified?
If so, can I only add one such CA cert to the PA unit? (Where I work we have at least two CAs, one for production and one for tests, and I would need to add at least two custom CA certs to the PA unit so it will successfully perform SSL decryption without warnings or errors.)
How do I list which additional CA certs have been added to the PA unit (or which CA certs already exist (built-in)), or for that matter delete an incorrect CA cert?
In order to decrypt the SSL sessions, a CA certificate is required. This certificate is used to generate certificates for each SSL destination. By default, a self-signed certificate is used. Because this certificate is not a "Trusted CA", browsers and other applications will give the users a warning indicating that the identity of the site they are accessing could not be verified. The browsers can be configured to trust the CA certificate by importing it into the browser. Alternatively, an already trusted CA cert that is used in the enterprise can be installed into the device for use in the SSL decryption process.
When you import certs into the PAN device you will see them listed under the Device tab / Certificates.
Please read the following two documents thoroughly to get a better understanding of SSL decryption on the Palo Alto device.
Hmm, isn't what you describe what the "SSL Decryption Certificate" (in the Certificates config) is used for?
Since you will have to import both the private and public key of the CA to the PAN so it can issue its own certs for the MITM when doing SSL decryption?
While the "Trusted CA" will only accept the *.crt part.
How are certs handled during SSL decryption if the cert (on the server which the client visits) is issued by a private CA?
Is the workaround for this to uncheck "block unknown" in the CRL settings?
Because I would like to block unknown certs (or certs that cannot be verified between the PAN and the server) but at the same time still tell the PAN unit to trust a specific range of CAs (except for those which are built-in, if any).
With SSL decryption, if the actual certificate has been issued by an authority not trusted by the Palo Alto firewall, then the decryption certificate will be issued using a second "untrusted" CA key. This is to ensure that the user is warned if there are subsequent man-in-the-middle attacks occurring.
Also, the "unknown" is referring to the categorization of the site, not whether the certificate of the server is trusted or not trusted by the PAN.
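To make the trusted-vs-untrusted decision described above concrete, here is an added example (not from this thread or from Palo Alto) that models it with openssl: a constructed private "prod" CA issues an internal server cert, and a helper decides which signing CA the decryption would use depending on whether the server chain verifies against the trusted-CA bundle. It assumes openssl is installed; all CA and host names are constructed, and the helper name is hypothetical.

```shell
#!/bin/sh
# Constructed demo of the decision: does the server cert chain to a trusted CA?
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two private enterprise CAs (constructed): "production" and "test"
openssl req -x509 -newkey rsa:2048 -nodes -keyout prod-ca.key -out prod-ca.crt \
  -subj "/CN=Example Prod CA" -days 1 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout test-ca.key -out test-ca.crt \
  -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1

# Internal server certificate issued by the prod CA (constructed host name)
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=intranet.example.internal" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA prod-ca.crt -CAkey prod-ca.key \
  -CAcreateserial -out server.crt -days 1 >/dev/null 2>&1

# Hypothetical helper modelling the behaviour the guide describes:
# chain verifies against the trusted bundle -> re-sign with the forward-trust CA;
# otherwise -> re-sign with the forward-untrust CA so the browser warns.
signing_ca_for() {  # $1 = server cert, $2 = trusted CA bundle
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo forward-trust
  else
    echo forward-untrust
  fi
}

# Bundle 1: only the test CA is trusted -> the prod-issued cert is unknown
cp test-ca.crt bundle-test-only.crt
# Bundle 2: both CAs concatenated into one PEM file -> either issuer verifies
cat prod-ca.crt test-ca.crt > bundle-both.crt

signing_ca_for server.crt bundle-test-only.crt   # prints forward-untrust
signing_ca_for server.crt bundle-both.crt        # prints forward-trust
```

Concatenating several CA certs into one PEM bundle is how openssl takes more than one trusted issuer; whether the firewall UI accepts a bundle or needs each CA imported separately is something to check in the product documentation.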
The SSL Decryption Policy uses URL filtering to decide which traffic to decrypt or not decrypt. User or destination address can also be used for the decryption decision, but in practice the decision is made on the URL filtering category of the destination address. The destination IP address is compared since the URL is not visible.
A URL License is not required for SSL Decryption to function.
However, the URL categories supplied via a URL License allow you to do a simple include/exclude of many sites. So for example, due to privacy, you would not want to decrypt someone's Internet Banking.
I hope this helps
That is correct - if you want to configure the URL category as part of your SSL Decryption rule base, then you'll need the URL license. Without this the Palo Alto Appliance will not have knowledge of URL categories.
Therefore, traffic may be decrypted with the URL category set to "any" (with no URL License) and other criteria matched, like source/destination IP.