Forward Proxy & SSL Inbound Inspection Certificate Comparasion

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Forward Proxy & SSL Inbound Inspection Certificate Comparasion

L1 Bithead

Hello,

1- The CA and Keys checkboxes in the Certificates section of Palo Alto Firewall should always be selected? respectively the certificates used for Forward Proxy and SSL Inbound Inspection should always have CA selected and Keys imported?

2- We use just one self-signed certificate for Forward Trust and Untrust proxy. So we need to import this certificate as Trusted CA in client computer. My question, how client will understand then wenn a website is untrusted ? (the reason of my question is that we are using same self-signed certificate for both options)

Best Regards

1 REPLY 1

Cyber Elite
Cyber Elite

1. for outbound proxy, the certificate needs to be CA and have the private key, for inbound inline inspection, you need to have the server certificate associated with the web service running on the server. you only need to have the key, this does not need to be a CA certificate

 

2. do NOT use the same certificate for trusted and untrusted. the trusted one needs to be imported on the client so it trusts the signing CA certificate. the untrust must not be imported so the user gets a certificate error (it's untrusted because the upstream certificate is untrusted, this needs to be aparent to the user as well as they would else have the false impression this site is safe

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 109 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!