11-05-2023 02:54 AM
Hello.
I'm seeking some guidance from those who have configured this, and have it working.
I'm trying to configure the SSL forward proxy feature, to decrypt web traffic.
I can get this working no problems using a self signed certificate, but this is problematic for devices such as phones and tablets. I can certainly push the certificate to computers using group policy, but need to support visiting people with BYODs and also portable devices.
I have purchased a certificate, from a public CA.
However, when installing said certificate on the firewall, it sees it as "trusted" and says it's ok, but the option to use it as the forward trust certificate is greyed out.
I've had a tac case and even tac don't seem to know why.
They have suggested I make a combined certificate which includes the intermediate certificates from the CA, which I have done, and it made no difference.
TAC can't seem to work out how to make this feature work, and neither can I.
Is there anyone using a public CA signed certificate for this purpose? How did you make it work?
TAC have assured me that the version of PanOS I am using does not have a bug, and it should just work.
Please help. Thankyou in advance.
11-05-2023 09:35 AM
For SSL decrypt/encrypt you need a CA (certificate authority), a certificate does not suffice.
With this CA the firewall signs a new certificate which has almost all parameters copied from the "original" web site certificate.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
