07-02-2025 02:08 AM
Attention: JAPAC TPM team
Hello Team,
Please tell me about Client to Firewall and Firewall to Client in the StrataCloudManager Firewall/Decryption log.
My understanding of Client to Firewall and Firewall to Client is as follows.
- Client to Firewall: TLS handshake information sent by the client (Client Hello, etc.)
- Firewall to Client: TLS information responded by PrismaAccess (Server Hello, certificate, etc.)
However, when I checked the log, the following was displayed.
- Client to Firewall: Server_Hello
- Firewall to Client: Client_Hello
I think this is because PrismaAccess is acting as a proxy between the client and the server, but is this understanding correct?
I would appreciate your advice.
07-05-2025 08:10 AM
Hello @y.saitou, to answer your question: in Strata Cloud Manager's Firewall/Decryption logs, the labels Client to Firewall and Firewall to Client refer to the direction of traffic as seen by the firewall, not necessarily the original source or destination of the TLS messages. When SSL Forward Proxy is enabled (which is common in Prisma Access deployments), the firewall intercepts and decrypts outbound SSL traffic by acting as a man-in-the-middle proxy. Here's how that affects the TLS handshake (check the attached table).
So why the log shows it reversed:
- Client to Firewall: Server_Hello. This is actually the Server Hello from the external server, received by the firewall after it initiated a second TLS handshake with the real destination.
- Firewall to Client: Client_Hello. This is the Client Hello initiated by the firewall toward the external server, acting as a client.
So yes, your understanding is correct. The firewall is proxying both sides of the handshake, and the logs reflect the firewall’s perspective of each leg of the TLS session.
I hope you find this helpful.
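To make the two-leg picture concrete, here is an added Python model of what the answer describes; it is not code from the thread or from Palo Alto Networks. It builds two minimal TLS handshake records (constructed bytes, not captures from Prisma Access), parses the handshake type out of each, and labels every record the way the answer reads the SCM columns: anything the firewall receives is "Client to Firewall", anything it sends is "Firewall to Client", on whichever leg it occurs. The function names (`handshake_message_name`, `forward_proxy_handshake`, `entries_for_leg`) are hypothetical, and the leg names "client_side" and "server_side" are this example's own labels.

```python
"""Two-leg TLS model for an SSL Forward Proxy, labelled from the firewall's
point of view as described in the answer above.  Constructed example: the byte
records are minimal handshakes built here, not captures from Prisma Access,
and the function names are hypothetical."""

# Handshake message types from RFC 5246 / RFC 8446 (HandshakeType).
HANDSHAKE_TYPES = {
    1: "Client_Hello",
    2: "Server_Hello",
    11: "Certificate",
    12: "Server_Key_Exchange",
    14: "Server_Hello_Done",
    16: "Client_Key_Exchange",
    20: "Finished",
}
CONTENT_TYPE_HANDSHAKE = 0x16


def build_handshake_record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x03]) + len(handshake).to_bytes(2, "big") + handshake


def handshake_message_name(record: bytes) -> str:
    """Return the name of the first handshake message in a TLS record.

    Both the record length and the handshake length are checked, so a
    truncated capture raises instead of being mislabelled.
    """
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_len = int.from_bytes(record[3:5], "big")
    payload = record[5:5 + record_len]
    if len(payload) != record_len or record_len < 4:
        raise ValueError("truncated TLS record")
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    if hs_len > len(payload) - 4:
        raise ValueError("truncated handshake message")
    return HANDSHAKE_TYPES.get(hs_type, f"Unknown_{hs_type}")


def log_direction(sent_by_firewall: bool) -> str:
    """Label a record purely by direction relative to the firewall,
    whichever leg it is on (the answer's reading of the SCM columns)."""
    return "Firewall to Client" if sent_by_firewall else "Client to Firewall"


# Minimal hello bodies (constructed: zero randoms, a single cipher suite).
CLIENT_HELLO_BODY = (
    b"\x03\x03" + bytes(32)   # client_version, random
    + b"\x00"                 # session_id length 0
    + b"\x00\x02\x13\x01"     # cipher_suites: length 2, TLS_AES_128_GCM_SHA256
    + b"\x01\x00"             # compression_methods: length 1, null
)
SERVER_HELLO_BODY = (
    b"\x03\x03" + bytes(32)   # server_version, random
    + b"\x00"                 # session_id length 0
    + b"\x13\x01"             # chosen cipher suite
    + b"\x00"                 # compression null
)


def forward_proxy_handshake() -> list[dict]:
    """Records the firewall handles on both legs of one proxied session.

    Leg "client_side": real client <-> firewall (the firewall answers with a
    certificate it issued).  Leg "server_side": firewall <-> real server (the
    firewall acts as the TLS client).  Each entry carries the label the
    decryption log would show for it.
    """
    client_hello = build_handshake_record(1, CLIENT_HELLO_BODY)
    server_hello = build_handshake_record(2, SERVER_HELLO_BODY)
    # (leg, sent_by_firewall, record) in time order; the firewall's own
    # Client Hello is modelled with the same bytes for simplicity.
    events = [
        ("client_side", False, client_hello),  # real client -> firewall
        ("server_side", True, client_hello),   # firewall -> real server
        ("server_side", False, server_hello),  # real server -> firewall
        ("client_side", True, server_hello),   # firewall -> real client
    ]
    return [
        {"leg": leg, "direction": log_direction(sent), "message": handshake_message_name(rec)}
        for leg, sent, rec in events
    ]


def entries_for_leg(leg: str) -> dict:
    """Collapse one leg into the two-column view seen in the decryption log."""
    return {e["direction"]: e["message"] for e in forward_proxy_handshake() if e["leg"] == leg}


if __name__ == "__main__":
    for leg in ("client_side", "server_side"):
        print(leg, entries_for_leg(leg))
```

Running it shows the server-side leg as "Client to Firewall: Server_Hello" and "Firewall to Client: Client_Hello", the same pairing that appeared in the log in the question, while the client-side leg shows the intuitive order. When reading a real entry, the useful check is therefore which leg the record belongs to, not which party the column name seems to suggest.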