Hi @thompso104,


"Use a public CA as the forward trust cert which these devices should already trust" - this is a very common misunderstanding that I have met quite often... You cannot use a public CA for the forward trust certificate.


For the Forward Trust Cert to work, you need the private key for that certificate. No public CA will give you their keys, because there would be nothing to stop you from signing certificates left and right on their behalf.


Unfortunately, the only possible solution, in a nutshell, is to exclude the traffic from those devices from decryption.

There are countless possible ways to do it, but it is up to you and your environment to choose the best one.


"Is there a setting in the Palo that says "If client does NOT trust forward-trust cert, then Do Not Decrypt?"" - even if there were such a configuration, it would make the whole decryption pointless. Nothing can stop your users from deleting your internal CA and bypassing decryption. It doesn't make a lot of sense to have such a configuration.
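Added example (not part of this thread, and not Palo Alto code) showing with openssl why the forward trust role needs the CA's private key, and why a device that does not carry that internal CA rejects the re-signed certificate. All names, files and the "Demo Internal Forward Trust CA" are constructed for the demo; it assumes openssl (1.1.0 or newer) is on PATH.

```shell
#!/bin/sh
# Constructed demo of SSL forward-proxy trust: the proxy re-signs a site
# certificate with an internal CA, which is only possible with that CA's key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Internal forward-trust CA. The firewall holds BOTH the cert and the key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Internal Forward Trust CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The certificate the proxy presents to the client for a site (constructed
#    name). Signing it requires ca.key; a public CA never hands that out,
#    so a public CA cannot serve as the forward trust certificate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
  -out "$WORK/site.pem" >/dev/null 2>&1

# verify_with_trust <ca-file|"">: returns 0 if a client with that trust
# store would accept the re-signed certificate, non-zero otherwise.
verify_with_trust() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/site.pem" >/dev/null 2>&1
  else
    # A client whose trust store has no internal CA (e.g. a fixed-firmware
    # device); the system store is ignored so only the chain itself decides.
    openssl verify -no-CAfile -no-CApath "$WORK/site.pem" >/dev/null 2>&1
  fi
}

# Managed endpoint with the internal CA installed: accepts the cert.
client_with_internal_ca() { verify_with_trust "$WORK/ca.pem"; }
# Unmanaged device without it: rejects the cert, so it must be excluded
# from decryption rather than handed a certificate it can never trust.
client_without_internal_ca() { verify_with_trust ""; }
```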
