How does a PA know which forward trust certificate to use for a given decryption profile/policy


L2 Linker

Hello,

I have a Palo Alto 8.1.18 firewall that is already configured with a SSL Forward Proxy setup for a current set of traffic.  There is only one signed certificate that is configured as the Forwarding Trust and Forwarding Untrust certificate (odd I know), let's call it cert X.

I have a new set of traffic that requires SSL Forward Proxy treatment.  Does the PA only allow the use of one Forward Trust/Untrust Certificate or can multiple certs be used?  If so, how does the PA know which certificate to call upon, as I see no reference to a cert in the decryption profile? So does it cycle through, say, cert X, cert Y and cert Z until one matches?


Struggling to find anything useful on the PA site, so advice is greatly appreciated.


Regards

1 accepted solution

Accepted Solutions

L7 Applicator

The decryption certificate is global; you cannot choose one per decryption profile. Whatever certificate you mark for Forward Trust will be used for SSL Forward Proxy when the firewall verifies that the root CA that signed the server certificate is in the Trusted Root CA list, or present as a Trusted Root CA in the certificate store. If the firewall cannot find it, it will instead use the certificate marked as the Forward Untrust Certificate.


By the way, it is a BAD IDEA to mark both Forward Trust and Forward Untrust in the same certificate, because you will push this certificate to workstations as a certificate that your devices should trust. That means that if the firewall finds a server certificate that is not trusted, it will present the device with a certificate it trusts, and therefore make it seem to the end user that anything out in the internet is trusted, even when they browse to websites or use applications that present with invalid SSL certificates.

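To make the selection rule in the accepted answer concrete, here is an added Python model (not PAN-OS code, and not from the thread's authors) of how a forward proxy picks its signing CA: walk the server's chain issuer by issuer to a root in the trust store, re-sign with the Forward Trust cert if that succeeds and with the Forward Untrust cert otherwise, plus a config check for the shared-certificate mistake the answer warns about. The certificate records, fingerprints and names are constructed, and the chain walk skips signature, expiry and name checks that a real validator performs.

```python
# Added example: simplified model of SSL Forward Proxy signing-CA selection.
# Chain validation here only links issuers to a trusted root; a real
# implementation also verifies signatures, validity dates and names.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder, not a real hash

def chains_to_trusted_root(server_chain, trusted_roots, max_depth=5):
    """Walk issuer links from the leaf; True if a trusted root CA is reached."""
    by_subject = {c.subject: c for c in server_chain}
    trusted = {r.subject for r in trusted_roots}
    cert = server_chain[0]  # leaf certificate presented by the server
    for _ in range(max_depth):
        if cert.issuer in trusted:
            return True          # issuer is a root CA in the trust store
        if cert.issuer == cert.subject:
            return False         # self-signed root that is NOT trusted
        cert = by_subject.get(cert.issuer)
        if cert is None:
            return False         # intermediate missing, chain cannot be built
    return False                 # chain too long

def select_signing_cert(server_chain, trusted_roots, forward_trust, forward_untrust):
    """Trusted upstream chain -> Forward Trust cert; otherwise Forward Untrust."""
    if chains_to_trusted_root(server_chain, trusted_roots):
        return forward_trust
    return forward_untrust

def config_warnings(forward_trust, forward_untrust):
    """Flag the misconfiguration from the thread: one cert in both roles."""
    if forward_trust.fingerprint == forward_untrust.fingerprint:
        return ["forward trust and forward untrust are the same certificate: "
                "clients will trust re-signed copies of invalid server certs"]
    return []

# Constructed sample data (hypothetical names, not real CAs)
ROOT = Cert("Example Root CA", "Example Root CA", "fp-root")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", "fp-int")
TRUSTED_ROOTS = [ROOT]
GOOD_CHAIN = [Cert("www.example.com", "Example Issuing CA", "fp-leaf"), INTERMEDIATE]
SELF_SIGNED = [Cert("bad.example.net", "bad.example.net", "fp-bad")]
FORWARD_TRUST = Cert("Corp Decrypt CA", "Corp Root", "fp-trust")
FORWARD_UNTRUST = Cert("Corp Untrust CA", "Corp Untrust CA", "fp-untrust")
```

Passing `GOOD_CHAIN[:1]` (leaf without its intermediate) also falls through to the untrust cert, matching the answer's "if the firewall cannot find it" branch.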


L2 Linker

Mivaldi,


That's great feedback, thank you.  That was my suspicion too but little PA clarity on their documentation.

I agree a single cert for both is not best practice, but we have inherited this as is.  Look forward to putting it all right.


Regards

  • 1 accepted solution
  • 4682 Views
  • 2 replies
  • 0 Likes