07-19-2021 07:46 AM
Hello,
I have a Palo Alto 8.1.18 firewall that is already configured with an SSL Forward Proxy setup for a current set of traffic. There is only one signed certificate that is configured as the Forwarding Trust and Forwarding Untrust certificate (odd, I know); let's call it cert X.
I have a new set of traffic that requires SSL Forward Proxy treatment. Does the PA only allow the use of one Forward Trust/Untrust certificate, or can multiple certs be used? If so, how does the PA know which certificate to call upon, as I see no reference to a cert in the decryption profile? Does it cycle through, say, cert X, cert Y and cert Z until one matches?
Struggling to find anything useful on the PA site, so advice is greatly appreciated.
Regards
07-21-2021 09:59 AM
The decryption certificate is global, you cannot choose one per decryption profile. Whatever certificate you mark for Forward Trust, will be used for SSL Forward Proxy when the firewall verifies that the root CA that signed the server certificate is in the Trusted Root CA list, or present as Trusted Root CA in the certificate store. If the firewall cannot find it, it will instead use the certificate marked as Forward Untrust Certificate.
By the way, it is a BAD IDEA to mark both Forward Trust and Forward Untrust in the same certificate, because you will push this certificate to workstations as a certificate that your devices should trust. That means that if the firewall finds a server certificate that is not trusted, it will present the device with a certificate it trusts, and therefore make it seem to the end user that anything out in the internet is trusted, even when they browse to websites or use applications that present with invalid SSL certificates.
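The selection rule in the reply above, modelled in Go as an added example (this is not code from the thread, from PAN-OS or from Palo Alto Networks). It builds a throwaway public root CA, an unknown private CA and two forward-proxy CAs, applies the trusted-root test to decide which CA re-signs each origin server certificate, and then checks what a workstation that only has the Forward Trust CA installed would accept. The CA names, the hostnames `bank.example` and `evil.example`, and the `Simulate`/`pickForwardCA` functions are all constructed for the example. Only the root-trust test the reply describes is modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyedCert is a certificate plus the private key that signs with it.
// Everything below is constructed for this example; none of it is a real CA.
type keyedCert struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign gives tmpl a fresh P-256 key and signs it with parent (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *keyedCert) *keyedCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	pcert, pkey := tmpl, key
	if parent != nil {
		pcert, pkey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, &key.PublicKey, pkey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &keyedCert{cert: cert, key: key}
}

func newCA(cn string) *keyedCert {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// newLeaf issues a server certificate for dnsName; the origin server's cert and the proxy's re-issued copy share this shape.
func newLeaf(dnsName string, issuer *keyedCert) *x509.Certificate {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer).cert
}

// pickForwardCA is the global rule from the reply: if the origin certificate chains to a root in the
// firewall's trusted root store, the Forward Trust CA re-signs it; otherwise the Forward Untrust CA does.
func pickForwardCA(origin *x509.Certificate, fwRoots *x509.CertPool, trust, untrust *keyedCert) (*keyedCert, bool) {
	if _, err := origin.Verify(x509.VerifyOptions{Roots: fwRoots}); err != nil {
		return untrust, false
	}
	return trust, true
}

// Simulate reports whether a workstation accepts a site behind a CA the firewall trusts (legitOK)
// and a site behind a CA it does not (bogusOK). sharedCert reproduces the thread's setup: one cert in both roles.
func Simulate(sharedCert bool) (legitOK, bogusOK bool) {
	publicRoot := newCA("Public Root CA")    // in the firewall's trusted root list
	privateCA := newCA("Unknown Private CA") // not in that list
	trust, untrust := newCA("Forward Trust CA"), newCA("Forward Untrust CA")
	if sharedCert {
		untrust = trust
	}
	fwRoots := x509.NewCertPool()
	fwRoots.AddCert(publicRoot.cert)
	clientRoots := x509.NewCertPool() // what the workstation trusts
	clientRoots.AddCert(publicRoot.cert)
	clientRoots.AddCert(trust.cert) // only the Forward Trust CA is ever pushed to workstations
	proxy := func(origin *x509.Certificate) bool {
		signer, _ := pickForwardCA(origin, fwRoots, trust, untrust) // firewall side
		fake := newLeaf(origin.DNSNames[0], signer)                // what the workstation sees
		_, err := fake.Verify(x509.VerifyOptions{Roots: clientRoots, DNSName: fake.DNSNames[0]})
		return err == nil
	}
	return proxy(newLeaf("bank.example", publicRoot)), proxy(newLeaf("evil.example", privateCA))
}

func main() {
	fmt.Println(Simulate(false)) // separate CAs: true false (untrusted site still warns)
	fmt.Println(Simulate(true))  // shared cert:  true true  (the warning is gone)
}
```

With separate CAs the untrusted site is re-signed by a CA the workstation does not have, so the browser warning survives decryption; with one certificate in both roles the same re-signed certificate validates, which is exactly the loss of the warning the reply describes.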
07-22-2021 12:42 AM
Mivaldi,
That's great feedback, thank you. That was my suspicion too but little PA clarity on their documentation.
I agree a single cert for both is not best practice, but we have inherited this as is. Looking forward to putting it all right.
Regards