About netmaster

Hi, now we have uploaded whit key and make a policy and it works. But 1 point, the documentation is here a little bit confuse! There is the info that you need " forward trust/untrust option" and a CA but for this case is this not the point. "1. The first thing we would like to do is to install and manage the certificate we would like to use. Navigate  Device > Certificates and generate a new self signed Certificate, be sure to activate CA,Forward Trust Certificate, Untrust and Trusted Root CA:" thanks for your help. best regards ... View more

Hi, Sry i think so. In the decryption policy is the last point "ssl inbound" and When we choose it we must choose a certificate. And Here is the Only certificate what we can choose the  self signed with the Option "Forward trust/untrust". Oh er certificate Here Are Not listed ... View more

Hi,ok i understand we need the same certificate in Firewall as on the server, that we can make on the test Server.But the live Server had the verisign certificate. And we dont can change it. On all certificate we have downloaden From verisign we dont Have the choose to aktivate trust/untrust On the der. ... View more

Hi, now we have made a self signed certificate from the firewall, thats not working. For the test we have change the Server cert in a self signed too. We don´ see any encrypted packets. (in the traffic log or in the cli like: How to View SSL Decryption Information from the CLI We have make all the steps for inbound ssl decrypt from: How to Implement SSL Decryption but it doesnt works. Any special thinks what we must do in the decryption and security policies? Or any other points we must do? enabling decryption on a single tab or so? Cert: Policy decry: Policy sec: ... View more

The certificate what we used in the upper config was created in the firewall, i think thats the problem why this one not matched, thats for your info guys. ... View more

Hello, when we import the server certificate, no CA flag is set and we dont can choose "Forward .... Certificate" and "Trusted Root CA" in the informations. Thats a Certificate from Verisign. And wehn we load any other public root certficates from Verisign and import this ones, its the same.... For what you need it in GUI Format, its the same informations as about cli. Anyone a Idee? best regard Markus ... View more

Hi, thanks for the two answers, thats help to understand how it works in the firewall. Now we have make a self signed Root CA and a decrypt like this doc: https://live.paloaltonetworks.com/docs/DOC-1412 but it doesnt work. We want to make Inbound SSL decryption! The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies). And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall. Config: shared {     ssl-decrypt {       ssl-exclude-cert;       trusted-root-CA [ int_test_com int_test];       forward-trust-certificate int_test_com;       forward-untrust-certificate int_test_com;     }       int_test_com {         subject-hash fc08871a;         issuer-hash fc08871a;         not-valid-before "Aug 27 14:16:26 2014 GMT";         issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";         not-valid-after "Aug 27 14:16:26 2015 GMT";         common-name int.test.com;         expiry-epoch 1440684986;         ca yes;         subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";         public-key "-----BEGIN CERTIFICATE----- ..... decryption {               rules {                 int_test_antivirus {                   category any;                   type {                     ssl-inbound-inspection int_test_com;                   }                   from untrust;                   to trust;                   source any;                   destination any;                   source-user any;                   negate-source no;                   negate-destination no;                   action decrypt; from untrust;                   to trust;                   source any;                   destination int_test_com;                   source-user any;                   category any;                   application [ ssl web-browsing];                   service [ service-http service-https];                   hip-profiles any;                   action allow;                   log-start yes;                   log-end yes;                   negate-source no;                   negate-destination no; ... View more