SSL Forward Proxy

The document discusses configuring SSL decryption on a Palo Alto firewall to inspect encrypted traffic. It involves generating a self-signed certificate, exporting it, installing it on a client browser, creating a decryption policy, and a security rule to allow decrypted traffic.

Uploaded by

godwin dsouza

Issue:

On the Windows PC, open the browser and browse to http://www.eicar.org. In the download
area at the bottom of the page, click the eicar.com.txt file to download it over the SSL-encrypted
HTTPS protocol. The firewall cannot detect viruses in an HTTPS connection until
decryption is configured. If prompted, save the file. Do not open or run the file. Notice that the
download is not blocked, because the connection is encrypted and the virus is hidden.

Let's verify whether the traffic is decrypted: go to Monitor > Logs > Traffic. The Decrypted column shows that it is not.

Go to Monitor > Logs > Traffic and click the small search icon next to any entry to open a new window. Under Flags,
Decrypted is not checked by default.

To solve the issue, a certificate needs to be generated so that the firewall can decrypt traffic.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


SSL Forward Proxy:
o Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic.
o An SSL Forward Proxy decryption policy inspects SSL traffic from internal users to the web.
o It prevents malware concealed in SSL-encrypted traffic from being introduced into the network.
o In SSL Forward Proxy decryption, the firewall resides between the internal client and the outside server.
o The firewall uses Forward Trust certificates to establish itself as a trusted third party to the session.
o Firewalls provide the capability to decrypt and inspect traffic for visibility, control and security.
o Decryption of outbound SSL traffic takes the form of SSL Forward Proxy.
o In SSL Forward Proxy, the firewall acts as an intermediate communication node.
o An SSL Forward Proxy decryption deployment is commonly referred to as Man in the Middle.
o It replaces the original certificate from the final destination with one re-signed by a different key.
o The PAN firewall can act as a proxy between a client and an HTTPS website or the Internet.
o The PAN firewall decrypts inbound/outbound SSL traffic in order to apply inspection policies.
o To configure outbound SSL decryption, generate a self-signed certificate on the firewall.
o The PA device is configured to decrypt SSL traffic going to external sites as a forward proxy.

Go to Device > Certificate Management > Certificates > Generate.

Type a name under Certificate Name (SSL-CERT) > type a name under Common Name (P-Certificate) >
check Certificate Authority > leave the default settings under Cryptographic
Settings. Under Certificate Attributes > click Add > Country > type and search for your country
(SA in my case) > add and fill in other Certificate Attributes as needed > click Generate.

Modify the certificate by clicking the name of the certificate (SSL-CERT) > check
Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA > click OK.
Because the same certificate then serves as both Forward Trust and Forward Untrust, sites whose
own certificate the firewall does not trust are also re-signed by a CA the client trusts, so the
browser raises no warning for them.

To export the PAN certificate for installation in the PC web browser, click the name
of the certificate and click Export. Leave the File Format as Base64 Encoded Certificate (PEM) >
check Export private key > type a passphrase twice to confirm > click OK.

Go to the folder where the PEM certificate was downloaded. Copy the file and manually install
the certificate on the client PC. In the web browser (Mozilla Firefox), go to Tools > Options,
then Privacy & Security > Certificates > View Certificates.

Under Authorities > click Import.

Go to Downloads folder and choose the created PEM certificate > click Open > click Trust the CA
to identify websites > click OK.

Check Trust this CA to identify websites & Trust this CA to identify email users and Click OK.
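
With Export private key checked, the exported file carries the CA's private key, while the browser import only needs the certificate. The following added example (not part of the original document) audits a PEM export and produces a certificate-only bundle for client PCs; the sample file is constructed with placeholder bodies, and its layout is an assumption.

```python
import re

# Matches one PEM block and captures its label (e.g. "CERTIFICATE").
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def audit_pem_export(pem_text):
    """Return (certificate_blocks, private_key_labels) for a PEM file."""
    certificates, key_labels = [], []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 uses an ENCRYPTED label; legacy PEM uses a Proc-Type header.
            protected = (label.startswith("ENCRYPTED")
                         or "Proc-Type: 4,ENCRYPTED" in body)
            state = "passphrase-protected" if protected else "UNPROTECTED"
            key_labels.append(f"{label} ({state})")
        elif label == "CERTIFICATE":
            certificates.append(match.group(0) + "\n")
    return certificates, key_labels


def client_safe_bundle(pem_text):
    """Return only the certificate blocks, which is all a browser import needs."""
    certificates, _ = audit_pem_export(pem_text)
    if not certificates:
        raise ValueError("no CERTIFICATE block found in export")
    return "".join(certificates)


# Constructed sample: placeholder base64 bodies, not real key material.
SAMPLE_EXPORT = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1CT0RZ
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLUJPRFk=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    certs, keys = audit_pem_export(SAMPLE_EXPORT)
    print("certificates:", len(certs), "| private keys:", keys)
    print(client_safe_bundle(SAMPLE_EXPORT), end="")
```
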

Configure a Decryption policy, working through the tabs from left to right. Under General > type the Name of the
Decryption rule. Under Source tab > choose Inside under Source Zone > leave the default of
Any. Under Destination tab > choose Outside under Destination Zone > leave Any under
Destination Address > leave the default of Any.

Under Options tab > select Decrypt under Action > leave the default of SSL Forward Proxy under
Type and None under Decryption Profile > click OK.

Decryption Policy is ready

To create a new Security rule, go to Policies > Security > Add. Under General tab > type the
Name of the Security rule (Outside-Decryption) > optionally type the Description.

Under Source tab > choose Inside under Source Zone.

Under Destination tab > choose Outside under Destination Zone > leave the default of Any
under Destination Address.

Under Application tab > select Any.

Under Service/URL Category > choose any.

Leave the default settings of Allow and Log at Session End under Actions.

Click OK and Commit.

Verification:
Go to Monitor > Logs > Traffic; the Decrypted column will show yes.

Go to Monitor > Logs > Traffic and click the small search icon next to any entry to open a new window. Under Flags,
Decrypted is checked.
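
The Decrypted flag is one bit (0x01000000, documented by PAN-OS as "SSL session is decrypted") of the session Flags value in traffic logs. The following added example (not from the original document) counts allowed port-443 sessions that crossed the firewall without that bit set; the CSV column names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Bit that PAN-OS documents in the 32-bit traffic-log Flags field as
# "SSL session is decrypted (SSL Proxy)".
FLAG_DECRYPTED = 0x01000000


def is_decrypted(flags_hex):
    """True when the decrypted bit is set in a hex Flags value."""
    return (int(flags_hex, 16) & FLAG_DECRYPTED) != 0


def undecrypted_tls(log_csv, tls_ports=("443",)):
    """Count allowed TLS-port sessions per (rule, destination) that
    passed through the firewall without being decrypted."""
    misses = Counter()
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"] != "allow" or row["dport"] not in tls_ports:
            continue
        if not is_decrypted(row["flags"]):
            misses[(row["rule"], row["dst"])] += 1
    return misses


# Constructed sample rows; the column names are assumptions for this
# example, not the firewall's export layout. Addresses come from the
# documentation ranges of RFC 5737.
SAMPLE_LOG = """src,dst,dport,action,rule,flags
192.0.2.10,198.51.100.7,443,allow,Outside-Decryption,0x1400019
192.0.2.10,198.51.100.7,443,allow,Outside-Decryption,0x400019
192.0.2.11,203.0.113.5,443,allow,Outside-Decryption,0x400053
192.0.2.11,203.0.113.5,80,allow,Outside-Decryption,0x400000
192.0.2.12,203.0.113.9,443,deny,Outside-Decryption,0x0
"""

if __name__ == "__main__":
    for (rule, dst), count in sorted(undecrypted_tls(SAMPLE_LOG).items()):
        print(f"{rule}: {count} undecrypted session(s) to {dst}:443")
```
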

On the client PC, open any website; it will show an SSL Inspection warning before proceeding.

Click the lock icon; it will show the firewall-generated certificate.

Test Decryption Policy:
In the download area at the bottom of the page, click either the eicar.com or the eicar.com.txt
file to download it over the SSL-enabled HTTPS protocol.
