
Palo Alto SSL Forward Proxy


What is SSL Forward Proxy?

An SSL Forward Proxy, also called SSL Inspection or SSL Decryption, is a feature of a network security device that intercepts the TLS connections between internal clients and servers on the internet. The firewall terminates the client's TLS session itself, opens a second TLS session to the real server, and presents the client with a certificate for the requested site that it signs on the fly with its own CA certificate. Because the firewall holds the session keys on both sides, it can inspect the plaintext for threats, data loss and policy violations and then re-encrypt the traffic toward its destination. This only works if the clients trust the CA the firewall signs with, which is what the rest of this post sets up.




Importing Trusted Root CA

First, download the Root CA certificate from the CA server.



Then, on the Palo Alto firewall, go to Device » Certificates » Import



Then open the imported certificate and tick “Trusted Root CA”, so the firewall trusts any certificate that chains up to it.




Generating and Signing CSR

Next, generate a CSR for the firewall: on the same page click Generate. Use the firewall's FQDN (here paloalto.helena.gg) as the Common Name; the private key is created on the firewall and never leaves it.


A CSR (Certificate Signing Request) is a message that the entity wanting a certificate (here the firewall) generates and sends to a CA (Certificate Authority). It contains the requester's public key and identity (the subject) and is signed with the matching private key; the CA returns a certificate that binds that public key to the subject.


Export the CSR by selecting Export Certificate (the export contains only the request, not the private key).



Next, sign the CSR on the CA server using the “Subordinate Certificate Authority” template. The template matters: the firewall will use the resulting certificate to sign the certificates it mints for every decrypted site, so it must be a CA certificate (Basic Constraints CA=TRUE with the Certificate Signing key usage). A certificate issued from a web-server template would be valid for the firewall itself but clients would reject anything it signed.


A Subordinate Certificate Authority (Sub-CA) is a lower-level CA in a PKI hierarchy that issues certificates under the authority of a higher-level CA; a client that trusts the root also trusts what the Sub-CA issues, as long as the full chain is presented.


Import the signed certificate into the Palo Alto firewall, using the same certificate name as the pending CSR so the firewall pairs it with the private key it generated earlier.



Open the paloalto certificate and tick both “Forward Trust Certificate” and “Forward Untrust Certificate”. Forward Trust is the certificate the firewall signs with when the real server's certificate is valid; Forward Untrust is used when the server's certificate is not trusted (self-signed, expired, unknown CA). Palo Alto's recommended practice is a separate self-signed certificate that clients do not trust for Forward Untrust, so the browser still warns the user for such sites; this post uses the same certificate for both and relies on the Decryption Profile to block those sessions instead.



And this is what we end up with




Creating Decryption Policy

First, create a Decryption Profile under Objects » Decryption Profile.
The profile defines what the firewall does with sessions it cannot fully trust: whether to block sessions whose server certificate is expired or issued by an untrusted CA, whether to block unsupported TLS versions or cipher suites, and what to do when the server certificate's status cannot be checked.



Next we create the Decryption Policy, on Policies » Decryption, create new


Give it a name


Select Inside Zone as the source


Select Outside Zone as the destination


Set the action to Decrypt with type SSL Forward Proxy, attach the newly created Decryption Profile, and commit.



Testing the SSL Forward Proxy

Before testing, make sure the client on the inside network also trusts the Root CA (import HELENA-CA into its trusted root store); otherwise every decrypted site will show a certificate warning, because the leaf certificates are now signed by the firewall.



Now, when we access anything on the internet, the certificate issuer shows up as the paloalto firewall: it decrypts, inspects and re-encrypts the traffic before forwarding it to the real destination.



Looking at the certificate hierarchy, we can see the PKI hierarchy: paloalto.helena.gg acts as a Sub-CA of HELENA-CA and issues the certificate presented for twitter.com.
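The hierarchy in that certificate viewer, and the CSR-signing step from “Generating and Signing CSR” above, can be reproduced on any machine with OpenSSL. The script below is an added example and is not part of the original post nor a Palo Alto tool: it stands in for the Windows CA server, builds HELENA-CA as the root, signs a CSR for paloalto.helena.gg with the extensions the Subordinate Certification Authority template gives, mints a twitter.com leaf the way the firewall does per session, and then checks the chain from a client's point of view, with and without the root trusted. The names are the ones the post shows; file names, key sizes and validity periods are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the hierarchy the post's
# certificate viewer shows (HELENA-CA -> paloalto.helena.gg -> twitter.com)
# with OpenSSL in place of the Windows CA server, then check it like a client.
# Names come from the post; key sizes, validity and file names are assumed.
# Needs the openssl CLI, 1.1 or newer.

WORK="${WORK:-$(mktemp -d)}"

# Root CA, firewall CSR, CSR signed as a Sub-CA, and one leaf certificate of
# the kind the firewall mints for every decrypted site.
build_pki() (
    cd "$WORK" || exit 1

    # Root CA ("HELENA-CA"): self-signed, must carry CA:TRUE.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=HELENA-CA" -keyout root.key -out root.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root.ext -out root.crt >/dev/null 2>&1 || exit 1

    # Firewall CSR: fw.key stays with the requester, only fw.csr goes to the
    # CA, exactly like the "Export Certificate" step in the post.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=paloalto.helena.gg" -keyout fw.key -out fw.csr >/dev/null 2>&1 || exit 1

    # Subordinate CA template equivalent: CA:TRUE with pathlen:0 (may issue
    # leaves, not further CAs) plus the certificate-signing key usage.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign,digitalSignature' > subca.ext
    openssl x509 -req -in fw.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile subca.ext -out fw.crt >/dev/null 2>&1 || exit 1

    # The certificate the firewall would present to a client for twitter.com.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=twitter.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:twitter.com' > leaf.ext
    openssl x509 -req -in leaf.csr -CA fw.crt -CAkey fw.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1 || exit 1
)

# Issuer the client sees on the leaf: the firewall, not the site's real CA.
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

# A client that imported HELENA-CA as a trusted root accepts the chain.
chain_ok_with_root() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fw.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# The same chain fails on a client that never imported the root, which is
# why the post installs the Root CA on the inside machine before testing.
chain_ok_without_root() {
    openssl verify -no-CAfile -no-CApath -untrusted "$WORK/fw.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Why the template matters: sign the firewall CSR as an end-entity (CA:FALSE)
# certificate instead, mint a leaf from it, and verification must fail.
leaf_from_non_ca_rejected() (
    cd "$WORK" || exit 1
    printf '%s\n' 'basicConstraints=CA:FALSE' > noca.ext
    openssl x509 -req -in fw.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile noca.ext -out fw_noca.crt >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA fw_noca.crt -CAkey fw.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf_bad.crt >/dev/null 2>&1 || exit 1
    # openssl reports "invalid CA certificate" here; success would be the bug.
    if openssl verify -CAfile root.crt -untrusted fw_noca.crt leaf_bad.crt >/dev/null 2>&1; then
        exit 1
    fi
    exit 0
)

if [ "${1:-}" = "run" ]; then
    build_pki && leaf_issuer && chain_ok_with_root && echo "chain verifies with root trusted"
    chain_ok_without_root || echo "chain rejected without root trusted"
    leaf_from_non_ca_rejected && echo "leaf from non-CA issuer rejected"
fi
```

Run it as `sh chain.sh run`. The last function is the failure mode of picking the wrong template on the CA server: a firewall certificate without CA:TRUE signs leaf certificates without complaint, but every client rejects them, which is what the browser warnings would look like if the CSR had been signed with a web-server template instead of the Subordinate Certification Authority one.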



On the Decryption Policy, we can see the hit counter going up



On Monitor » Decryption, we can see all the decrypted traffic



Now, if we try to access a site with a bad certificate (expired, or issued by a CA the firewall does not trust), the Decryption Profile blocks the session and the firewall shows a block page instead of the site.



On ACC » SSL Activity, we can see the overall SSL decryption statistics, as well as the sites that were blocked because of bad certificates.



This post is licensed under CC BY 4.0 by the author.