Set Up Inbound Decryption on Cloud NGFW for AWS
Cloud NGFW uses SSL Inbound Decryption to decrypt and inspect inbound SSL/TLS traffic from a client to a targeted network server (any server whose certificate you hold and can import onto the firewall) and to block suspicious sessions. The firewall acts as a proxy between the external client and the internal server and generates a new session key for each secure session: it creates one secure session between the client and the firewall and another between the firewall and the server, and decrypts and inspects the traffic in between. Cloud NGFW nevertheless keeps your traffic's packet headers and payload intact, so the applications in your VPCs retain complete visibility of the source's identity.

Your certificate and session key are stored in AWS Secrets Manager to perform SSL inbound inspection. The firewall validates that the certificate sent by the targeted server during the SSL/TLS handshake matches a certificate in your decryption policy rule. If there is a match, the firewall forwards the server's certificate to the client requesting access to the server and establishes a secure connection.
- Select Rulestacks and select the previously created rulestack to which you want to apply the certificate.
- Select Rules, then Create a new Security Rule for decryption.
- Provide the following details under General.
  - Name—Name of the rule.
  - Description—A description for the rule.
  - Rule Priority—A unique priority for the rule.
  - Enabled—Enable this field to associate the rulestack with the rule. This field is enabled by default.
- Define matching criteria for the Source and Destination IP address fields.
- Configure Granular Controls.
  - Specify the Applications (App-ID™) you want the rule to allow or block. TLS decryption rules support only Applications (App-ID™) set to Any, or to Match with SSL as the only application.
  - Specify a URL Category as match criteria for the rule.
  - Specify the Protocol and Ports you want the rule to allow or block.
- Specify the Action you want the firewall to take when traffic matches one of the rules you created.
  - Allow—Allow traffic.
  - Deny—Block traffic and enforce the default Deny Action defined for the application being denied.
  - Reset Server—Send a TCP reset to the server-side device.
  - Reset Both—Send a TCP reset to both the client-side and server-side devices.
- Under TLS Decryption, select Inbound and select an Inbound Inspection Certificate. Create a certificate if you have not done so already. The Amazon Resource Name (ARN) of the secret must be used as the certificate ARN when creating the certificate object. The certificate and private key are stored in AWS Secrets Manager (ASM), and the Application Load Balancer (ALB) uses this information to decrypt the traffic. The certificate need not be a CA certificate. If the certificate is a chain, use the leaf certificate and its key. PKCS8 is the supported certificate format. Inbound decryption does not support self-signed certificates. The decryption profile for TLS decryption is set to the Best Practice Security Policy. See Decrypt Traffic for Full Visibility and Threat Inspection for more information.
- Click Enabled to enable logging.
- Click Save.
- Click Config Actions and Deploy Configuration, then Commit to save the rule to the running configuration of the firewall.
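As an added example (not part of the Cloud NGFW documentation or product), the shell script below performs the checks the certificate step calls for before the material is stored in AWS Secrets Manager: it keeps only the leaf certificate of a chain, confirms the key is PKCS#8, rejects self-signed certificates, checks that the key belongs to the certificate, and then creates the secret with the AWS CLI and prints the ARN used in the certificate object. The secret name and the concatenated-PEM secret layout are assumptions; the openssl-based checks need openssl installed and the upload needs a configured aws CLI.

```shell
#!/usr/bin/env bash
# Pre-flight checks on the certificate material before it goes into AWS Secrets
# Manager, then the CLI call that creates the secret and prints its ARN.
set -eu

# A PKCS#8 key carries the "BEGIN PRIVATE KEY" header; PKCS#1 ("RSA PRIVATE
# KEY"), SEC1 ("EC PRIVATE KEY") and encrypted PKCS#8 keys are rejected.
key_is_pkcs8() { grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; }

# Number of certificate blocks in a PEM file (2 or more means a chain).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Print only the first block of a PEM bundle: in a server chain the leaf comes
# first, and only the leaf certificate and its key belong in the secret.
leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {n++} n == 1 {print}
       /-----END CERTIFICATE-----/ {if (n == 1) exit}' "$1"
}

# Self-signed heuristic (needs openssl): subject and issuer are identical.
is_self_signed() {
  local s i
  s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# The key must belong to the certificate: compare the public keys they carry.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
  local p; p=$(openssl x509 -noout -pubkey -in "$1")
  [ -n "$p" ] && [ "$p" = "$(openssl pkey -pubout -in "$2")" ]
}

# Run every check and print the path of the extracted leaf certificate.
preflight() {  # $1 = certificate (leaf or chain) PEM, $2 = PKCS#8 key PEM
  command -v openssl >/dev/null || { echo "openssl is required" >&2; return 1; }
  local leaf; leaf=$(mktemp); leaf_cert "$1" > "$leaf"
  key_is_pkcs8 "$2"             || { echo "key is not PKCS#8" >&2; return 1; }
  ! is_self_signed "$leaf"      || { echo "self-signed certificate" >&2; return 1; }
  key_matches_cert "$leaf" "$2" || { echo "key does not match leaf" >&2; return 1; }
  echo "$leaf"
}

# Create the secret and print its ARN. Storing cert and key as one concatenated
# PEM string is an assumption: confirm the layout the certificate object expects.
upload_secret() {  # $1 = secret name (assumed), $2 = leaf cert PEM, $3 = key PEM
  aws secretsmanager create-secret --name "$1" \
    --secret-string "$(cat "$2" "$3")" --query ARN --output text
}
# usage: leaf=$(preflight chain.pem key.pem) && upload_secret ngfw-inbound "$leaf" key.pem
```

The printed ARN is the value to enter as the certificate ARN when creating the Inbound Inspection Certificate object.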