Set Up Inbound Decryption on Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Set Up Inbound Decryption on Cloud NGFW for Azure
Setup inbound decryption.
Cloud NGFW uses SSL Inbound Decryption to inspect and
decrypt inbound SSL/TLS traffic from a client to a targeted network server (any
server you have the certificate for and can import onto the firewall) and block
suspicious sessions. The firewall acts as a proxy between the external client and
the internal server and generates a new session key for each secure session. The
firewall creates a secure session between the client and the firewall and another
secure session between the firewall and the server to decrypt and inspect the
traffic. However, Cloud NGFW keeps your traffic packet headers and payload intact,
providing complete visibility of the source’s identity to your applications in your
VNets.
You must concatenate the web certificate and private key as a single
pem or pfx file and upload it to the Azure Key Vault to perform SSL
inbound inspection. The firewall validates that the certificate sent by the targeted
server during the SSL/TLS handshake matches a certificate in your decryption policy
rule. If there is a match, the firewall forwards the server's certificate to the
client requesting server access and establishes a secure connection.
You must not upload the certificate and key separately to the Azure key
vault.
- Select Rulestacks and select a previously-created rulestack which to apply the certificate.Select Rules, then Create a new Security Rule for decryption.Provide the following details under General.
- Name—Name of the rule.
- Description—A description for the rule.
- Priority—A unique priority for the rule.
- Enabled—Enable the field to associate the rulestack with the rule. This field is enabled by default.
Define matching criteria for the Source and Destination IP address fields.Configure Granular Controls.- Specify the Application Match Criteria you want the rule to allow
or block.You can create TLS decryption rules with Applications—Any or SSL—Match only.
- Specify a URL Category as match criteria for the rule.
- Specify the Protocol and Ports you want the rule to allow or block.Step 6 Specify the A
- Allow—Allow traffic.
- Drop—Block traffic and enforce the default drop action defined for the application that is being denied.
- Reset Server—Sends the TCP reset to the server-side device.
- Reset Both—Sends a TCP reset to both client and server-side devices.
Under TLS Decryption, select Inbound and select an Inbound Inspection Certificate.- Create a certificate if you have not done so already. The Azure Resource Name (ARN) of the secret must be used in the certificate ARN when creating the certificate object.
- PKCS8 is the supported certificate format.
- Inbound decryption supports self-signed and root CA signed certificates and does not support chained certificates.
- The decryption profile for TLS decryption is set to Best Practice Security Policy. See decrypt traffic for full visibility and threat inspection for more information.
Select Logging to enable logging.Click Validate.Click Config ActionsDeploy ConfigurationCommit to save the rule to the running configuration of the firewall.