Set Up Outbound Decryption on Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Set Up Outbound Decryption on Cloud NGFW for Azure
Setup outbound decryption.
With Outbound decryption, Cloud NGFW behaves like an SSL Forward Proxy, and uses its associated
certificates to establish itself as a trusted third party (man-in-the-middle) for
the client-server session. However, Cloud NGFW keeps your traffic packet headers and
payload intact, providing complete visibility of the source’s identity to your
destinations.
PAN-OS version 11.0.x is required when
using Azure Key Vault for outbound decryption.
Outbound decryption uses two certificate objects - Trust and Untrust. The NGFW
presents the trust certificate to clients during SSL decryption if the client is
attempting to connect to a server that has a certificate signed by a trusted
certificate authority (CA). Alternatively, the NGFW presents the untrust certificate
to the client attempting to connect to a server that has a certificate signed by a
CA that the NGFW does not trust.
You can configure the NGFW resource to decrypt the SSL traffic leaving your VNet or
subnet. You can then enforce App-ID and security settings on the plaintext traffic,
including Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking
profiles. After decrypting and inspecting traffic, the firewall re-encrypts the
plaintext traffic as it exits the firewall to ensure privacy and security.
This procedure only defines the certificates that the firewall uses for Outbound TLS
Decryption. You must enable Outbound TLS Decryption during rules creation .
- Select Rulestacks and select a previously-created rulestack which to apply the certificate.Select Security ProfilesEgress Decryption.Select a certificate.
- Select an Untrust Certificate.
- Select an Trust Certificate.
Add a Certificate to Cloud NGFW for Azure if you have not done so already.The certificate and private key are stored in the Azure Key Vault, and the workload uses this information to decrypt the traffic.The certificate must be a CA certificate. Set the CA value in the Basic Constraints must be set to TRUE. The following is an example private CA certificate.Certificate: Data: Version: 3 (0x2) Serial Number: 4121 (0x1019) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=Example Company Root CA, OU=Corp, CN=www.example.com/emailAddress=corp@www.example.com Validity Not Before: Feb 26 20:27:56 2018 GMT Not After : Feb 24 20:27:56 2028 GMT Subject: C=US, ST=WA, L=Seattle, O=Examples Company Subordinate CA, OU=Corporate Office, CN=www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c0: ... a3:4a:51 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: F8:84:EE:37:21:F2:5E:0B:6C:40:C2:9D:C6:FE:7E:49:53:67:34:D9 X509v3 Authority Key Identifier: keyid:0D:CE:76:F2:E3:3B:93:2D:36:05:41:41:16:36:C8:82:BC:CB:F8:A0 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, CRL Sign Signature Algorithm: sha256WithRSAEncryption 6:bb:94: ... 80:d8If you are using an End-Entity certificate for decrypting traffic, only the End Entity Cert with public and private key must be stored in the Azure Key Vault.PKCS8 is the supported certificate format.Trust certificates cannot be self-signed, but the untrust certificate can be self signed or ca-signed.Navigate to the previously created Rulestack and go to the Managed Identity page.From Enable MI dropdown menu, select the managed identity that was associated with the key vault.Click Save.