Decryption Administration
  • Decryption Administration
  • Network Security Documentation
  • All Documentation
>
Configure SSL Forward Proxy (PAN-OS)
Focus
Download PDF
Focus
  1. Home
  2. Network Security
  4. Enable Decryption
  5. Configure SSL Forward Proxy
  6. Configure SSL Forward Proxy (PAN-OS)
Download PDF
Network Security

Configure SSL Forward Proxy (PAN-OS)

Table of Contents
  1. Verify that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
    To view the configured interfaces, select NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
  2. Configure the Forward Trust certificate that the NGFW presents to clients when a trusted CA has signed the server certificate.
    (Recommended Best Practice) Use an enterprise CA-signed certificate as the Forward Trust certificate.
    1. Generate a certificate signing request (CSR) for the enterprise CA to sign and validate:
      1. Select DeviceCertificate ManagementCertificates and click Generate.
      2. Enter a Certificate Name. Use a unique name for each NGFW.
      3. In the Signed By drop-down, select External Authority (CSR).
      4. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the NGFW details, such as Country or Department.
      5. Click Generate to save the CSR. The pending certificate displays on the Device Certificates tab.
    2. Export the CSR:
      1. Select the pending certificate displayed on the Device Certificates tab.
      2. Click Export to download and save the certificate file.
        Leave Export private key unselected to ensure that the private key remains securely on the NGFW.
      3. Click OK.
    3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate, save it onto your system.
    4. Import the enterprise CA-signed certificate onto the NGFW:
      1. Select DeviceCertificate ManagementCertificates and click Import.
      2. Enter the pending Certificate Name exactly.
        The Certificate Name that you enter must exactly match the pending certificate name for the pending certificate to be validated.
      3. Select the signed Certificate File that you received from your enterprise CA.
      4. Click OK. The certificate is displayed as valid with the Key and CA checkboxes selected.
    5. Select the validated certificate to enable it as a Forward Trust Certificate.
    6. Click OK to save the enterprise CA-signed forward trust certificate.
    Use a self-signed certificate as the Forward Trust certificate:
    1. Create a self-signed root CA certificate.
    2. Click the self-signed root CA certificate (DeviceCertificate ManagementCertificatesDevice Certificates) to open Certificate information and then click the Trusted Root CA checkbox.
    3. Click OK.
    4. Generate new subordinate CA certificates for each NGFW:
      1. Select DeviceCertificate ManagementCertificates.
      2. Click Generate at the bottom of the window.
      3. Enter a Certificate Name.
      4. Enter a Common Name, such as 192.168.2.1. This should be the IP address or FQDN that will appear in the certificate. In this example, we are using the IP address of the trust interface. Avoid using spaces in this field.
      5. In the Signed By field, select the self-signed root CA certificate that you created.
      6. Select the Certificate Authority check box to enable the NGFW to issue the certificate. Selecting this check box creates a certificate authority (CA) on the NGFW that is imported to the client browsers, so clients trust the NGFW as a CA.
      7. Generate the certificate.
    5. Click the new certificate to modify it and click the Forward Trust Certificate checkbox to configure the certificate as the Forward Trust Certificate.
    6. Click OK to save the self-signed forward trust certificate.
    7. Repeat steps
      2.d
      ,
      2.e
      , and
      2.f
      for eachNGFW.
  3. Distribute the Forward Trust certificate to client system certificate stores.
    Skip this step if you are using an enterprise-CA signed certificate as the Forward Trust certificate for SSL Forward Proxy decryption and the client systems already have the enterprise CA installed in the local trusted root CA list. (The client systems trust the subordinate CA certificates you generate on the NGFW because the enterprise trusted root CA has signed them.)
    If you do not install the Forward Trust certificate on client systems, users see certificate warnings for each SSL site they visit.
    On an NGFW configured as a GlobalProtect portal:
    This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
    1. Select NetworkGlobalProtectPortals and then select an existing portal configuration or Add a new one.
    2. Select Agent and then select an existing agent configuration or Add a new one.
    3. Add the self-signed trusted root CA certificate to the Trusted Root CA section. After GlobalProtect distributes the NGFW's trusted root CA certificate to client systems, the client systems trust the NGFW’s subordinate CA certificates because the clients trust the NGFW’s root CA certificate.
    4. Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
    5. Click OK twice.
    Without GlobalProtect:
    Export the NGFW trusted root CA certificate so that you can import it into client systems. Highlight the certificate and click Export at the bottom of the window. Choose the PEM format.
    Don’t select the Export private key checkbox. The private key should remain on the NGFW and not be exported to client systems.
    Import the NGFW’s trusted root CA certificate into the browser Trusted Root CA list on the client systems for the clients to trust it. When importing into the client browser, ensure that you add the certificate to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment option, such as an Active Directory Group Policy Object (GPO).
  4. Configure the Forward Untrust certificate (use the same Forward Untrust certificate for each NGFW).
    1. Click Generate at the bottom of the certificates page.
    2. Enter a Certificate Name, such as my-ssl-fwd-untrust.
    3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
    4. Click the Certificate Authority check box to enable the NGFW to issue the certificate.
    5. Generate the certificate.
    6. Click OK to save.
    7. Click the new certificate to modify it and enable the Forward Untrust Certificate option.
      Don’t export the Forward Untrust certificate to the certificate trust lists of your network devices. Don’t install the Forward Untrust certificate on client systems. This is critical because installing the Untrust certificate in the trust list results in devices trusting websites that the NGFW does not trust. In addition, users won’t see certificate warnings for untrusted sites, so they won’t know the sites are untrusted and may access those sites, which could expose your network to threats.
    8. Click OK to save.
  5. (Optional) Configure the key size for the SSL Forward Proxy server certificates that the NGFW presents to clients.
    By default, the NGFW determines the key size to use based on the key size of the destination server certificate.
  6. Create a decryption policy rule to define criteria that traffic must match for SSL Forward Proxy decryption.
    1. Select PoliciesDecryption, Add or modify an existing rule, and define traffic to be decrypted.
    2. Select Options and:
      • For the rule Action, select Decrypt.
      • For Type, select SSL Forward Proxy.
      • (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic.
        For example, create a decryption profile or select one that performs certificate checks and blocks weak cipher suites and protocols from allowing questionable traffic on your network.
    3. Click OK to save.
  7. Commit your changes.
  8. Choose your next step:

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.