Configure SSL Forward Proxy

Table of Contents

Fetch Certificates from Authority Information Access (AIA) URL

Configure SSL Forward Proxy

SSL Forward Proxy decryption enables the Next-Generation to see potential threats in outbound encrypted traffic and apply security protections against those threats.

Where Can I Use This?	What Do I Need?
All NGFW deployments, including those funded by software NGFW credits All Prisma Access deployments	No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).

To enable SSL Forward Proxy decryption, set up the certificates required to establish the Next-Generation Firewall (NGFW) as a trusted third party (proxy) to the session between the client and the server. You can use certificates signed by an enterprise certificate authority (CA) or self-signed certificates generated on the NGFW as Forward Trust certificates to authenticate the SSL/TLS session with the client.

(Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that an NGFW uses to sign the certificates for sites requiring SSL/TLS decryption. When the NGFW trusts the CA that signed the certificate of the destination server, it can send a CA-signed copy of the destination server certificate to the client.
This is a best practice because it streamlines the rollout process. Network devices typically trust the enterprise CA already (it is usually installed in the devices’ CA trust storage), so you don’t need to deploy the certificate on endpoints.
Self-signed Certificates—An NGFW can act as a CA and generate self-signed certificates that it uses to sign the certificates for sites requiring SSL/TLS decryption. The NGFW signs a copy of the server certificate to present to the client and establish an SSL session. This method requires installation of the self-signed certificates on all network devices, so that those devices recognize the self-signed certificates. Self-signed certificates are better for small deployments and proof of concept (PoC) trials because of the need to install certificates on all devices.

Additionally, set up a Forward Untrust certificate for the NGFW to present to clients when the server certificate is signed by a CA that the NGFW doesn't trust. This ensures that clients receive a certificate warning when attempting to access sites with untrusted certificates.

Generate separate subordinate Forward Trust CA certificates for each NGFW, regardless of if you use enterprise-CA signed or self-signed certificates. This practice offers several benefits:

Enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment.
Reduces the impact in any situation requiring revocation of a certificate.
Improves troubleshooting because the CA error message the user sees includes information about the NGFW the traffic is traversing. If you use the same Forward Trust CA, you lose the granularity of that information.

After setting up Forward Trust and Forward Untrust certificates, create a decryption policy rule to define the traffic you want to decrypt. Next, create a decryption profile to apply additional SSL/TLS controls and checks to the defined traffic. Traffic that matches the rule is converted to cleartext. The NGFW blocks and restricts traffic based on the decryption profile and Security policy rules, then re-encrypts the traffic as it exits the NGFW.

When you configure SSL Forward Proxy, the proxied traffic does not support DSCP code points or QoS.

Configure SSL Forward Proxy (Strata Cloud Manager)

Verify that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.

To view the configured interfaces, select ConfigurationNGFW and Prisma AccessDevice SettingsInterfaces.
Configure the Forward Trust certificate that the NGFW presents to clients when a trusted CA has signed the server certificate.
(Best Practice) Use an enterprise CA-signed certificate as the Forward Trust certificate.
1. Generate a certificate signing request (CSR) for the enterprise CA to sign and validate:
  1. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
  2. Click Generate to add a custom certificate.
  3. Enter a Certificate Name. Use a unique name for each NGFW.
  4. For Signed By, select External Authority (CSR).
  5. For Certificate Use For, select Forward Trust Certificate.
  6. Specify Cryptographic Settings: Algorithm, Number of Bits, Digest, and Expiration.
  7. (Optional) Add Certificate Attributes, such as Country or Department, to identify the NGFW.
  8. (Optional) Select an OCSP Responder.
  9. Save the CSR.
    The pending certificate displays under Custom Certificates.
2. Export the CSR:
  1. Under Custom Certificates, select the pending certificate, and then click Export Certificate.
  2. Click Export to download and save the certificate file.
  3. Select a Format for the certificate, and Save the setting to download the certificate file.
  4. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate, save it onto your system.
3. Import the enterprise CA-signed certificate onto Strata Cloud Manager.
  An Import Certificate dialog appears.
  1. Enter the pending Certificate Name exactly.
    
    The Certificate Name that you enter must exactly match the pending certificate name for the pending certificate to be validated.
  2. Select the signed Certificate File that you received from your enterprise CA.
  3. (Optional) Browse and select a Key File.
  4. (Optional) Enter a Passphrase, then Confirm Passphrase
  5. Click Save to import the signed certificate.
4. Select the validated certificate and for Certificate Use For, select Forward Trust Certificate.
5. Click Update to confirm your changes.
Use a self-signed certificate as the Forward Trust certificate:
1. Create a self-signed root CA certificate.
  1. Select ConfigurationNGFW and Prisma Access ObjectsCertificate Management.
  2. Generate a certificate.
  3. Enter a unique Certificate Name.
  4. Enter a Common Name. This should be the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  5. Leave Signed By blank.
  6. For Certificate Use For, select Forward Trust Certificate.
  7. Specify Cryptographic Settings: Algorithm, Number of Bits, Digest, and Expiration.
  8. Leave the OCSP Responder field blank. Revocation status verification doesn’t apply to root CA certificates.
  9. (Optional) Add Certificate Attributes, such as Country or Department, to identify the NGFW.
  10. Click Save to generate the certificate.
2. Designate the certificate as a trusted root CA.
  1. Click the certificate in the Custom Certificates list (ConfigurationNGFW and Prisma AccessObjectsCertificate Management).
    Certificate settings and details appear.
  2. For Certificate Use for, select Trusted Root CA.
  3. Save the certificate.
3. Generate new subordinate CA certificates for each NGFW:
  1. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
  2. Click Generate.
  3. Enter a Certificate Name.
  4. Enter a Common Name. This should be the FQDN (recommended) or IP address that appears in the certificate.
  5. For Signed By, select the self-signed root CA certificate that you created.
  6. For Certificate Use For, select Forward Trust Certificate.
  7. Select Certificate Authority to enable the NGFW to issue the certificate. This creates a certificate authority (CA) that is imported to client browsers, so clients trust the NGFW as a CA.
  8. Specify Cryptographic Settings: Algorithm, Number of Bits, Digest, and Expiration.
  9. (Optional) Add Certificate Attributes, such as Country or Department, to further identify the NGFW.
  10. Click Save to generate the certificate.
  11. Repeat this procedure for each NGFW.
Distribute the Forward Trust certificate to client system certificate stores.

Skip this step if you're using an enterprise-CA signed certificate as the Forward Trust certificate and the client systems already have the enterprise CA installed in the local trusted root CA list. (The client systems trust the subordinate CA certificates you generate on the NGFW because the enterprise trusted root CA has signed them.)

If you don’t install the Forward Trust certificate on client systems, users see certificate warnings for each SSL site they visit.

On an NGFW configured as a GlobalProtect portal:

This option is supported with Windows and Mac client OS versions, and requires GlobalProtect app 3.0.0 or later to be installed on the client systems.
1. Select NetworkGlobalProtectPortals and then select an existing portal configuration or Add a new one.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the self-signed trusted root CA certificate to the Trusted Root CA section. After GlobalProtect distributes the trusted root CA certificate to client systems, the client systems trust the NGFW's subordinate CA certificates because the clients trust the NGFW's root CA certificate.
4. Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
5. Click OK twice.
Without GlobalProtect:

Export the trusted root CA certificate so that you can import it into client systems. Highlight the certificate and click Export at the bottom of the window. Choose the PEM format.

Don’t select Export private key. The private key should remain on the NGFW and not be exported to client systems.

Import the trusted root CA certificate into the browser Trusted Root CA list on the client systems for the clients to trust it. When importing into the client browser, ensure that you add the certificate to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment option, such as an Active Directory Group Policy Object (GPO).
Configure the Forward Untrust certificate (use the same Forward Untrust certificate for each NGFW).
1. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
2. Generate a certificate.
3. Enter a unique Certificate Name.
4. Enter a Common Name. This should be the FQDN (recommended) or IP address that appears in the certificate.
5. Leave Signed By blank.
6. For Certificate Use For, select Forward Untrust Certificate.
7. Specify Cryptographic Settings: Algorithm, Number of Bits, Digest, and Expiration.
8. (Optional) Add Certificate Attributes, such as Country or Department, to further identify the NGFW.
9. (Optional) Select an OCSP Responder.
10. Click Save.
  
  Don't export the Forward Untrust certificate to the certificate trust lists of your network devices. Don't install the Forward Untrust certificate on client systems. Installing the Untrust certificate in the Trust List results in devices trusting websites that the NGFW doesn't trust. In addition, users won’t see certificate warnings for untrusted sites, so they may access those sites, which could expose your network to threats.
(Optional) Configure the key size for the SSL Forward Proxy server certificates that the NGFW presents to clients.

By default, the NGFW determines the key size to use based on the key size of the destination server certificate.
Create a decryption policy rule to define criteria that traffic must match for SSL Forward Proxy decryption.
- In the Action and Advanced Inspection section, for Action, select Decrypt.
- For decryption Type, select SSL Forward Proxy.
- (Optional but a best practice) Configure or select a Decryption Profile to block and control various aspects of matching traffic.
  For example, create a decryption profile or select one that performs certificate checks and blocks weak cipher suites and protocols from allowing questionable traffic on your network.
- Save the decryption policy rule.
To start enforcing the rule, select Push ConfigPush.
Choose your next step:
- Enable users to opt out of SSL decryption.
- Configure decryption exclusions to disable decryption for certain types of traffic.
- (Advanced WildFire subscriptions only) Forward decrypted SSL traffic for WildFire analysis.

Configure SSL Forward Proxy (PAN-OS & Panorama)

Confirm that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.

Select NetworkInterfacesEthernet, and then check the Interface Type column for Virtual Wire, Layer 2, or Layer 3. Select an Interface to modify its configuration.
Configure the Forward Trust certificate that the NGFW presents to clients after a trusted CA signs the server certificate.
- (Best Practice) Use an enterprise CA-signed certificate as the Forward Trust certificate:
  1. Create a certificate signing request (CSR) for the enterprise CA:
    Select DeviceCertificate ManagementCertificatesCustom Certificates (Device Certificates in PAN-OS 11.2 and earlier), and then click Generate.
    Enter a unique Certificate Name.
    Enter a Common Name. This should be the IP address or FQDN that appears in the certificate. Avoid using spaces in this field.
    For Signed By, select External Authority (CSR).
    (Optional) Add Certificate Attributes, such as Country or Department, to identify the NGFW.
    To save the CSR, click Generate.
    The Custom Certificates list displays the CSR with a Status of pending.
  2. Export the CSR.
    From the Custom Certificates list, select the pending certificate, and then click Export Certificate.
    The CSR downloads.
    Save the CSR.
  3. Submit the certificate request to the enterprise CA.
    After receiving the signed certificate, save it to your system.
  4. (Required for Clients Running Windows or Windows Server) Generate a subordinate CA certificate.
    Submit a certificate request that uses the Subordinate Certification Authority certificate template based on the CSR that you previously exported.
    Download the certificate chain.
    
    Configure Missing Subordinate Certificate Authority Template
    The Subordinate Certificate Authority template may be unavailable for reasons such as a failed migration or missing permissions. Try the following procedure to configure the missing template:
    Launch the Certificate Manager tool. From the Command Line, PowerShell, or Run, enter certsrv.msc.
    
    Under the Certificate Authority (Local) header, right-click Certificate Templates. Then, click New Certificate Template to Issue.
    
    The Enable Certificate Templates dialog appears.
    Select Subordinate Certificate Authority from the list of templates, and then click OK.
    
    The Subordinate Certificate Authority gets added to the list of certificate templates.
  5. Import the enterprise CA-signed certificate and subordinate CA certificate (if applicable) onto the NGFW.
    Select DeviceCertificate ManagementCertificates Custom Certificates, and then click Import.
    An Import Certificate dialog appears.
    Enter the Certificate Name as it appears in the CSR. For successful validation, the name must match the pending certificate name exactly.
    Browse for the Certificate File.
    Click OK.
    The Custom Certificates tab displays the certificate with a Status of valid and the Key and CA check boxes selected.
    Repeat the import steps for the subordinate CA certificate.
  6. Designate a Forward Trust Certificate.
    If you don't have a subordinate CA certificate:
    From the Custom Certificates list, select the enterprise CA-signed certificate.
    The Certificate information dialog opens.
    Select the Forward Trust Certificate option.
    Click OK.
    (Windows or Windows Server users) Mark only the subordinate CA certificate as the Forward Trust certificate , and then click OK.
- Use a self-signed certificate as the Forward Trust certificate:
  Generate a self-signed root CA certificate.
  The certificate is automatically saved to the Custom Certificates (Device Certificates in PAN-OS 11.2 and earlier) list.
  Designate the certificate as the trusted root CA certificate.
  Select the self-signed certificate from the Custom Certificates list (DeviceCertificate ManagementCertificatesCustom Certificates).
  The Certificate information dialog opens.
  Select the Trusted Root CA option.
  Click OK.
  Generate a new subordinate CA certificate for each NGFW:
  Select DeviceCertificate ManagementCertificates Custom Certificates, and then click Generate.
  Enter a unique Certificate Name.
  Enter a Common Name. This should be the IP address or FQDN that appears in the certificate. Avoid using spaces in this field.
  For Signed By, select the self-signed root CA certificate.
  Select the Certificate Authority option.
  This option enables the NGFW to issue the certificate.
  Generate the certificate.
  Repeat for each NGFW.
Distribute the Forward Trust certificate to client system certificate stores.
SKIP THIS STEP if you're using an enterprise-CA signed certificate as the Forward Trust certificate and the client systems already have the enterprise CA installed in their local trusted root CA list. (The client systems trust the subordinate CA certificates generated on the NGFW because the enterprise trusted root CA has signed them.)

If you don't install the Forward Trust certificate on client systems, users see certificate warnings for each SSL site they visit.
- On an NGFW configured as a GlobalProtect portal:
  
  This option is supported with Windows and Mac client OS versions, and requires installation of GlobalProtect app 3.0.0 or later on the client systems.
  1. Select NetworkGlobalProtectPortals, and then select an existing portal configuration or Add a new one.
  2. Select Agent, and then select an existing agent configuration or Add a new one.
  3. Add the self-signed trusted root CA certificate to the Trusted Root CA section.
    After GlobalProtect distributes the trusted root CA certificate to client systems, the client systems trust the NGFW's subordinate CA certificates because the clients trust the root CA certificate.
  4. Install in Local Root Certificate Store to enable the GlobalProtect portal to automatically distribute and install the certificate in the certificate store on GlobalProtect client systems.
  5. Click OK twice.
- Without GlobalProtect:
  1. Export the NGFW trusted root CA certificate so you can import it to client systems. Highlight the certificate, and then Export it in PEM format.
    
    Don't select the Export private key checkbox. The private key should remain on the NGFW and not be exported to client systems.
  2. Import the trusted root CA certificate into the browser Trusted Root CA list on the client systems.
    When importing, ensure that you add the certificate to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment option, such as an Active Directory Group Policy Object (GPO).
Configure the Forward Untrust certificate.
Use the same Forward Untrust certificate for each NGFW. Clients receive a certificate warning when attempting to access sites with untrusted certificates.
Don't export the Forward Untrust certificate to the certificate trust lists of your network devices.
Don't install the Forward Untrust certificate on client systems. Installing the Untrust certificate in the Trust List results in devices trusting websites that the NGFW doesn't trust. In addition, users won’t see certificate warnings for untrusted sites, so they may access those sites, which could expose your network to threats.
1. Select DeviceCertificate ManagementCertificates Custom Certificates, and then click Generate.
2. Enter a Certificate Name.
3. Enter a Common Name. Leave Signed By blank.
4. Select the Certificate Authority option.
5. Generate the certificate.
6. Designate the certificate as the Forward Untrust certificate.
  Select DeviceCertificate ManagementCertificatesCustom Certificates, and then select the Forward Untrust certificate.
  The Certificate information dialog opens.
  Select the Forward Untrust Certificate option.
  Click OK.
(Optional) Configure the key size for the SSL Forward Proxy server certificates that the NGFW presents to clients.
By default, the NGFW determines the key size to use based on the key size of the destination server certificate.
Create a decryption policy rule for SSL Forward Proxy.
1. Select PoliciesDecryption, add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
  For Action, select Decrypt.
  For Type, select SSL Forward Proxy.
  (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic.
  For example, create a decryption profile or select one that performs certificate checks and blocks weak cipher suites and protocols from allowing questionable traffic on your network.
3. Click OK.
Commit your changes.
Choose your next step:
- Enable users to opt out of SSL decryption.
- Configure decryption exclusions to disable decryption for certain types of traffic.
- (Advanced WildFire® subscriptions only) Forward decrypted SSL traffic for WildFire analysis.