Configure SSL Inbound Inspection
Decrypt and inspect inbound SSL/TLS traffic for potential threats and apply security protections against those threats.
No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
You can decrypt and inspect SSL/TLS traffic destined for internal servers. SSL Inbound Inspection provides visibility into network activity, enabling effective monitoring and handling of traffic that may be risky but is not outright blocked. To enable SSL Inbound Inspection, install the server certificate and private key of each server you want to protect, and create a decryption policy rule for SSL Inbound Inspection. If you store the certificates and private keys of these servers on a hardware security module (HSM), you don't need to install the server certificate and private key on the Next-Generation Firewall (NGFW).
To strengthen security, configure a decryption profile that blocks sessions using insecure protocol versions and cipher suites and apply it to the decryption policy rules that control SSL Inbound Inspection. The NGFW enforces the actions defined in the decryption profile and additional profiles you apply to decryption policy rules. These may include Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, and File Blocking profiles.
As a best practice, forward decrypted SSL traffic to the Advanced WildFire cloud for analysis and signature generation.
When you configure SSL Inbound Inspection, the proxied traffic does not support DSCP code points or QoS.
SSL Inbound Inspection does not support Authentication Portal redirect. To use Authentication Portal redirect and decryption, configure SSL Forward Proxy.

Configure SSL Inbound Inspection (Strata Cloud Manager)

  1. Verify that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
    You can't use a tap mode interface for SSL Inbound Inspection.
    To view the configured interfaces, select Manage Configuration > NGFW and Prisma Access > Device Settings > Interfaces. You can select an interface to modify its configuration, including the interface type.
  2. Verify installation of the certificate for the destination server.
    To view installed certificates, log in to Strata Cloud Manager and select Device > Certificate Management > Certificates > Device Certificates.
    The TLS versions that your web server supports determine how you should install the server certificate and key. We recommend uploading a certificate chain (a single file) if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLSv1.2 and either RSA or PFS key exchange algorithms. Uploading the chain avoids client-side server certificate authentication issues.
    Arrange the certificates in the file as follows:
    1. End-entity (leaf) certificate
    2. Intermediate certificates (in issuing order)
    3. (Optional) Root certificate
    You can upload the server certificate and private key alone to Strata Cloud Manager when the leaf certificate is signed by intermediate certificates, if your web server supports TLSv1.3 connections and the certificate chain has been installed on the server. SSL Inbound Inspection discusses each case in detail.
    To import the server certificate onto Strata Cloud Manager:
    1. Select Manage Configuration > NGFW and Prisma Access > Objects > Certificate Management, and then Import a Custom Certificate.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the Certificate File.
    4. Save the certificate.
  3. Create a decryption policy rule to define the traffic that the NGFW decrypts.
    1. Select Manage Configuration > NGFW and Prisma Access > Security Services > Decryption, and then Add Rule or select an existing rule.
    2. Under the Action and Advanced Inspection section, configure the following settings:
      • For Action, select Decrypt.
      • For Type, select SSL Inbound Inspection.
      • Add up to 12 Certificates for the internal server you want to protect.
        Support for multiple certificates enables you to update server certificates without creating downtime and to create a policy rule for an internal server that hosts various domains, where each domain has its own certificate.
        To update the certificate for a protected internal server without incurring downtime, follow these steps:
        1. Renew or obtain a new server certificate before the current one expires or otherwise becomes invalid.
        2. Import the new certificate and private key onto your NGFW.
        3. Add the new certificate to your SSL Inbound Inspection policy rule.
          This must be done while a different certificate is active on the web server, so that a valid certificate in the policy rule always matches the certificate presented by the server.
        4. Install the new certificate on your web server, and then verify that it was properly installed.
        Installation of the new certificate doesn't impact existing connections. The NGFW verifies that the certificate in the Server Hello message matches the certificate in your decryption policy rule. If there isn't a match, the session ends, and the corresponding decryption log entry reports the session-end reason as a certificate mismatch between the firewall and server. To view the server certificates used in all inbound inspection sessions, select the Log Successful TLS handshakes and Log Unsuccessful TLS handshakes options under the Log Settings section of a decryption policy rule.
      • (Best Practice) Select or create a decryption profile that blocks insecure protocol versions and cipher suites.
        To create a best practice decryption profile for SSL Inbound Inspection, configure the options described in SSL Inbound Inspection Decryption Profile.
        Create separate profiles for servers with different security capabilities. For example, if a group of servers supports only RSA, in the SSL Protocol Settings of the decryption profile, select only RSA for the key exchange algorithm. Likewise, for servers that support only PFS, set the SSL Protocol Settings to only support PFS.
        Configure the SSL Protocol Settings for the highest level of security that the server supports, but check performance to ensure that the NGFW can handle the higher processing load that higher security protocols and algorithms require.
    3. Save your changes.
  4. Commit your changes.
  5. (PAN-OS 11.2 & later, HSM deployments only) Activate TLSv1.3 support for SSL Inbound Inspection with an HSM.
    Use the set ssl inbound-inspection tls1.3-with-hsm enable yes CLI command.
  6. Choose your next step:

Configure SSL Inbound Inspection (PAN-OS & Panorama)

  1. Verify that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
    You can't use a tap mode interface for SSL Inbound Inspection.
    To view the configured interfaces, select Network > Interfaces > Ethernet. You can select an interface to modify its configuration, including the interface type.
  2. Verify installation of the certificate for the destination server.
    To view installed certificates, log in to the NGFW, Prisma Access, or a management interface and select Device > Certificate Management > Certificates > Device Certificates.
    The TLS versions that your web server supports determine how you should install the server certificate and key. We recommend uploading a certificate chain (a single file) if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLSv1.2 and either RSA or PFS key exchange algorithms. Uploading the chain avoids client-side server certificate authentication issues.
    Arrange the certificates in the file as follows:
    1. End-entity (leaf) certificate
    2. Intermediate certificates (in issuing order)
    3. (Optional) Root certificate
    You can upload the server certificate and private key alone when the leaf certificate is signed by intermediate certificates, if your web server supports TLSv1.3 connections and the certificate chain has been installed on the server. SSL Inbound Inspection discusses each case in detail.
    To import the targeted server certificate onto the NGFW:
    1. Select Device > Certificate Management > Device Certificates, and then Import a certificate.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the Certificate File.
    4. Click OK to save your changes.
  3. Create a decryption policy rule to define the traffic that the firewall decrypts.
    1. Select Policies > Decryption, and then Add a new rule or modify an existing rule.
    2. Select Options and configure the following:
      • For Action, select Decrypt.
      • For Type, select SSL Inbound Inspection.
      • Add up to 12 Certificates for the internal server you want to protect.
        Support for multiple certificates enables you to update server certificates without creating downtime and to create a policy rule for an internal server that hosts various domains, where each domain has its own certificate.
        To update the certificate for a protected internal server without incurring downtime, follow these steps:
        1. Renew or obtain a new server certificate before the current one expires or otherwise becomes invalid.
        2. Import the new certificate and private key onto your NGFW.
        3. Add the new certificate to your SSL Inbound Inspection decryption policy rule.
          This must be done while a different certificate is active on the web server, so that a valid certificate in the policy rule always matches the certificate presented by the server.
        4. Install the new certificate on your web server, and then verify that it was properly installed.
        Installation of the new certificate doesn't impact existing connections. The NGFW verifies that the certificate in the Server Hello message matches the certificate in your decryption policy rule. If there isn't a match, the session ends, and the corresponding decryption log entry reports the session-end reason as a certificate mismatch between the firewall and server. To view the server certificates used in all inbound inspection sessions, select Log Successful SSL Handshake under Log Settings (Policies > Decryption > Options).
        (Panorama) Support for multiple certificates in SSL Inbound Inspection policy rules isn't available on PAN-OS versions earlier than PAN-OS 10.2. If you push an SSL Inbound Inspection policy rule with multiple certificates from a Panorama management server running PAN-OS 11.1 to an NGFW running older software, the policy rule on the managed NGFW inherits only the first certificate from the alphabetically sorted list of certificates.
        Before pushing your decryption policy rule from Panorama, we recommend setting up different templates or device groups for NGFWs running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to the appropriate NGFWs.
      • (Best Practice) Select or create a decryption profile that blocks insecure protocol versions and cipher suites.
        To create a best practice decryption profile for SSL Inbound Inspection, configure the options described in SSL Inbound Inspection Decryption Profile.
        Create separate profiles for servers with different security capabilities. For example, if a group of servers supports only RSA, in the SSL Protocol Settings of the decryption profile, select only RSA for the key exchange algorithm. Likewise, for servers that support only PFS, set the SSL Protocol Settings to only support PFS.
        Configure the SSL Protocol Settings for the highest level of security that the server supports, but check performance to ensure that the NGFW can handle the higher processing load that higher security protocols and algorithms require.
    3. Click OK to save your changes.
  4. Commit your changes.
  5. (PAN-OS 11.2, HSM deployments only) Activate TLSv1.3 support for HSM integration with SSL Inbound Inspection.
    Use the set ssl inbound-inspection tls1.3-with-hsm enable yes CLI command.
  6. Choose your next step:
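Step 2 of both procedures above requires the uploaded chain file to be ordered leaf, then intermediates in issuing order, then (optionally) the root. The following Go program is an added example, not part of the Palo Alto Networks documentation or product: it checks a PEM file for that order by confirming the first certificate is not a CA and that each certificate is signed by the one after it, and it builds its own constructed three-certificate chain (hypothetical names) to exercise the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder verifies a PEM chain file is laid out as the firewall expects: leaf first, then each issuer in turn.
func CheckChainOrder(pemData []byte) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(pemData); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes) // a private key or other non-certificate block is an error here
		if err != nil { return err }
		certs = append(certs, c)
	}
	if len(certs) == 0 || certs[0].IsCA {
		return fmt.Errorf("file must start with the end-entity (leaf) certificate")
	}
	for i := 1; i < len(certs); i++ { // each certificate must be signed by the one that follows it
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return fmt.Errorf("%q is not issued by %q: %v", certs[i-1].Subject.CommonName, certs[i].Subject.CommonName, err)
		}
	}
	return nil
}

// newCert builds a constructed test certificate for cn signed by pk (self-signed when parent is nil).
func newCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca}
	if parent == nil { parent, pk = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil { panic(err) }
	return t, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ExampleChains returns the constructed chain in upload order (leaf, intermediate, root) and a misordered copy (leaf, root, intermediate).
func ExampleChains() (good, bad []byte) {
	root, rootKey, rootPEM := newCert("Constructed Root CA", true, nil, nil)
	inter, interKey, interPEM := newCert("Constructed Intermediate CA", true, root, rootKey)
	_, _, leafPEM := newCert("www.example.test", false, inter, interKey)
	good = append(append(append([]byte{}, leafPEM...), interPEM...), rootPEM...)
	bad = append(append(append([]byte{}, leafPEM...), rootPEM...), interPEM...)
	return good, bad
}
```

Run the check against the actual chain file before importing it; a misordered file is rejected with the name of the certificate whose issuer does not follow it.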