1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Decryption
    5. Configure SSL Forward Proxy
    Previous
    Next
    To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
    (Recommended) Enterprise CA-signed Certificates
    An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
    Self-signed Certificates
    When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
    Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
    After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.
    Configure SSL Forward Proxy
    Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
    Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA: (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate. Use a self-signed certificate as the forward trust certificate.
    (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate: Select Device > Certificate Management > Certificates and click Generate. Enter a Certificate Name, such as my-fwd-proxy. In the Signed By drop-down, select External Authority (CSR). (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab. Export the CSR: Select the pending certificate displayed on the Device Certificates tab. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall. Click OK. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall. Import the enterprise CA-signed certificate onto the firewall: Select Device > Certificate Management > Certificates and click Import. Enter the pending Certificate Name exactly (in this case, my-fwd-trust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated. Select the signed Certificate File that you received from your enterprise CA. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected. Select the validated certificate, in this case, my-fwd-proxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption. Click OK to save the enterprise CA-signed forward trust certificate.
    Use a self-signed certificate as the forward trust certificate. Generate a new certificate: Select Device > Certificate Management > Certificates. Click Generate at the bottom of the window. Enter a Certificate Name, such as my-fwd-trust. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field. Leave the Signed By field blank. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA. Generate the certificate. Click the new certificate my-fwd-trust to modify it and enable the certificate to be a Forward Trust Certificate. Click OK to save the self-signed forward trust certificate.
    Distribute the forward trust certificate to client system certificate stores. If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit. If you are using an enterprise-CA signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step. On a firewall configured as a GlobalProtect portal: This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems. Select Network > GlobalProtect > Portals and then select an existing portal configuration or Add a new one. Select Agent and then select an existing agent configuration or Add a new one. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section. Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems. Click OK twice. Without GlobalProtect: Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).
    Configure the forward untrust certificate. Click Generate at the bottom of the certificates page. Enter a Certificate Name, such as my-fwd-untrust. Set the Common Name, for example 192.168.2.1. Leave Signed By blank. Click the Certificate Authority check box to enable the firewall to issue the certificate. Click Generate to generate the certificate. Click OK to save. Click the new my-ssl-fw-untrust certificate to modify it and enable the Forward Untrust Certificate option. Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates. Click OK to save.
    (Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate. Configure the Key Size for SSL Forward Proxy Server Certificates.
    Create a Decryption Policy Rule to define traffic for the firewall to decrypt. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted. Select Options and: Set the rule Action to Decrypt matching traffic. Set the rule Type to SSL Forward Proxy. (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions). Click OK to save.
    Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This option requires an active WildFire license and is a WildFire best practice.
    Commit the configuration.
    Choose your next step... Enable Users to Opt Out of SSL Decryption. Configure Decryption Exceptions to disable decryption for certain types of traffic.
    Previous
    Next

    Related Documentation

    Transparent Certificate Distribution for SSL Forward Proxy

    Transparent Certificate Distribution for SSL Forward Proxy You can now easily and transparently install the trusted root certificate authority (CA) certificates that are required for ...

    Device > Certificate Management > Certificates

    Device > Certificate Management > Certificates Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, ...

    Keys and Certificates for Decryption Policies

    Keys and Certificates for Decryption Policies Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. ...

    Deploy Server Certificates to the GlobalProtect Components

    Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...

    SSL Forward Proxy

    SSL Forward Proxy Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy ...

    Keys and Certificates

    Keys and Certificates To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains ...

    Certificate Deployment

    Certificate Deployment The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are: Obtain certificates from a trusted third-party CA —The benefit ...

    Import a Certificate and Private Key

    Import a Certificate and Private Key If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into ...

    Store Private Keys on an HSM

    Store Private Keys on an HSM For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for: SSL ...

    Deploy Machine Certificates for Authentication

    Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo