Decryption Settings: Forward Proxy Server Certificate Settings

In the Session tab, Decryption Settings section, select Forward Proxy Server Certificate Settings to configure the Key Size and hashing algorithm of the certificates that the firewall presents to clients when establishing sessions for SSL/TLS Forward Proxy decryption. The following table describes the parameters.
Session Features: Forward Proxy Server Certificate Settings
Defined by destination host
Select this option if you want PAN-OS to generate certificates based on the key that the destination server uses:
  • If the destination server uses an RSA 1024-bit key, PAN-OS generates a certificate with that key size and an SHA-1 hashing algorithm.
  • If the destination server uses a key size larger than 1024 bits (for example, 2048 bits or 4096 bits), PAN-OS generates a certificate that uses a 2048-bit key and SHA-256 algorithm.
This is the default setting.
1024-bit RSA
Select this option if you want PAN-OS to generate certificates that use an RSA 1024-bit key and SHA-1 hashing algorithm regardless of the key size that the destination server uses. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2048 bits. In the future, depending on its security settings, a browser presented with such a key might warn the user or block the SSL/TLS session entirely.
2048-bit RSA
Select this option if you want PAN-OS to generate certificates that use an RSA 2048-bit key and SHA-256 hashing algorithm regardless of the key size that the destination server uses. Public CAs and popular browsers support 2048-bit keys, which provide better security than 1024-bit keys.
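To confirm which of these settings is actually in effect from a client's point of view, the quickest check is to fetch the certificate the firewall presents for a decrypted site and read its key size and signature hash. The script below is an added example, not part of the PAN-OS documentation or product; it assumes the openssl command-line tool is installed on the client, and the embedded sample output is constructed rather than captured from a real firewall.

```python
import re
import ssl
import subprocess

# Constructed sample of `openssl x509 -noout -text` output, shaped like the
# certificate a 1024-bit RSA / SHA-1 forward-proxy setting would produce.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Constructed Forward Trust CA
        Subject: CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""

def parse_openssl_text(text):
    """Return (key_bits, signature_algorithm) from `openssl x509 -text` output.
    The first 'Signature Algorithm' line is the one inside tbsCertificate."""
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    if not bits or not sig:
        raise ValueError("could not find key size or signature algorithm")
    return int(bits.group(1)), sig.group(1)

def assess(key_bits, sig_alg):
    """List the properties browsers are likely to warn on or reject:
    keys under 2048 bits and SHA-1 signatures (the 1024-bit RSA setting)."""
    problems = []
    if key_bits < 2048:
        problems.append(f"key size {key_bits} < 2048 bits")
    if "sha1" in sig_alg.lower():
        problems.append(f"signature uses SHA-1 ({sig_alg})")
    return problems

def inspect_presented_cert(host, port=443):
    """Fetch the leaf certificate a client receives for host:port (the
    firewall-generated one, when the path traverses the decrypting firewall)
    and return (key_bits, signature_algorithm, problems)."""
    pem = ssl.get_server_certificate((host, port))
    text = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=pem, capture_output=True, text=True,
                          check=True).stdout
    bits, sig = parse_openssl_text(text)
    return bits, sig, assess(bits, sig)
```

Run `inspect_presented_cert("www.example.com")` from a client behind the firewall; an empty problems list means the presented certificate matches what the 2048-bit RSA setting (or "Defined by destination host" for a 2048-bit origin) should produce.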