Setting Up SSL Forward Proxy Decryption with Palo Alto Firewalls

If you’re looking to improve your network security by inspecting encrypted traffic using Palo Alto firewalls, you’re in the right place! In this blog post, we’ll walk through the steps to set up SSL Forward Proxy decryption using certificates.

Why Certificates Matter

For SSL Forward Proxy decryption to work, the Palo Alto firewall sits in the middle of every TLS session it decrypts: it terminates the client's connection, opens its own connection to the server, and presents the client a copy of the server's certificate that it signs on the fly. For clients to accept that copy without warnings, the certificate the firewall signs with must chain to a CA the clients already trust. That is the job of the Forward Trust certificate; a second one, the Forward Untrust certificate, is used when the real server certificate fails validation.

The Two Types of Forward Trust Certificates

Enterprise CA-signed Certificates

It’s best to use a certificate signed by your enterprise Certificate Authority (CA). Why? Because domain-joined clients already trust that CA, so you don’t have to push anything new to them. One thing the CA team must get right: the firewall needs a subordinate CA certificate (basicConstraints CA:TRUE), not an ordinary web-server certificate, because the firewall will use it to sign the per-site certificates it generates. Here’s how you set it up:

1. Generate a Certificate Signing Request (CSR): Go to `Device > Certificate Management > Certificates` and click ‘Generate’. Fill in the details, tick ‘Certificate Authority’, and select ‘External Authority (CSR)’ in the ‘Signed By’ drop-down. Click ‘Generate’.

2. Export the CSR: Select the pending certificate and click ‘Export’. Save the CSR file. Only the request leaves the firewall; the private key stays on the box, which is exactly where it must remain.

3. Get it Signed by the Enterprise CA: Send the CSR file to your Enterprise CA and ask for it to be issued as a subordinate CA certificate. Once you receive the signed certificate, save it, together with the CA’s root (and any intermediate) certificate if the firewall doesn’t already have them, so that it can present the full chain to clients.

4. Import the Certificate Back: Go to `Device > Certificate Management > Certificates` and click ‘Import’. Enter exactly the same Certificate Name you used for the CSR so that PAN-OS pairs the signed certificate with the private key it already holds, then select the signed Certificate File. Click ‘OK’.

5. Enable as Forward Trust Certificate: Open the imported certificate, confirm it shows as valid, and tick ‘Forward Trust Certificate’.

Self-signed Certificates

Alternatively, the firewall can generate a self-signed root CA certificate. This is fine for small networks or a proof of concept, but every client must be given the new root, and applications that keep their own trust store (Firefox in its default configuration, Java, some command-line tools) need it installed separately. Here’s how:

1. Create a Self-signed Root CA Certificate: Follow the same steps as above, but tick ‘Certificate Authority’ and leave ‘Signed By’ set to the firewall itself.

2. Distribute to Client Systems: Export the Root CA certificate (the certificate only, as Base64/PEM or DER, never the private key) and import it into the clients’ trusted root store, for example via Group Policy or your MDM. This makes sure clients trust the certificates the firewall signs.


Forward Untrust Certificates

This certificate is just as important as the Forward Trust one. The firewall uses it to re-sign the certificate of a site whose real certificate failed validation (untrusted issuer, expired, and so on, depending on your Decryption Profile). Because clients do not trust it, they get the same browser warning they would have seen without the proxy, instead of silently accepting a bad site.

1. Generate the Certificate: Go to the certificates page and click ‘Generate’. Enter the details, tick ‘Certificate Authority’ (it must be a CA certificate too), and leave it signed by the firewall itself.

2. Enable as Forward Untrust Certificate: Open the certificate and tick the ‘Forward Untrust Certificate’ option.

Important: Do not add the Forward Untrust certificate to the trust lists of your network devices or install it on client systems. If you do, clients will accept any site whose real certificate is invalid without a warning, which is exactly the failure this certificate exists to surface.
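To make the three certificate procedures above concrete (the enterprise-signed Forward Trust certificate, the exported self-signed root, and the Forward Untrust certificate), here is an added example that is not part of the original post and not Palo Alto code. It rebuilds the same trust model with plain OpenSSL in a temporary directory, entirely offline: a stand-in enterprise root CA (`corp-root`), a subordinate CA certificate standing in for the firewall's Forward Trust certificate (`fw-trust`), a self-signed Forward Untrust CA (`fw-untrust`), and a re-signed leaf for one site. All names and files are constructed here. The checks it defines are the ones worth running before you import a signed certificate or hand a root to clients, and the last three lines show why installing the Untrust certificate on clients is a mistake.

```shell
#!/bin/sh
# Added example, not from the original post or from Palo Alto Networks.
# Rebuilds the SSL Forward Proxy trust model with OpenSSL in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
KEYOPTS="-nodes -newkey rsa:2048"   # unencrypted 2048-bit RSA keys, enough for a demo

# Extension profiles: what a CA certificate must carry, and what a plain server cert carries.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

# 1. Stand-in enterprise root CA; this is what domain-joined clients already trust.
openssl req -new $KEYOPTS -subj "/CN=corp-root" -keyout corp-root.key -out corp-root.csr 2>/dev/null
openssl x509 -req -in corp-root.csr -signkey corp-root.key -days 365 \
  -extfile ca.ext -out corp-root.pem 2>/dev/null

# 2. The firewall's CSR for the Forward Trust certificate (the private key never leaves).
openssl req -new $KEYOPTS -subj "/CN=fw-forward-trust" -keyout fw-trust.key -out fw-trust.csr 2>/dev/null

# 3a. Correct: the enterprise CA issues it as a subordinate CA.
openssl x509 -req -in fw-trust.csr -CA corp-root.pem -CAkey corp-root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out fw-trust.pem 2>/dev/null
# 3b. Common mistake: the CA issues it from an ordinary web-server template.
openssl x509 -req -in fw-trust.csr -CA corp-root.pem -CAkey corp-root.key -CAcreateserial \
  -days 365 -extfile ee.ext -out fw-trust-wrong.pem 2>/dev/null

# 4. Forward Untrust: a self-signed CA that deliberately chains to nothing clients trust.
openssl req -new $KEYOPTS -subj "/CN=fw-forward-untrust" -keyout fw-untrust.key -out fw-untrust.csr 2>/dev/null
openssl x509 -req -in fw-untrust.csr -signkey fw-untrust.key -days 365 \
  -extfile ca.ext -out fw-untrust.pem 2>/dev/null

# --- Checks to run before you click Import, and before you distribute anything ---

# Usable as a Forward Trust or Forward Untrust certificate? It must be a CA certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}
# Did the CA sign the key the firewall actually holds? Compare the public keys.
key_matches_csr() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# Safe to hand to clients? The file must contain no private key material.
public_only() { ! grep -q 'PRIVATE KEY' "$1"; }

# --- What a client sees: the firewall re-signs the site's certificate ---

openssl req -new $KEYOPTS -subj "/CN=www.example.com" -keyout site.key -out site.csr 2>/dev/null
openssl x509 -req -in site.csr -CA fw-trust.pem -CAkey fw-trust.key -CAcreateserial \
  -days 30 -out site-via-trust.pem 2>/dev/null      # the real server cert validated
openssl x509 -req -in site.csr -CA fw-untrust.pem -CAkey fw-untrust.key -CAcreateserial \
  -days 30 -out site-via-untrust.pem 2>/dev/null    # the real server cert failed validation

cp corp-root.pem client-store.pem                          # correct client root store
cat corp-root.pem fw-untrust.pem > client-store-wrong.pem  # the mistake the post warns about

# $1 = leaf presented to the client, $2 = client's root store, $3 = issuer sent in the chain
client_accepts() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

show() { if "$@"; then echo "yes  $*"; else echo "no   $*"; fi; }
show is_ca_cert fw-trust.pem                                                # yes
show is_ca_cert fw-trust-wrong.pem                                          # no: decryption would fail
show key_matches_csr fw-trust.csr fw-trust.pem                              # yes
show public_only fw-trust.pem                                               # yes
show public_only fw-trust.key                                               # no: never distribute this
show client_accepts site-via-trust.pem client-store.pem fw-trust.pem        # yes: clean padlock
show client_accepts site-via-untrust.pem client-store.pem fw-untrust.pem    # no: browser warning, as intended
show client_accepts site-via-untrust.pem client-store-wrong.pem fw-untrust.pem  # yes: warning suppressed, bad
```

The last line is the point of the warning above: once the Untrust certificate is in the client's root store, a site with a broken certificate looks identical to a good one. Run `is_ca_cert` against the certificate your CA returns before importing it; a Forward Trust certificate issued from a server template is the most common reason decryption silently fails.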


Wrapping Up the Configuration

Now you’ve got the certificates in place, it’s time to define the decryption policy and profile.

1. Create a Decryption Policy Rule: Go to `Policies > Decryption` and add a rule that matches the traffic you want to decrypt (source zone and users, destination, URL categories), with Action set to ‘Decrypt’ and Type set to ‘SSL Forward Proxy’. Start narrow, for example a test user group or a few URL categories, and widen the rule once you have seen what breaks.

2. Create a Decryption Profile: This step is optional but highly recommended. It lets you block sessions that use expired certificates or untrusted issuers, enforce a minimum protocol version (TLS 1.2 or later), and reject weak algorithms, so that decryption does not quietly lower the security of the connections it inspects. Attach the profile to your Decryption policy rule.

3. Forward Traffic for Analysis: You can let the firewall forward decrypted content for WildFire analysis by enabling ‘Allow Forwarding of Decrypted Content’ under `Device > Setup > Content-ID`. This requires an active WildFire license.

4. Commit the Configuration: Commit the configuration; none of the above takes effect until you do.

And voila! You’ve successfully set up SSL Forward Proxy decryption on your Palo Alto firewall.

Note: When you configure SSL Forward Proxy, the proxied traffic does not support DSCP code points or Quality of Service (QoS). Also, make sure the interfaces carrying the traffic are configured as virtual wire, Layer 2, or Layer 3 interfaces; the firewall has to be in the forwarding path, so decryption does not work on tap interfaces.


Next Steps

Consider giving users a way to opt out of SSL decryption (the SSL Decryption Opt-out response page) and configuring decryption exclusions: no-decrypt rules for sensitive URL categories such as financial services or health, and entries in the SSL Decryption Exclusion list for applications that pin their certificates and would otherwise break.

That’s it! You’re now geared up to inspect encrypted traffic effectively and make your network more secure.