Understanding SSL/TLS Decryption with Palo Alto Firewalls: Forward Trust and Forward Untrust Certificates

In network security, inspecting encrypted traffic is vital for detecting threats and ensuring data integrity. Palo Alto Networks firewalls employ SSL Forward Proxy decryption, using Forward Trust and Forward Untrust certificates to make inspection of SSL/TLS traffic possible. In this post, we look at how these certificates work and the role each plays in establishing a secure network environment.

Establishing Trust in SSL/TLS Connections

SSL/TLS connections rely on X.509 certificates to establish trust between clients and servers. These certificates contain identifying information such as the Fully Qualified Domain Name (FQDN) or IP address and must be issued by a Certificate Authority (CA). When a client wishes to authenticate a server, it expects a certificate that has been signed by a trusted CA. Trust is established if the client has the CA’s certificate in its trust store, allowing it to verify the server’s certificate.

SSL Forward Proxy Decryption

Palo Alto firewalls employ SSL Forward Proxy decryption to inspect encrypted traffic. The firewall effectively acts as an intermediary between the client and the destination server during this process. The firewall terminates the SSL/TLS session from the client, decrypts and inspects the content, and then initiates a new SSL/TLS session with the server.

To accomplish this, the firewall dynamically generates a new certificate for each accessed website and signs it with either the Forward Trust or the Forward Untrust certificate. Only the Forward Trust certificate, which clients are configured to trust, avoids security warnings.

Forward Trust Certificate

Purpose

The Forward Trust certificate is used when a client is accessing a site whose certificate is signed by a CA that the firewall trusts. The firewall will present the Forward Trust certificate to the client during decryption.

Step-by-step Process

1. The client initiates an SSL/TLS session to a website.

2. The Palo Alto firewall intercepts the SSL/TLS session and checks the certificate of the destination website. If the certificate is from a trusted CA, the firewall uses the Forward Trust certificate.

3. The firewall generates a copy of the server certificate, signed by the Forward Trust certificate, and presents it to the client.

4. The firewall establishes a separate SSL/TLS session with the destination server, decrypts and inspects the traffic, then re-encrypts it before forwarding it to the server.

Additional Considerations

  • The firewall chooses the key size of the certificate it presents to the client based on the key size of the destination server's certificate, although this can be configured manually.
  • The private key associated with the Forward Trust certificate should be backed up and stored securely. For enhanced security, consider storing it on a hardware security module (HSM).

Forward Untrust Certificate

Purpose

The Forward Untrust certificate is used when the firewall encounters a site with a certificate signed by a CA that the firewall does not trust. In this scenario, the firewall presents the Forward Untrust certificate to the client.

Step-by-step Process

1. The client initiates an SSL/TLS session to a website with a certificate signed by an untrusted CA.

2. The Palo Alto firewall intercepts the SSL/TLS session and uses the Forward Untrust certificate.

3. The firewall generates a copy of the server certificate, signed by the Forward Untrust certificate, and presents it to the client. This usually prompts the client with a certificate warning.

4. The firewall establishes a separate SSL/TLS session with the destination server, decrypts and inspects the traffic, then re-encrypts it before forwarding it to the server.

Summing Up

By utilizing Forward Trust and Forward Untrust certificates, Palo Alto firewalls enable SSL Forward Proxy decryption, facilitating the inspection of encrypted traffic. This practice is essential for detecting and mitigating security threats but should be conducted responsibly, keeping privacy considerations and legal constraints in mind.