Configure SSL Forward Proxy
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 10.1
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- Management Interfaces
-
- Launch the Web Interface
- Configure Banners, Message of the Day, and Logos
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 10.1
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
-
Cloud Management and AIOps for NGFW
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure SSL Forward Proxy
SSL Forward Proxy decryption enables the firewall to
see potential threats in outbound encrypted traffic and apply security
protections against those threats.
To enable the firewall to perform SSL
Forward Proxy decryption, you must set up the certificates required
to establish the firewall as a trusted third party (proxy) to the
session between the client and the server. The firewall can use
certificates signed by an enterprise certificate authority (CA)
or self-signed certificates generated on the firewall as Forward
Trust certificates to authenticate the SSL session with the
client.
- (Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother.
- Self-signed Certificates—The firewall can act as a CA and generate self-signed certificates that the firewall can use to sign the certificates for sites which require SSL decryption. The firewall can sign a copy of the server certificate to present to the client and establish the SSL session. This method requires that you need to install the self-signed certificates on all of your network devices so that those devices recognize the firewall’s self-signed certificates. Because the certificates must be deployed to all devices, this method is better for small deployments and proof-of-concept (POC) trials than for large deployments.
Additionally,
set up a Forward Untrust certificate for the firewall
to present to clients when the server certificate is signed by a
CA that the firewall does not trust. This ensures that clients are
prompted with a certificate warning when attempting to access sites
with untrusted certificates.
Regardless
of whether you generate Forward Trust certificates from your Enterprise
Root CA or use a self-signed certificate generated on the firewall,
generate a separate subordinate Forward Trust CA certificate for
each firewall. The flexibility of using separate subordinate CAs
enables you to revoke one
certificate when you decommission a device (or device pair) without
affecting the rest of the deployment and reduces the impact in any
situation in which you need to revoke a certificate. Separate Forward
Trust CAs on each firewall also helps troubleshoot issues because
the CA error message the user sees includes information about the
firewall the traffic is traversing. If you use the same Forward
Trust CA on every firewall, you lose the granularity of that information.
After
setting up the Forward Trust and Forward Untrust certificates required
for SSL Forward Proxy decryption, create a Decryption policy rule
to define the traffic you want the firewall to decrypt and create
a Decryption profile to apply SSL controls and checks to the traffic.
The Decryption policy decrypts SSL tunneled traffic that matches
the rule into clear text traffic. The firewall blocks and restricts
traffic based on the Decryption profile attached to the Decryption
policy and on the firewall Security policy. The firewall re-encrypts
traffic as it exits the firewall.
When you configure
SSL Forward Proxy, the proxied traffic does not support DSCP code
points or QoS.
- Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.View configured interfaces on the NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
- Configure the Forward Trust certificate for the firewall to present to clients when a trusted CA has signed the server certificate. You can use an enterprise CA-signed certificate or a self-signed certificate as the forward trust certificate.(Recommended Best Practice) Use an enterprise CA-signed certificate as the Forward Trust certificate. Create a uniquely named Forward Trust certificate on each firewall:
- Generate
a Certificate Signing Request (CSR) for the enterprise CA to sign
and validate:
- Select DeviceCertificate ManagementCertificates and click Generate.
- Enter a Certificate Name. Use a unique name for each firewall.
- In the Signed By drop-down, select External Authority (CSR).
- (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
- Click Generate to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
- Export the CSR:
- Select the pending certificate displayed on the Device Certificates tab.
- Click Export to download and save the certificate file.Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
- Click OK.
- Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate to import onto the firewall.
- Import the enterprise CA-signed certificate onto the firewall:
- Select DeviceCertificate ManagementCertificates and click Import.
- Enter the pending Certificate Name exactly. The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
- Select the signed Certificate File that you received from your enterprise CA.
- Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
- Select the validated certificate to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
- Click OK to save the enterprise CA-signed forward trust certificate.
Use a self-signed certificate as the Forward Trust certificate:- Create a self-signed Root CA certificate.
- Click the self-signed root CA certificate (DeviceCertificate ManagementCertificatesDevice Certificates) to open Certificate information and then click the Trusted Root CA checkbox.
- Click OK.
- Generate new subordinate CA certificates for each firewall:
- Select DeviceCertificate ManagementCertificates.
- Click Generate at the bottom of the window.
- Enter a Certificate Name.
- Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
- In the Signed By field, select the self-signed Root CA certificate that you created.
- Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
- Generate the certificate.
- Click the new certificate to modify it and click the Forward Trust Certificate checkbox to configure the certificate as the Forward Trust Certificate.
- Click OK to save the self-signed forward trust certificate.
- Repeat this procedure to generate a unique subordinate CA certificate on each firewall.
- Generate
a Certificate Signing Request (CSR) for the enterprise CA to sign
and validate:
- Distribute the forward trust certificate to client system certificate stores.If you are using an enterprise-CA signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA installed in the local trusted root CA list, you can skip this step. (The client systems trust the subordinate CA certificates you generate on the firewall because the Enterprise Trusted Root CA has signed them.)If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit.On a firewall configured as a GlobalProtect portal:This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
- Select NetworkGlobalProtectPortals and then select an existing portal configuration or Add a new one.
- Select Agent and then select an existing agent configuration or Add a new one.
- Add the self-signed firewall Trusted Root CA certificate to the Trusted Root CA section. After GlobalProtect distributes the firewall’s Trusted Root CA certificate to client systems, the client systems trust the firewall’s subordinate CA certificates because the clients trust the firewall’s Root CA certificate.
- Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
- Click OK twice.
Without GlobalProtect:Export the firewall Trusted Root CA certificate so that you can import it into client systems. Highlight the certificate and click Export at the bottom of the window. Choose PEM format.Do not select the Export private key checkbox! The private key should remain on the firewall and should not be exported to client systems.Import the firewall’s Trusted Root CA certificate into the browser Trusted Root CA list on the client systems in order for the clients to trust it. When importing into the client browser, ensure that you add the certificate to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment option, such as an Active Directory Group Policy Object (GPO). - Configure the Forward Untrust certificate (use the same Forward Untrust certificate for all firewalls).
- Click Generate at the bottom of the certificates page.
- Enter a Certificate Name, such as my-ssl-fwd-untrust.
- Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
- Click the Certificate Authority check box to enable the firewall to issue the certificate.
- Click Generate to generate the certificate.
- Click OK to save.
- Click the new my-ssl-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option.Do not export the Forward Untrust certificate to the Certificate Trust Lists of your network devices! Do not install the Forward Untrust certificate on client systems. This is critical because installing the Untrust certificate in the Trust List results in devices trusting websites that the firewall does not trust. In addition, users won’t see certificate warnings for untrusted sites, so they won’t know the sites are untrusted and may access those sites, which could expose your network to threats.
- Click OK to save.
- (Optional) Configure the Key Size for SSL Forward Proxy Server Certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
- Create a Decryption Policy Rule to define traffic for the firewall to decrypt and Create a Decryption Profile to apply SSL controls to the traffic.Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
- Select PoliciesDecryption, Add or modify an existing rule, and define traffic to be decrypted.
- Select Options and:
- Set the rule Action to Decrypt matching traffic.
- Set the rule Type to SSL Forward Proxy.
- (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a decryption profile to perform certificate checks and enforce strong cipher suites and protocol versions).
- Click OK to save.
- Enable the firewall to forward decrypted SSL traffic for WildFire analysis.This option requires an active WildFire license and is a WildFire best practice.
- Commit the configuration.
- Choose your next step:
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exclusions to disable decryption for certain types of traffic.