Configure SSL Inbound Inspection
SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and to apply security protections against those threats. Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you load the server certificate and its private key onto the firewall). With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, and File Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes:
- Installing the targeted server certificate on the firewall.
- Creating an SSL Inbound Inspection Decryption policy rule.
- Applying a Decryption profile to the policy rule.
When you configure SSL Inbound Inspection, the proxied traffic does not support DSCP code points or QoS.
SSL Inbound Inspection does not support Authentication Portal redirect. To use Authentication Portal redirect together with decryption, you must use SSL Forward Proxy.
- Ensure that the appropriate interfaces are configured as Virtual Wire, Layer 2, or Layer 3 interfaces. You cannot use a Tap mode interface for SSL Inbound Inspection. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including the interface type.
- Ensure that the targeted server certificate is installed on the firewall. Select Device > Certificate Management > Certificates > Device Certificates to view the certificates installed on the firewall. The TLS versions that your web server supports determine how you should install the server certificate and key on the firewall. We recommend uploading a certificate chain (a single file) to the firewall if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLS 1.2 with RSA or Perfect Forward Secrecy (PFS) key exchange algorithms. Uploading the chain avoids client-side server certificate authentication issues. Arrange the certificates in the file as follows:
- End-entity (leaf) certificate
- Intermediate certificates (in issuing order)
- (Optional) Root certificate
You can upload the server certificate and private key alone to the firewall when the leaf certificate is signed by intermediate certificates, provided that your web server supports TLS 1.3 connections and the certificate chain is installed on the server. The SSL Inbound Inspection topic discusses each case in more detail. To import the targeted server certificate onto the firewall:
  - On the Device Certificates tab, select Import.
  - Enter a descriptive Certificate Name.
  - Browse for and select the targeted server Certificate File. Import the server's private key along with the certificate; without the private key the firewall cannot decrypt inbound sessions to that server.
  - Click OK.
- Create a Decryption policy rule to define the traffic for the firewall to decrypt, and create a Decryption profile to apply SSL controls to that traffic. Although Decryption profiles are optional, it is best to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
- Select Policies > Decryption, Add a rule or modify an existing rule, and define the traffic to be decrypted. Select Options and:
- Set the Action to Decrypt matching traffic.
- Set the Type to SSL Inbound Inspection.
- Add the Certificates for the internal server that is the destination of the inbound SSL traffic. SSL Inbound Inspection policy rules support a maximum of 12 certificates.
  You can configure a Decryption policy rule to decrypt SSL/TLS traffic bound for an internal server that hosts multiple domains, each domain with its own certificate. The firewall negotiates SSL/TLS connections using the certificate in your policy rule that matches the one the server presents for the requested URL.
  To update certificates for protected internal servers without incurring downtime, renew or obtain a new server certificate before it expires or otherwise becomes invalid. Then import the certificate and private key onto your firewall and add it to the SSL Inbound Inspection policy rule before installing the new certificate on your web server. Updating your policy rule with the new certificate while the old one is still active on your web server prepares the firewall to decrypt traffic to the server regardless of which certificate is in use. When you are ready to deploy the new certificate, load it onto your web server and check that you installed it correctly. Installing the new certificate does not affect existing connections. The firewall verifies that the certificate in the Server Hello message matches the new certificate in your Decryption policy rule. If there is no match, the session ends, and the corresponding Decryption log entry reports the session-end reason as a mismatch between the firewall and server certificate. Log successful handshakes to view the server certificates used in all inbound inspection sessions.
  (Panorama) Support for multiple certificates in SSL Inbound Inspection policy rules is unavailable in PAN-OS versions earlier than PAN-OS 10.2. If you push an SSL Inbound Inspection policy rule with multiple certificates from a Panorama management server running PAN-OS 10.2 to a firewall running an earlier version, the policy rule on the managed firewall inherits only the first certificate from the alphabetically sorted list of certificates. Before pushing your Decryption policy rule from Panorama, we recommend setting up separate templates or device groups for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to the appropriate firewalls.
- (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a Decryption profile that terminates sessions using unsupported algorithms or unsupported cipher suites). When you configure the SSL Protocol Settings of a Decryption Profile for SSL Inbound Inspection traffic, create separate profiles for servers with different security capabilities. For example, if one set of servers supports only RSA key exchange, the SSL Protocol Settings for those servers only need to allow RSA, whereas the SSL Protocol Settings for servers that support PFS should allow PFS. Configure SSL Protocol Settings for the highest level of security that the server supports, but check performance to ensure that the firewall resources can handle the higher processing load that stronger protocols and algorithms require.
- Click OK to save.
- Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This option requires an active WildFire license and is a WildFire best practice.
- Commit the configuration.
Choose your next step:
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption exclusions to disable decryption for certain types of traffic.
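As an added example (not part of the PAN-OS documentation and not a Palo Alto Networks tool), the following Python script performs two offline checks on the certificate material before it goes onto the firewall and before a renewed certificate is cut over on the server: that a chain file is ordered leaf, then intermediates in issuing order, then an optional root (the order required above), and that the leaf certificate held in the policy rule is byte-identical to the one the server will present (the mismatch that ends the session and is reported in the Decryption log). The certificates are constructed inside the script (unsigned placeholders with a dummy key, made-up hostnames and CA names) so that it runs offline; only the issuer, subject and DER bytes are meaningful. Name comparison is on the raw DER Name encoding, which is stricter than RFC 5280 name matching but correct for chains issued by one CA.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """DER bytes of every CERTIFICATE block in the text, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Decode the TLVs packed inside a constructed (SEQUENCE/SET) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out


def names(der):
    """(issuer, subject) of a certificate as raw DER Name contents, taken from TBSCertificate."""
    tbs = der_children(der_read(der, 0)[1])[0][1]      # Certificate ::= SEQ { tbs, sigAlg, sig }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # EXPLICIT [0] version (v2/v3 certificates)
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject, ...


def chain_order_problems(pem_text):
    """Problems with a chain file's order; [] means leaf -> intermediates -> (root) is correct."""
    certs = [names(d) for d in pem_to_ders(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i, (issuer, subject) in enumerate(certs, 1):
        if issuer == subject and i != len(certs):
            problems.append(f"certificate {i} is self-signed (a root) but is not last in the file")
        if i > 1 and certs[i - 2][0] != subject:      # this cert must have issued the one before it
            problems.append(f"certificate {i} is not the issuer of certificate {i - 1}")
    return problems


def leaf_matches(firewall_pem, server_pem):
    """True when the first certificate in each PEM text has the same SHA-256 fingerprint."""
    fw, srv = pem_to_ders(firewall_pem)[0], pem_to_ders(server_pem)[0]
    return hashlib.sha256(fw).digest() == hashlib.sha256(srv).digest()


# --- constructed sample certificates (unsigned placeholders, not real PKI material) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def sample_cert(subject_cn, issuer_cn, serial=1):
    """Minimal X.509 v3 shape with a dummy key and empty signature: enough for the checks above."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    body = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


LEAF = sample_cert("www.example.com", "Example Issuing CA")
INTERMEDIATE = sample_cert("Example Issuing CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
GOOD_CHAIN = LEAF + INTERMEDIATE + ROOT
BAD_CHAIN = INTERMEDIATE + LEAF + ROOT          # common mistake: intermediate placed before the leaf
RENEWED_LEAF = sample_cert("www.example.com", "Example Issuing CA", serial=2)

if __name__ == "__main__":
    print("good chain:", chain_order_problems(GOOD_CHAIN) or "ordered leaf -> intermediate -> root")
    print("bad chain: ", chain_order_problems(BAD_CHAIN))
    print("server still on old leaf, rule holds old leaf:", leaf_matches(LEAF, GOOD_CHAIN))
    print("server on renewed leaf, rule still holds old: ", leaf_matches(LEAF, RENEWED_LEAF))
```

To use it against real material, read the chain file you intend to upload into one string and the server's presented certificate (for example the output of `openssl s_client -showcerts`) into the other. A nonempty problem list means the chain file should be reordered before upload; a False from `leaf_matches` before cutover means the rule does not yet hold the certificate the server will present, which is exactly the condition that ends sessions with the certificate-mismatch reason.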