Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode

Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode

142746
Created On 09/25/18 19:10 PM - Last Modified 06/27/23 09:25 AM


Resolution


When configuring SSL decryption policy in order to define SSL traffic eligible for decryption, you have to make a choice between 2 different types/modes:

  • SSL Forward-Proxy
  • SSL Inbound Inspection

This article explains the difference between the two modes.

 

 

Forward-Proxy

2017-11-09_forward proxy.jpgSSL Forward Proxy showing an Internal user going to an External SSL site.

 

In Forward-Proxy mode, PAN-OS will intercept the SSL traffic which is matching the policy and will be acting as a proxy (MITM) generating a new certificate for the accessed URL. This new certificate will be presented during SSL Handshake to the Client accessing website with SSL. This certificate will be signed with the self-signed CA certificate or another certificate specified as:

Forward Trust Certificate
Note: If you want to use a certificate issued by third party, it needs to be a CA certificate and you will have to import public AND private key (Key Pair).

A separate certificate needs to be created to present to the Client when the Server Certificate signer is not trusted.
Forward Untrust Certificate

Note: If the same certificate was configured with both Forward Trust Certificate and Forward Untrust Certificate flags enabled, this would be a security risk, because Clients behind the firewall would always be presented with a Certificate they trust, even when the Server is presented with an invalid Certificate that should not be trusted.

 

  1. Internal user is trying to reach out www.google.com with https. Traffic is matching the decryption policy.
  2. This traffic is handled by our SSL proxy engine, and a certificate for www.google.com is generated by our internal PKI (signed by the CA certificate).
  3. PAN-OS is proxying the SSL traffic and setting up a new SSL connection with the Web Server.
  4. Web Server is starting handshake with PAN-OS device.
  5. PAN-OS device is completing its SSL handshake with client presenting generated certificate in Server Hello message.

 

Inbound Inspection

2017-11-09_inbound inspection.jpgInbound inspection showing when an external user comes into a webserver internally or in a DMZ.

In Inbound Inspection mode, PAN-OS will not act as a proxy with SSL traffic matching the policy. PAN-OS will try to decrypt this SSL traffic 'on-the-fly' by eavesdropping the SSL handshake and using associated Certificate (Key Pair) configured in decryption policy as below:
Screen Shot 2013-10-16 at 16.41.52.png

Note: This decryption mode can only work if you have control on the targeted Web Server certificate to be allow to import Key Pair on Palo Alto Networks Device. That's why this decryption mode is often use to decrypt SSL inbound traffic to Internal Web Server.

 

  1. External Client is trying to reach out an internal site www.domain.com with https. Traffic is matching the decryption policy.
  2. Our SSL Proxy Engine is starting to eavesdrop the SSL session with associated Key Pair.
  3. SSL request is sent to Web Server without being proxied.
  4. PAN-OS will inspect Server-Hello message during handshake to verify if both certificates (sent by the server and used in 2) are matching.
  5. If there is a match, decryption will be successful for the rest of the session; otherwise, decryption will be failing (dedicated global counters will be raised).

 

See also

SSL decryption resource list

The SSL decryption resource list has a long list of articles dealing with SSL decryption only. 

 

owner: nbilly



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language