Behavior of PA Firewall doing SSL Inbound inspection for PFS Ciphers
Created On 12/12/18 06:56 AM - Last Modified 09/25/20 15:51 PM
Symptom
Starting with PAN-OS 8.0, the PA firewall supports inbound decryption for PFS ciphers; see SSL Inbound Inspection.
As that document explains, for PFS ciphers the PA firewall has to act as a proxy between the external client and the internal server. This article explains how this works and lists some caveats.
Following is the traffic flow:
- After the TCP three-way handshake, the client sends the Client Hello.
- At this point the firewall does not yet know whether the server will choose a PFS cipher, so the Client Hello is forwarded unaltered and no proxy function is invoked. This can be confirmed by comparing receive and transmit captures on the firewall.
- When the server responds with the Server Hello, the firewall inspects it against the allowed ciphers in the Decryption Profile -> SSL Protocol Settings.
- If the protocol version, cipher or algorithms selected in the Server Hello do NOT match those enabled in the SSL Protocol Settings, the firewall blocks or allows the session according to the options selected under SSL Inbound Inspection.
- If the protocol version, cipher and algorithms selected in the Server Hello do match those enabled in the SSL Protocol Settings, the behavior depends on the selected cipher:
- RSA cipher: The firewall does not need proxy mode and simply passes the Server Hello to the client. In this case the firewall can use the keys from the server certificate to inspect the rest of the communication.
- PFS cipher, i.e. a DHE or ECDHE cipher: The PA firewall invokes the proxy module and performs the following:
- Constructs a Server Hello using its own supported extensions and DH/ECDH key parameters. Check the supported key sizes, curves and extensions on the client side, as otherwise SSL connections may fail.
- If a Session ID (used for session resumption) is present in the Server Hello, the firewall sets the Session ID to 0, because the firewall does not have the keys that were used in the session being resumed.
- Sends the certificate as imported into the firewall, not the one coming from the server. It is therefore required to import the entire chain as one bundle: HOW TO INSTALL A CHAINED CERTIFICATE SIGNED BY A PUBLIC CA
- Generates its own Server Key Exchange and Client Key Exchange messages, thereby completing the handshake.
- After this, the transaction proceeds as in forward proxy.
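The decision flow above, as an added example that is not Palo Alto Networks code: it parses a TLS 1.2 Server Hello, applies the Decryption Profile check, and returns pass-through for RSA key exchange or proxy for DHE/ECDHE, where the proxy step shown is the Session ID being zeroed. The cipher table, profile and sample Server Hello are constructed for the example.

```python
import struct

# IANA cipher suite code points -> (name, key exchange). Constructed subset.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def parse_server_hello(msg):
    """Parse a ServerHello handshake message (TLS record header not included)."""
    if msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    version = struct.unpack("!H", msg[4:6])[0]          # after type(1) + length(3)
    sid_len = msg[38]                                   # after the 32-byte random
    session_id = msg[39:39 + sid_len]
    suite = struct.unpack("!H", msg[39 + sid_len:41 + sid_len])[0]
    name, kex = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    return {"version": VERSIONS.get(version, hex(version)),
            "session_id": session_id, "cipher": name, "kex": kex}

def inbound_inspection_action(hello, profile, block_unsupported=True):
    """profile = allowed 'versions' and 'kex' sets from the Decryption Profile."""
    if hello["version"] not in profile["versions"] or hello["kex"] not in profile["kex"]:
        # Not allowed by SSL Protocol Settings: block or allow per the inbound options.
        return "block" if block_unsupported else "allow-undecrypted"
    if hello["kex"] == "RSA":
        return "pass-through"   # the server certificate key is enough to decrypt
    return "proxy"              # DHE/ECDHE: the firewall must build its own ServerHello

def proxy_server_hello(msg):
    """One proxy step: zero the Session ID so the client cannot attempt resumption.
    (The real proxy also substitutes its own extensions and DH/ECDH parameters.)"""
    sid_len = msg[38]
    return msg[:39] + b"\x00" * sid_len + msg[39 + sid_len:]

def build_server_hello(version, suite, session_id=b""):
    """Construct a minimal ServerHello for testing (no extensions)."""
    body = struct.pack("!H", version) + b"\x11" * 32
    body += bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed profile: TLS 1.1/1.2 with RSA, DHE and ECDHE key exchange enabled.
PROFILE = {"versions": {"TLS1.1", "TLS1.2"}, "kex": {"RSA", "DHE", "ECDHE"}}
```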
Additional Information
NOTE:
- In inbound inspection for PFS, the firewall does not perform OCSP/CRL lookups, unlike forward proxy.
- For DHE/ECDHE keys the firewall uses a minimum of 256-byte (2048-bit) keys, so if a client does not support 2048-bit DH keys, the client will reset the SSL connection. Check for any plugins with limited support for SSL ciphers, keys or algorithms.
- For PFS ciphers, client certificates are currently not supported, so such SSL connections will fail.
For Troubleshooting any issues, do the following:
1. Enable packet captures with filters for "Client -> Server (pre-NAT IP if there is destination NAT)" and "Server (private IP) -> Client". Ports can additionally be used in the filters if required.
2. Additionally, pcaps taken on the client and server, if possible, can help further.
3. Packet-diags can be taken with the flow basic, proxy all, ssl all and tcp all flags.
4. Test with multiple client browsers or the openssl client (select the protocol version with -tls1, -tls1_1 or -tls1_2):
Windows:
openssl.exe s_client -debug -cipher <Cipher> -connect www.example.com:443 -tls1_2