What precautions should one take if Firewall traffic intended for CDSS communication passes through a MITM Proxy?

Created On 11/29/22 17:52 PM - Last Modified 12/05/22 21:12 PM


Question


What precautions should one take if Firewall traffic intended for CDSS communication passes through a MITM Proxy?

Environment


  • Palo Alto Firewall or Panorama
  • Supported PAN-OS
  • Cloud-Delivered Security Services (CDSS)
  • Third Party Man in the Middle (MITM) proxy


Answer


The answer can be explained using the example below:

PAN Device ------> Edge MITM Web Proxy (external vendor) --------> PAN security service cloud

  1. A session between the Firewall and CDSS can be modified if the environment has a MITM proxy (not a Palo Alto Networks device) on the upstream path.
  2. The MITM proxy can be configured to broker a secure session to the CDSS services on behalf of the client (PAN Firewall/Devices), which means it can insert its own certificate into the session for deep packet inspection.
    • This also means a session started from the Firewall and intended for the PAN cloud is interrupted, and the proxy starts communicating on behalf of the Firewall.
    • Palo Alto Networks' cloud services accept a connection from a Firewall (or any other PAN device) only if they can authenticate it. This authentication relies on the certificate presented by the Firewall during the SSL/TLS handshake.
    • When an external proxy starts a session on behalf of the Firewall, it uses its own certificate, which differs from the one expected. As a result, the connection is rejected.
  3. To avoid this situation and allow a successful connection from the Firewall/any PAN device to CDSS, add a discrete exception rule in the proxy configuration. Refer to the proxy vendor's documentation for this, as these proxies are external devices and not from Palo Alto Networks. The rule should explicitly exclude each PAN device-to-CDSS flow from SSL decryption so that the proxy does not decrypt and re-encrypt that traffic.
  4. If the proxy is application-aware, this traffic can be identified by application; otherwise it can be identified by destination or other methods.
  5. Even if a proxy is not decrypting, it can redirect traffic based on built-in rules or DNS redirection. Ensure that DNS resolution does not modify the resolved address.
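The two checks a firewall administrator would want to run from the device's side of the proxy, as an added example (not code from the Palo Alto Networks article or product): inspect the issuer of the server certificate that actually arrives after the TLS handshake, which reveals a proxy that re-signs the session with its own CA (items 2 and 3 above), and compare the addresses the local resolver returns against the ranges the service is expected to use (item 5). The hostname, issuer names and IP ranges are constructed placeholders; the `getpeercert()` dict shape is the real one from Python's `ssl` module.

```python
"""Check, from the firewall's vantage point, whether a CDSS-bound TLS session
is being intercepted by an upstream MITM proxy and whether DNS for the
service hostname has been redirected.

Added example, not from the Palo Alto Networks article or product code.
Hostnames, issuer names and IP ranges below are constructed placeholders."""
import ipaddress
import socket
import ssl

# Constructed placeholder: replace with the issuer CN(s) the service really uses.
EXPECTED_ISSUER_CNS = {"Example Public CA"}
# Constructed placeholder: substrings that typically identify a proxy's signing CA.
PROXY_ISSUER_HINTS = ("proxy", "ssl inspection", "corporate")


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the tuple-of-tuples
    structure that ssl.SSLSocket.getpeercert() uses for subject and issuer."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def classify_chain(peercert, expected_issuers=EXPECTED_ISSUER_CNS):
    """Return 'direct', 'intercepted' or 'unknown' for a getpeercert() dict."""
    if not peercert:
        # Empty dict: the certificate was not validated, nothing to reason about.
        return "unknown"
    issuer_cn = _rdn_value(peercert.get("issuer", ()), "commonName") or ""
    if issuer_cn in expected_issuers:
        return "direct"
    if any(hint in issuer_cn.lower() for hint in PROXY_ISSUER_HINTS):
        return "intercepted"
    return "unknown"


def dns_redirected(resolved, expected_networks):
    """True if any resolved address falls outside the expected ranges."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return any(not any(ipaddress.ip_address(a) in n for n in nets) for a in resolved)


def probe(host, port=443):
    """Live check: resolve the name, then complete a TLS handshake and inspect
    the server certificate the device would actually receive."""
    resolved = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                verdict = classify_chain(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The presented chain is not trusted locally: either an interceptor whose
        # CA is not installed on this host, or a broken service certificate.
        verdict = f"untrusted chain ({exc.reason})"
    return resolved, verdict


# Constructed sample: what getpeercert() returns when a proxy re-signs the
# session with its own CA instead of passing the original chain through.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "service.example-cdss.invalid"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
}
# Constructed sample: the chain as issued by the expected public CA.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "service.example-cdss.invalid"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}

if __name__ == "__main__":
    print(classify_chain(SAMPLE_INTERCEPTED))                      # intercepted
    print(classify_chain(SAMPLE_DIRECT))                           # direct
    print(dns_redirected(["198.51.100.7"], ["198.51.100.0/24"]))   # False
    print(dns_redirected(["10.0.0.5"], ["198.51.100.0/24"]))       # True
    # Live probe against a placeholder name; substitute the real service hostname.
    # print(probe("service.example-cdss.invalid"))
```

A verdict of `intercepted`, or an `untrusted chain` result where the service certificate is known to be valid, means the proxy exception rule from step 3 is not matching this flow; `dns_redirected` returning `True` points at the DNS-redirection case from step 5 rather than at decryption.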


Additional Information


  • Examples of Cloud-Delivered Security Services (CDSS) are WildFire, DNS Security, ATP, and more.
  • A firewall or other PAN device may send a request for the verdict on an artifact (a hash, URL, or domain) to a CDSS and wait for the response, or it may need to communicate with any one of the CDSS services residing in the "cloud."
  • In environments where there is a Man-in-the-Middle (MITM) web proxy at the edge for outbound traffic between the PAN device and the Internet, the proxy may disrupt the timing of the CDSS communication, which leads to anomalous behavior of the cloud service. This is an external vendor proxy such as Blue Coat, F5, Cisco Umbrella, and more.

