An engineer is configuring SSL Inbound Inspection for public access to a company’s application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?
To perform SSL Inbound Inspection, the firewall must be able to decrypt and re-encrypt the traffic as it passes through. This requires having the end-entity certificate and its corresponding intermediate certificates (if any) installed on the firewall. The end-entity certificate is the one that is presented to the clients, and the intermediate CA certificates link the end-entity certificate to a trusted root CA. This allows the firewall to seamlessly act as an intermediary without causing client-side certificate errors. Therefore, you need to install the Intermediate CA(s) and the End-entity certificate on the firewall.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection We recommend uploading a certificate chain (a single file) to the firewall if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLS 1.2 and Rivest, Shamir, Adleman (RSA) or Perfect Forward Secrecy (PFS) key exchange algorithms. Uploading the chain avoids client-side server certificate authentication issues. You should arrange the certificates in the file as follows:
1. End-entity (leaf) certificate
2. Intermediate certificates (in issuing order)
3. (Optional) Root certificate
I think it is A, but not entirely clear from the PAN docs: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection Uploading the chain avoids client-side server certificate authentication issues. You should arrange the certificates in the file as follows:
1. End-entity (leaf) certificate
2. Intermediate certificates (in issuing order)
3. (Optional) Root certificate
A. On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. If your web server supports TLS 1.2 and PFS key exchange algorithms and your end-entity (leaf) certificate is signed by intermediate certificates, we recommend uploading a certificate chain (a single file) to the firewall. Uploading the chain avoids client-side server certificate authentication issues. We recommend uploading a certificate chain (a single file) to the firewall if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLS 1.2 and PFS key exchange algorithms. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkoCAC
"On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection"
The key doesn't need to be exportable, though, and typically external access to a web service is secured with a publicly issued certificate from a public CA.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection#:~:text=Uploading%20the%20chain,in%20more%20detail.
B. Root CA and Intermediate CA(s). When performing SSL Inbound Inspection, the firewall acts as a trusted intermediary between the client and the server. To establish trust with the client, the firewall must present a certificate chain that includes the Root CA and any intermediate CA(s) that issued the server's certificate. The Root CA certificate is the highest-level certificate in the certificate chain and is responsible for signing the intermediate CA certificates. The intermediate CA certificates, in turn, issue the server's end-entity certificate.