SSL-Decryption-Certificates-TN-revC.pdf


SSL Decryption Certificates Tech Note

Overview

The Palo Alto Networks security gateway is capable of decrypting outbound SSL connections for the purpose of providing visibility and control of the traffic, without compromising the security or privacy of the traffic. This action is off by default and can be enabled selectively by policy, including source, destination, and URL category. To accomplish this, the Palo Alto device proxies the SSL connection, terminating the connection from the client and re-establishing the SSL connection to the destination server. Traffic in the SSL connection is then identified by application for visibility and control, and re-encrypted on the server-side leg to ensure continued privacy and security.

This document is intended to provide an overview of how to manage SSL certificates for the purpose of using the Palo Alto Networks security device for decrypting and inspecting outgoing SSL traffic, as well as loading the public certificate into the users' browsers as a trusted root certificate to avoid certificate mismatch warning messages.

Local Certificate Authority

In order to decrypt SSL sessions, a CA certificate is required. The device uses this CA certificate to generate a certificate for each SSL destination. By default, a self-signed certificate is used. Because this certificate is not a trusted CA, browsers and other applications will warn users that the identity of the site they are accessing could not be verified. Browsers can be configured to trust the CA certificate by importing it. Alternatively, a CA certificate that the enterprise already trusts can be installed on the device for use in the SSL decryption process.

The following sections describe common ways to load certificates into the Palo Alto Networks device, how to load trusted CA certificates into a user's browser manually, and how to use Microsoft's Active Directory Group Policy Object tool to automatically load the CA certificate into Windows for use by Internet Explorer.
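The trust relationship this section describes, as an added example that is not part of the tech note and not Palo Alto Networks' code: a throwaway self-signed CA plays the firewall's decryption CA, a per-destination leaf certificate is minted for www.example.com with the same subject and SAN the real site would present, and openssl verify plays the browser. It assumes the openssl command-line tool is on PATH; the CA names, the hostname and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the tech note and not Palo Alto's implementation:
# reproduce the trust model of a decryption CA with openssl.
#   - "Example Decryption CA" stands in for the self-signed CA on the firewall
#   - the leaf minted for www.example.com stands in for the per-destination
#     certificate the device generates on the fly
#   - "Unrelated Root CA" stands in for a browser trust store that has NOT
#     imported the firewall's CA
# All names, hostnames and file names are illustrative assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Write a minimal openssl req config so the example does not depend on a
# system-wide openssl.cnf being present.
write_req_cnf() {  # $1 = output file, $2 = CN, $3 = extension section body
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
req_extensions = ext
[dn]
CN = $2
[ext]
$3
EOF
}

# Self-signed CA: basicConstraints CA:TRUE plus keyCertSign is what lets it
# sign the per-destination certificates.
make_ca() {  # $1 = file prefix, $2 = CA common name
    write_req_cnf "$1.cnf" "$2" "basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Mint the certificate the device presents to the client for one destination:
# same subject and SAN as the real site, but issued by the decryption CA.
mint_leaf() {  # $1 = destination hostname
    write_req_cnf "leaf-$1.cnf" "$1" "basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "leaf-$1.cnf" -keyout "leaf-$1.key" -out "leaf-$1.csr" 2>/dev/null
    openssl x509 -req -in "leaf-$1.csr" -CA decrypt-ca.pem -CAkey decrypt-ca.key \
        -CAcreateserial -days 365 -sha256 \
        -extfile "leaf-$1.cnf" -extensions ext -out "leaf-$1.pem" 2>/dev/null
}

# What a client does: build a chain from the presented leaf to the CAs it
# trusts. Prints TRUSTED or UNTRUSTED (the latter is the browser warning).
check_trust() {  # $1 = leaf cert, $2 = CA file the client trusts
    if openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

issuer_cn() {  # $1 = cert; prints its issuer DN in RFC 2253 form
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

san_of() {  # $1 = cert; prints the DNS names in subjectAltName
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

make_ca decrypt-ca   "Example Decryption CA"
make_ca unrelated-ca "Unrelated Root CA"
mint_leaf www.example.com

echo "leaf SAN:    $(san_of leaf-www.example.com.pem)"
echo "leaf issuer: $(issuer_cn leaf-www.example.com.pem)"
echo "client that imported the decryption CA: $(check_trust leaf-www.example.com.pem decrypt-ca.pem)"
echo "client that did not:                    $(check_trust leaf-www.example.com.pem unrelated-ca.pem)"
```

The leaf's subject and SAN match the destination; only the issuer differs, which is why the same certificate is TRUSTED for a client that imported decrypt-ca.pem and UNTRUSTED for one that did not. In a deployment the device's CA private key deserves the same protection as any enterprise CA key: whoever can sign with it can mint a certificate for any site, and every client that trusts that CA will accept it.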