Configuring SSL/TLS decryption on the Palo Alto

Captions
In this video we're going to talk about how to configure SSL or TLS decryption on the Palo Alto firewall. Now, SSL and TLS encryption, or decryption, is one of those things that they told you can't be done, but it turns out that actually you can. It's there by design; you just have to be the right person at the right place in order to do it properly. Let's go ahead and see an example of how this might work in the real world.

I'm going to go ahead and open up Internet Explorer here and I'm just going to go to facebook.com. Now when we go to facebook.com, not only do we see that it is HTTPS, but we also have this lock icon right here that gives us more information about what's going on. When I click on the lock icon we can say "View certificates" and it gives us more information about the certificate that is used to encrypt the stream. Here we can see that this is issued to facebook.com, and it was issued by a company called DigiCert. Now my computer over here has been configured to trust DigiCert. DigiCert has said, "Hey, facebook.com is a legitimate site, you can trust them." Since I trust DigiCert, and DigiCert says I can trust Facebook, I go ahead and automatically trust facebook.com. That's pretty much how it works. Now there's a whole lot more detail as far as how all this ties together, but that's pretty much the crux of everything that needs to be in there.

So if we look at our network diagram, there we go. What was happening was we have our facebook.com down here, and then up here is DigiCert. When my client went out to facebook.com, it said, "Hey, I want to communicate with you." facebook.com then sent back some communications using its certificate. My server went up to DigiCert and said, "Hey, is this a valid certificate?" Once it was confirmed, yes, it is a valid certificate, the information in the certificate is then used to establish the encrypted communication.

Now the Palo Alto can actually replace a lot of this, so that when I talk through the Palo Alto and say I want to talk to Facebook, it talks to Facebook on my behalf. Facebook then sends back its certificate, and the Palo Alto goes up against DigiCert to see if it is in fact a trusted certificate. If it is, then the Palo Alto can create a new certificate, using it from the Palo Alto to me, and then establish an encrypted communication internally while there's still an encrypted communication externally. So previously there was only the one encrypted communication between my server and Palo Alto, but now there's two: one between my server and the Palo Alto, and then the other one between the Palo Alto and Facebook. I think I misspoke previously: one between my server and Facebook, not Palo Alto. If that doesn't make a whole lot of sense to you, don't worry, there's a whole lot there; definitely research it, but it's not that critical for this particular scenario.

In order to have unencrypted data on the Palo Alto I need three different things. First off, I need to set up and create a CA, a certificate authority, on the Palo Alto to replace DigiCert. The second step I need to do is I need to trust that CA, so once I create the CA on the Palo Alto I need to somehow configure my server to trust the Palo Alto. And then the third one is I need to configure a decryption policy. Once all that's done, the Palo Alto will decrypt all my data for me while it's going between me and Facebook, or me and any other site that I might want. So let's go ahead and see how that works.

So I'm going to start off by creating the certificate authorities. I only need one, but the Palo Alto actually needs me to make two, so we'll go up there. To create the certificate authorities I'm going to click on Device, and then on the left-hand side, if we scroll on down, we can see a grouping here called Certificate Management, and inside of that, Certificates. Down at the bottom I'm going to click Generate. Now if you have a corporate CA already in your environment you can use that; I don't, so I'm going to have the Palo Alto hold it all for me. For the certificate name I'll just call this "trusted CA", and then for the common name I will use the IP address of the internal interface of my firewall. Again, the common name needs to be either an IP address or the DNS name that the traffic is coming from; that's a certificate authority / SSL issue, research that if you're not familiar with it. Then once I've specified this, I say it is a certificate authority, so it can then create other certificates later down the road, and say OK, or Generate. And then I'm going to do that again: I'm going to generate another one, I'm going to call this "untrusted CA" with a common name of "untrust". That doesn't actually exist as a DNS name, and that's perfectly fine. Click Certificate Authority and Generate.

All right, so I've generated the certs. I still need to configure a little bit more of them. I'm going to click on the trusted CA and say this is the Forward Trust certificate, and OK. And then I'm going to click on the untrusted CA and say that this is the Forward Untrust certificate, and OK. So I've just created the CAs; now they can go ahead and create additional certificates as necessary.

The second step is to trust this certificate authority, specifically the trusted certificate authority. I called it "trusted"; I haven't yet trusted it. So in order to trust that I need to export it off the Palo Alto. I'll go ahead and click the Export button down here at the bottom. I don't need the private key, so I'll just go and say OK, and yes, I want to keep that. And then to import it, I'm going to go ahead and open it, Open, and click Install Certificate. Where do I want to put it? I want to put this on the local machine; if there's more than one user, that way it applies to all those users on the machine. Next. And then where do I want to put it? Well, I want to put this in the trusted certificate authorities. I want to be able to specify, "this is a trusted CA, trust everything that it creates." And OK, and Next, and Finish. OK, so we created the CAs, and I then imported and trusted the CA. There are ways you could do that with Group Policy if you have an Active Directory domain, or other scripting options; lots of ways to do it in larger organizations.

Now that I have trusted that certificate authority, I now need to create a decryption policy in order to use it. That's under Policies, and then on the left-hand side we have Decryption. There's no existing policy, so I'm going to go ahead and say Add. This is very similar to the security or NAT policies. I will give this a name, let's say "decrypt policy". The source is going to be the internal zone, the destination is going to be the external zone, no services or URLs, and then under Options I want to decrypt it utilizing the forward proxy. All right, we say OK, and then finally we commit. So there were a lot of steps there, and this video is definitely not going to cover all the possible options that you might need in a business organization, but hopefully it's enough to get a test lab up and running that you can play with and configure or adjust for your business needs.

All right, so at this point I'm going to open up Internet Explorer again and I'm going to go back to facebook.com. From the end user's point of view everything looks exactly the same: we still have HTTPS, we still have the lock icon. But this is where things start getting a lot more interesting. If I click on the lock icon and View Certificate, I can now see that the certificate was not signed by DigiCert; in fact it was signed by 192.168.1.1. It was signed by the Palo Alto. So when the traffic came in to the Palo Alto it was decrypted on the Palo Alto, it was then re-signed by the Palo Alto, and then forwarded on to the end user. This way, if somebody was sending malicious data such as viruses or malware, or they were exfiltrating data such as social security numbers or credit card numbers, we could then inspect the traffic even though it's encrypted. We can inspect the traffic coming or going into the environment and manage the traffic policies accordingly.
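The video does the client-side step (trusting the exported forward-trust CA) by hand in the certificate import wizard and then eyeballs the issuer in Internet Explorer. The following PowerShell is an added example, not code from the video or from Palo Alto Networks, that does the same two things from a script so they can be pushed to many Windows clients or checked in a lab: it installs the exported CA into the machine-wide trusted root store, verifies the installed certificate is actually a CA, and then opens a TLS connection and reports who signed the served leaf. The file path C:\temp\trusted-CA.cer is an assumption; the CA common name 192.168.1.1 and the test host facebook.com are taken from the video.

```powershell
# Added example (not from the video): trust the Palo Alto forward-trust CA on a
# Windows client and confirm the forward proxy is re-signing traffic.
# Assumptions: the CA was exported WITHOUT its private key to C:\temp\trusted-CA.cer
# and was generated with the firewall's internal IP, 192.168.1.1, as its common name.
# Run from an elevated PowerShell session (writing to LocalMachine stores needs admin).

$CerPath   = 'C:\temp\trusted-CA.cer'   # exported CA certificate (assumed path)
$ProxyName = '192.168.1.1'              # CN the CA was generated with in the video

# Step 2 of the video, scripted: install the CA into the machine-wide trusted root
# store. This is what the import wizard does when you choose "Local Machine" and the
# trusted root store; Import-Certificate comes with the built-in PKI module.
$ca = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# Check: the certificate landed in the root store and carries basicConstraints CA=TRUE.
# A certificate that is not marked as a CA cannot sign the per-site certificates the
# firewall generates, so the browser would still warn even though it is "trusted".
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) { throw 'CA not found in Cert:\LocalMachine\Root' }

$basic = $installed.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($basic -and $basic.CertificateAuthority)) {
    throw 'Installed certificate is not marked as a certificate authority'
}

# The check the video does by clicking the lock icon in IE: connect, complete the TLS
# handshake, and read the issuer of the leaf that was actually presented.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: we want to inspect the leaf, not validate it.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$leaf = Get-ServedCertificate -HostName 'facebook.com'
Write-Host "Subject: $($leaf.Subject)"
Write-Host "Issuer : $($leaf.Issuer)"

if ($leaf.Issuer -like "*CN=$ProxyName*") {
    Write-Host 'Decryption is active: the leaf was re-signed by the firewall CA.'
} else {
    Write-Host 'Not intercepted: the leaf still carries the public CA issuer (no decryption rule matched this traffic).'
}
```

Two practical notes. Run the connection check from a host on the internal zone named in the decryption policy; from anywhere else the issuer will be the public CA, because the firewall only re-signs traffic the rule matches. And the export step matters: the file you push to clients must be the certificate only, never the private key, since anyone holding the forward-trust key can mint certificates every client in the domain will accept.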
Info
Channel: Ed Goad
Views: 5,079
Id: -nmTTxaXKnU
Length: 10min 40sec (640 seconds)
Published: Thu Jun 11 2020