setritalia.blogg.se

SSL/TLS decryption





Outbound SSL Decryption (SSL Forward Proxy)

In this case, the firewall proxies outbound SSL connections by intercepting outbound SSL requests and generating a certificate on the fly for the site that the user wants to visit. The validity date on the PA-generated certificate is taken from the validity date on the real server certificate.


In the case of inbound traffic to an internal web server or device, the administrator imports a copy of the protected server’s certificate and private key. When the SSL server certificate is loaded on the firewall and an SSL decryption policy is configured for the inbound traffic, the device then decrypts and reads the traffic as it is forwarded. No changes are made to the packet data, and the secure channel is from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel. Decrypted traffic can also be sent off the device by using a Decryption Port mirror (see Configure Decryption Port Mirroring).


PAN-OS can decrypt and inspect inbound and outbound SSL connections going through a Palo Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2, or Layer 3 mode by using the SSL rule base to configure which traffic to decrypt. In particular, decryption can be based upon URL categories, source users, and source/destination IP addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking, or data filtering.





