Palo Alto PCNSA Topic: Chapter 7 – Decryption Part 2
December 19, 2022

4. 7.4 SSL inbound inspection

In this video, we are covering PCNSA 210, which is our chapter on decryption and certificate management. Now this is the fourth video of Chapter 7, which is 7.4 SSL inbound inspection. So SSL inbound inspection is where the firewall will take any incoming encrypted packet or SSL encrypted packet. It will decrypt them or remotely inspect them and make sure that there is no kind of potential threat coming from an external user towards our internal servers. But for this to be enabled, the firewall and the internal server have to share the same private and public keys. So somehow we need to take this private and public key from the server and send it to the firewall, or from the firewall to the server, which I’m going to demonstrate it’s we do that as soon as external user sends an inbound connection or request SSL connection towards our internal server then the firewall is able because it’s got certificate of the server to be able to inspect all. The packets and make sure that there is not some kind of potential threat, as well as applying our security policy rules and security profile. The thing is to remember here that the packet actually is never changing the firewall. All it’s doing is opening the packet because it’s got the key and making sure that there is no threat and then it’s closing them and send them to the server so the packet remains unchanged from the external user to the internal server.

This is a lab topology that I will be using to demonstrate inbound inspection or inbound SSL inspection. I’m going to create a certificate here, so I’m going to create a certificate for the server, for our internal server, with a public key and a private key. And then I’m going to take that certificate and I’m going to export it and then import it into our internal server on our Windows 2016 server. And then we’re going to send a message from Kali Linux from the outside zone towards our inside zone server, for which I created a security policy. To be honest, this internal server shouldn’t be in the inside zone; it should be in the DMZ zone, but for time purposes, I left it in the inside zone. And then, as the packets come into our server, the firewall is going to open those packets and inspect them. Now I’m going to go to my firewall and just show you we’re going to continue from our 7.3 video as well. So if I go to devices and then go to certificate management, we created the certificates in the 7.3 video. So what we’re going to do is create another certificate here, and then we’re going to export the certificate and import it to our server, right? Okay. So to generate a certificate I’m just going to say click on the generate and let me press F eleven we can see it nicely. And this certificate is going to be for Web 2016 or an external server, sorry, or an internal server. And the common name in here, I’m going to put an IP address of our server which is 1921-6812 and signed by I’m not going to leave it, I can say self signed certificate already but I’m going to create brand new so certificate, authority, everything else, I’m going to leave it to the default and generate this. Okay? So as we can see they have generated successfully a keypad for that web server. Okay? So now we have generated that certificate. What I’m going to do is I’m going to export that certificate to my server. So click on that certificate for 2016 and select export certificate. Now I’m going to export the private and public keys.

So I need to encrypt the private key here and certificate PKC to S twelve and then the passphrase, I’m just going to use Palo Alto as a passphrase and click OK, now that certificate has been exported and it’s on my download folder. So I see it in the folder, and I’m going to copy this to my server. Okay. So if I go to my server here and I’m just going to paste that certificate, which is this one here, Now on this server, I have an IS running, and I’m going to import this certificate to Internet Information Services. Okay, so I click “Start” and then select “Internet.” And it’s going to come internet Information Services. So this is a web server as well. So what I’m going to do is actually import a certificate onto this server. So server certificates, click on that and then select import and find where it is, which should be on the desktop, and I’ll choose all certificates. There you go, that one. And the password was “Hello, Alto,” and “certificate store.” I’m going to use it for web hosting. Okay, so now that we’ve got that imported, I’m going to go to my sites, and on the default website, I’m going to have an SSL. I’m going to bind it to that certificate for four, four, three, so add Https and the certificate is going to be using is this one and click okay, close. Okay. So now we have to configure the inbound SSL decryption, which is under policies.

I press decryption, and I’m going to create a new one here. So add it, and this is going to be SSL inbound or inverse SSL inbound, and you can fill in the description tags and so on, but it’s going to leave it empty. Source is going to be from any machine from outside. And the destination? Any user, any address destination, is going to be on the inside. And the destination address? Well, it’s going to be to the public address, which is 2 or 3011-350. And any services, any URL option. I’m going to have it decrypted. But it’s not going to be an SSL forward proxy this time. It’s going to be an SSL inbound inspection. And the certificate that I’m going to be using for that is this one here that we sent along with the decryption profile. We leave it in here, click OK, and I’m going to commit it, and then we go and test it. Okay, now that the commit has been successfully completed, we can go to Kali Linux and access it. Okay, now that I’m in Kali Linux, all I’m going to do is open the web browser and access that server using encrypted methods. So HTTP addresses two, or 1350. And if I go down to my firewall under the monitoring, I should see some traffic has been decrypted. I should see something from outside to inside. So it’s there we go some outside. That’s my calendar Linux to my server inside two or 30 1321.And this is destination 50, and it says decryption.

5. 7.5 Other decryption topics

In this video, we are covering Penza, and this is our chapter seven on encryption and certificate management. Now this is the fifth video of chapter seven which is 7.5 other decryption topics unsupported application for example, some application might not work with SSL forward proxy. There could be an application that use client side certificates or they are nonce compliant applications or maybe the servers are using some unsupported cryptographic settings. So, for example, some websites may fail when we try to decrypt them, and if they do fail, we need to put them in. Well, the Firewall will put it to exclude cache and then decryption will not be attempted again for another 12 hours after that has first occurred. Now, after 12 hours, the firewall will attempt to decrypt the traffic from the same website again. And if decryption fails again, the website is added again to the cache, and the process will start over. To avoid this failure every 12 hours, for the site that is known, we can add it to the decryption exclusion list, which we’re going to see very soon. And if it is added, any sites that have been added to the exclusion list or exclusion cache will show that the command show system is set to SSL decrypt, exclude cache, or exclude cache. I’m going to show you this on my firewall, but at the moment I don’t have anything excluded. So I’m going to open Putty here and access my management interface at 192-168-1254. here I’m going to log in as admin, and then I’m going to use the command to see if any sites have been added to the exclusive cache; the command is “show system setting SSL decrypt exclude cache.” Let me see—I made a mistake somewhere. SSL decrypt exclude CNL wrong way around. Okay, so as you can see, nothing has been added to the cache. But if there’s something added, it will remain there for 12 hours, and then the process will start. We’ll try again, and if it fails, it will be added for another 12 hours. But if we know there’s a site that’s already going to fail on exclusion, we can add that to the list already, and there’s a list already there. So we can go to Device certificate management and we have slipped exclusion. So here we have the sites that are exclusive for decryption, and there could be many reasons why they’re there. Maybe they are not RFC compliant, or maybe they have some kind of application that will use some kind of client certificate, or maybe the firewall does not support the SSH version required. But anyway, if we know the site is going to fail, we can add it here. So click Add and then put the website. So to add the decryption exclusion list, we can go to Device Certificate Management, SSL decryption exclusion, and then add it here if, for example, we have no decryption policy. So even if we have no decryption policy, we will not decrypt. The decryption profile can be configured to block sessions with expired or untrusted certificates. Now, if you remember a span switch port analyzer where we take the packets and we send them to analyzing device or monitoring device. They are same to the decryption port mirroring where we can take the packets, we can decrypt them and we send them to analysis device. So decrypted data flows out of the dedicated interface on the firewall, and this will be used for, for example, data loss prevention and network forensics. It does require a free license for selected firewalls, so we can see in the PowerPoint presentation that not all firewalls support this PA 3000, PA 5000, or 207,000; they support decryption port mirroring, and they do require the decrypt license, which is free now. Decryption broker Apollo Alto Network’s next-generation firewall can provide a single central point for decrypting all of your network traffic. The decryption broker enables the firewall to forward plain text traffic to a security chain for additional enforcement, which provides complete visibility into network traffic. So the main firewall will perform a policy check, decrypt SSL traffic, inspect and enforce clear text traffic, and forward allowed clear text traffic to the security chain, which will actually analyses the allowed traffic and add additional enforcement. And the security chain will return the allowed traffic to the firewall, which will encrypt it and send it forwarded to the original destination. Hardware security modules, or HSMs, are physical devices that generate, store, and manage digital keys. It provides logical and physical protection for the firewall. Private keys from non authorized use use dedicatedHSM to manage the certificate sign in function for SSL forward proxy, SSL inbound inspection and master key storage function decryption in the traffic log you can use the traffic log to determine whether SSL session are being decrypted. If the log entries contain a packet capture, the packet capture will be encrypted because the packet capture will be happening before decryption. You can also search the decryption traffic by using a log filter. Flag has a proxy for troubleshooting SSL session termination. Now SSL sessions can be terminated for reasons that might include expired service certificates, unsupported cypher or protocol versions, untrusted certificate issues, unknown certificate status, and SSL timeout events. We can create our own log filter if we click in there and select “session end reason.” If we choose either of these, we can see if there is some kind of troubleshooting for SSL.

6. 7.6 Lab Decryption

So we’re going to do it. The first thing is that we’re going to do a self-signed CA here on the firewall, and obviously this is going to have a public key and this is going to have a private key. The private key will be secure in the firewall, but we’re going to take this public key, we’re going to export it and import it on the client machine, and then we’re going to create two more certificates here, a trust certificate that will be signed by the ACA and an entrust certificate that will not be signed by anything.

When the client is accessing some website that we trust, we’re going to send this certificate as allowed, and when the client is accessing some kind of untrusted website, we’re going to send this certificate, and then during inbound inspection, we’re going to test it from Kali Linux as well as create a management interface. So there’s a lot of stuff here we’re going to COVID Okay? So now I’m going to access my firewall, and everything is cleared. So I reset everything, removed all the certificates, and we’ve been playing around with our lessons, and in here I’m going to create one certificate that’s going to be a self-signed certificate, a certificate authority, and then I’m going to export that certificate to our client machine, import it into the client machine as a trusted certificate. Whatever the certificate is on signs it will be trusted by client.

So I’m click here generate and in certificate name I’m just going to say it as a self signed so type self CA and on the common name I’ll put the IP address of my firewall. So 1921-6811 we’re not going to have any signed by external authority certificate signing request because we just practice it all. We cannot become our certificate authority by default. If you leave it as it is, nobody will trust it. But in our enterprise, we can send the public key because it’s trusted by all our clients, and then they will trust it. OSCP responder: I’m going to leave it alone. Everything else—cryptographic settings, certificate attributes—I’m going to leave alone. And if you want to know more in detail then 7.2 Isa video that we went in more detail in this information. So I’m going to click “generate,” and as you can see now, it says that our key pair has been generated as well as the certificate successfully. So we have a private and public key, and we can see that this is our certificate authority certificate and all the information is here. What we’re going to do is I’m just going to click on there, and I’m going to make this a trusted root CA click, okay?

And before I export it, I like to commit it and then export it. Okay? Now the commit has been completed successfully. I’m going to select the certificate and export it. I can do base 64-encoded certificate pamphlets without just a public key. I can do binary encoded or encrypted private key and certificate Paces twelve. I’m just going to use base 64. So I’m going to leave it at that. I’m not going to export the private key, just a public key click, okay. And that’s a key export. Now if I go to the client machine, I’m going to import that key into the certificate store. So to access that, I go to the shared folder between my main PC and this virtual machine. So host shared folder, that’s the certificate I have. So I’m going to right-click, say, copy and paste it on the desktop here, close this shared folder, and that’s a certificate that I’m going to import it.And to do that, I’m just going to click Start on the virtual machine, type MMC, and hit Enter. Okay? So from here, I’m going to add a certificate snap in’s file add, remove, snap ins and here’s certificates add and the certificate snap in. The snap in it will always manage certificates for my user service account or computer. This is going to be a computer account. So click Next and select the computer.

Well, this is going to be a local computer. And finish, okay? So that’s our certificate store, and these are all our certificates. We don’t have anything under the personal, but we have under trusted root certificate authorities, we have some certificates there. So if I click, that’s how we trust by default. So that certificate to import it, I’m going to right click all tasks import and click next year and the location is under the desktop. Okay? So click “next” and “finish.” Now, once the certificate is imported to the client machine, any certificates that that certificate signs will be trusted by this client machine, and you can do that in the group policy rather than one by one machine. So here’s a certificate. Okay. Now I’ll go back to my firewall, and I’m going to create two more certificates. One, I’m going to create a signed forward trust certificate that is going to be signed by this self-signed CA. And I’m going to create anon signed forward entrust certificate.

So two more certificates generate, and here I’m going to say forward trust CA and the common name, and I’m just going to keep it the same way as here and signed by, well, this is going to be a self-signed CA that is going to sign it, and this is going to be a certificate authority as well. I’m not going to export it so I can close that and generate and then I’m going to generate another certificate. But this certificate is going to be untrustworthy. So going forward, entrust CA and the common name, I’m just going to keep it the same, and this is not going to be signed by anything, right? So I’m going to leave it blank. I’m going to create this as a certificate authority. and you can see the hierarchy now. Yeah. This certificate, as you can see right away, is being signed by this certificate, while this is just on its own. So forward trust if I just click on it and then I’m going to select forward trust certificate, okay? And here I’m going to select forward entrust certificate.

That’s it. Now we are almost done. So now we’re going to create an SSL forward proxy which is configure an SSL forward proxy outbound. So anything that our computer does outside of certificates in encrypted format, the firewall will be able to decrypt that and see what’s happening. So to do that, I need to go to Policies and Decryption, and I will add a new one. So add that, and here I’m going to call it an SSL forward proxy. Okay? I’m not going to write anything in the description or tags or anything else. So source is going to be anything from inside zone destination, anything to the outside zone and any services, any URL. What we’re going to do, we’re going to decrypt it and we’re going to leave SSL forward proxy. You see, we have three types of decryption. SSL forward proxy, SSH proxy, or SSL inbound inspection. So we’re going to do an SSL forward proxy. We don’t have anything in the decryption profile, but I’m going to do that and then come back here and edit this. So click okay here. Okay? To configure a decryption profile, I need to go to objects, and then at the end, we have a decryption profile. We have a default one, which we’re going to accept from anyone. I’m just going to clone this and use it.

So clone this and change the name to “I’m just going to say I’m just going to take all of this.” I’m going to make it very strict, block sessions with an expired certificate, entrust issuers, and so on, right? So all of them So I’m not going to do the inbound inspection or SSL protocol because this is just for SSL forwarding anyway. So click okay. And I’m going to go back to my policies and edit that. So under option, I just put “decryption profile” as “astray decryption profile” and clicked okay; now we’re ready. We’re done. So we have configured an SSL forward proxy. We’re just going to test it. So commit, okay. Now that the commit has been completed successfully, we can go and test it, right? So I’ve got nothing on the hit count here. So what I’m going to do is go to this client machine and open a browser. We’re going to try and download an anti-malware test file. So if I go to HTTP and then and here, I’ll find my antivirus test file. Now, by default, if decryption didn’t work, we wouldn’t be able to find out that it’s an anti-malware test file, and if I look at the certificate here, the certificate will be issued by ourselves.

So you can see it is now issued by a forward trust CA, which means our firewall has issued this certificate as a forward trust certificate. So, that already means I can see the inbound inspection is working. I can download that anti-malware file. And if the certificate or inbound inspection didn’t work, because this is encrypted, we should be able to download it. But because encryption is working or inspection is working, the firewall notes, “Oh hold on, that’s a virus.” It’s not letting us download it. And I can try other it will block all of them anyway. So to monitor this, I can go take a look at the monitor and then traffic. And you can see all these packets from our internal machine towards outside they’re being decrypted. So yes, yes, in decryption. And on the threads, we can see that just the two files that I tried to download have been decrypted. I have already a packet capture, but this is the encrypted packet capture. And I can open this magnifying glass and see that it has reset the server. And you can see that we have decrypted packet capture and server to client has reset the server. Okay, so our SSL forward proxy is working as it should. Excellent.

So the next thing that we’re going to do is we’re going to create a management certificate, and we’re going to sign it with our self-signed certificate. And then we’re going to try to access our management access. And it should actually not give us this not secure. Okay. So we’re going to create one more certificate. And on this certificate, we’re going to create it for management purposes. And that’s going to be a self-signed CA. It’s going to be signed by self signed. Okay? So I’m going to call it MGT CA. And the name is going to be the same: Mgt. Actually, in the name, I’m going to put the IP address of the server: 192-168-1254. And this is going to be signed by a self-signed CA. Because all my devices trust this self-signed CA, So now I’m going to generate that certificate. Excellent. And as you can see, there’s already a hierarchy; I can tell that that’s been signed by this certificate. I’m going to use this certificate on this SSLTLS service profile and then on the management interface. So SSL service profile I click add and I’mgoing to create Mgt and then certificate I’m goingto use this is management CA and click OK.And then once I got that, then I have to goto setup and under management on the general setting Ssltls serviceprofile there I’m going to use Mgt and that’s it.I’m going to click okay. And now I’m going to use that certificate to authenticate that interface. Okay? So we commit, and then we go and test it. Okay.

The committee has worked. And now I can see that it says the web server will be restarted upon successful commit of this configuration. So I need to restart this. So refresh it for five, and the connection is not private because it’s issuing me a different certificate. Okay, the next thing I’m going to do is go to my machine on the client machine and try and access that because that should trust the certificate, the management certificate. So I’m actually going to open Internet Explorer private browsing, and the address is https:/192-168-1254, and as you can see, I don’t have that. We don’t trust this certificate or anything. It’s just that I went straight in without a problem, and it didn’t warn me, “Do you want to go forward?” and so on like it did on my main machine, which I don’t trust the certificate for. Okay, that shows that it verifies the secure management access, and I can log in here, but really, I don’t have to spell it correctly, and I’m okay to log in there as well. So now you can see it trusts a certificate, and if I look at the certificate, that’s a certificate issued by 2192-168-1254 by 1921-6811, and we trust that issuer.

And if I click on the certification path, you can see that that certificate has been issued by this certificate. And this one we do trust it.Okay, excellent. The last thing that we’re going to do is we’re going to configure, well, I’m going to put this machine in Pose because now we’re going to tone down the Windows server machine and the Kali Linux, and I can’t run all the machines, but I’m going to configure inbound SSL inbound inspection. Now for that I do need another certificate and Ineed to go to the device and certificate management andthen certificates here I’m going to create a certificate for the web server, and I’m going to copy that with a private and public key to my web server, right? So I’m going to generate and it’sa web server server, 2016 certificate. And the common name I’m going to put in that web service address So 1921-6812 is the web service address and this certificate gain is going to be signed by self signed.Well this certificate, I’m going to make it as a certificate authority, as a self signed certificate. I’m not going to sign anything, right? So I’ll generate that. Okay, now I’m going to take this certificate and export it, but this time I’m going to export it with the private key. So export certificate and use PKcs twelve and the pass phrase I use Palo, Palo Alto. Okay, now this has the private and public key in there. So if I look in the folder, this certificate is for a web server. So if I right-click this and copy, I’m going to copy this to my web server. So let me start this resume.

Okay, now I’m on the web server. So I can right-click here and just paste my certificate, and then I’m going to import this into Internet Information Services, which is my web server. So start the Internet, and it should come up. There we go. And in here on the client2016, I’m going to serve certificates. I’m going to import it here. Okay. It’s on the desktop. So I’m going to change this and the certificate. Okay, the password was PaloAlto, and the store stored certificates. Well, I’m going to use it for web hosting. Excellent. And the next thing is that I’m going to bind this certificate to my site. So I go to the default site, and then SSL settings bind this to HTTP. So add https, and the certificate is going to be 20. There we go. Excellent. And now we need to go back to the firewall and enable inbound inspection. So configure inbound inspection. So I need to go to policies and in the description add and I put here as a name inbound SSL inspection. And the source is going to be, well, anyone from outside, and the server is located on the inside but really should be in the DMZ zone. And for destination address, well, this is going to be for the IP address of the server, which is the public address, or two or three, two or 3011 or 350, is the IP address.

And I’ll show you that on the net that’s going to be translated to my internal server services, any services, any Orland what we’re going to do here, we’re going to do decrypt, but we’re going to do the inbound inspection or SSL inbound inspection. And the certificate that we’re going to be using is the web service certificate. And click okay, now if I go to Nat and Icon show you the outside to inside, anything to that address, two or 30 1350 will be translated to that address. That’s the service address. I’ll commit this, and then we can go and test it. Okay, excellent. Commit has been completed successfully. So now I’m actually going to go. So I got the decryption here. See, we already have some forward proxy, SSL forward proxy, but this is SSL inbound inspection. So I’m going to go to my Kali Linux, enable that, and I’m going to open the web browser. I’m going to try and access my server using SSL, and then that should have an inspection running. So https 2030 one 1350.Okay, there’s some problem here with SSL errors. No cyber overlap. But if I go to my firewall and if I refresh this, I should see something coming up here. Yeah, there we go. There’s one here that just came from outside. And the IP address of that is dot 21, I think in the end. There we go, tab one. So you can see that’s from outside to inside, two or three dots, 1321, to that address. It’s been allowed, and there is a decryption there. If I click on that packet with more information, it says it’s incomplete because of some decryption errors there. But we can see the inbound inspection is actually working and is able to decrypt it.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!