How To Configure SSL Forward Proxy Decryption On The Palo Alto Firewall

How To Configure SSL Forward Proxy Decryption On The Palo Alto Firewall | PART 8

Рет қаралды 26,195

Keith Barker - The OG of IT

Күн бұрын

Пікірлер: 39

@fabrice9848 10 ай бұрын

The WAN & only ladies & gentlemen, the OG of IT! Thank you Keith for being so awesome.

@KeithBarker 10 ай бұрын

Thank you @fabrice9848!

@ulimi2002 10 ай бұрын

I'm new to Palo and this series was more than I could hope for. Excellent!

@KeithBarker 9 ай бұрын

Happy to do it, thanks for the feedback @ulimi2002.

@dariusbradford4899 Жыл бұрын

No way! Perfect timing, I got SSL decryption deployment for a customer! Thnx!!

@AlexCruz-mv1gj Жыл бұрын

I've learned more from your videos on this topic than anything that I've used in the past. You will always be my go to for advancing in my career. Thank you!

@joshstickney8695 11 ай бұрын

Wish I had this 3 years ago. Maybe its from having seen it and figuring it out why and how this was done then stepping into a new company, but this explains it so easily. Love your quick and to the point explanations!

@KeithBarker 10 ай бұрын

Thank you @joshstickney8695!

@scottdecker8612 Жыл бұрын

Great playlist. Thank you!

@jamesworley2674 11 ай бұрын

I laughed at the comment about the 400 series being 'slow' to commit at about 2-3 minutes. PA-200 & PA-220 entered the chat/

@GeorgeNoory42069 11 ай бұрын

God forbid you have to reboot a 220 for a software upgrade….

@Tyler-k9b3f Жыл бұрын

you are the best og of it!!!!!

@pooter4e552 Жыл бұрын

Great video! I need to get me a PA440. I've been managing PA820s for the last 4yrs at work for our sites, but I recently got a new job and no Palo Alto lol.

@nxu5107 11 ай бұрын

HI Keith, Thanks for this.I have got decryption up and running on a pilot basis on our network and the first thing we noticed was that it broke, KZbin,. The videos would freeze or not load the thumbnail etc. Could you doa video on troubleshooting t decryption errors please? Thanks.

@leanderjanlargo5690 6 ай бұрын

Amazing! Great video! Thank you for creating such educational and highly nformative content!

@KeithBarker 4 ай бұрын

Happy to do it, thanks for the feedback @leanderjanlargo5690.

@fourtsr Жыл бұрын

Hey @Keith Barker, Thanks so much for these videos. I just installed one PA-440 and am at the Part 8 of this. I have never set up Certificate services on my 2019 AD server. Do you have a how to video on that so I can complete part 8 of the PA-440 configuration?

@KeithBarker Жыл бұрын

Thank you for the question @fourtsr. I don't have one I made, but here are several: kzbin.info?search_query=install+certificate+services+on+domain+controller Happy studies.

@fourtsr Жыл бұрын

@@KeithBarker Thanks Keith. You commented in the beginning of part 8 you had a more in depth video over on CBT nuggets, can you provide the URL for this. I can't seem to find it.

@fourtsr Жыл бұрын

Hey @Keith Barker, WOW! This series of videos is a God Send to me. Thank you so much for making the complex simple. That really is a gift and you have it in spades. Subscribed to you and also to CBT Nuggets, what a find. Thanks again!

@thouston7 2 ай бұрын

Bravo, Well done sir

@KeithBarker Ай бұрын

Thank you @thouston7!

@RayAlejandroGaviriaAlegria Жыл бұрын

Thanks so much for these videos. i needed

@KeithBarker 9 ай бұрын

Happy to do it, thanks for the feedback @RayAlejandroGaviriaAlegria.

@kauffmann1983 4 ай бұрын

but if you set the decryption rule with the port 443 instead in the service https, would the decryption work even for quic?

@KeithBarker 3 ай бұрын

Thank you for the question @kauffmann1983. For QUIC traffic this can be tricky since QUIC doesn’t rely on the traditional TCP-based SSL/TLS. You can configure the firewall to block QUIC, forcing traffic to fall back to TCP, where SSL/TLS decryption can then be applied.

@flower3223 Жыл бұрын

Hi @Keith Barker, Great explanation... One question that arise in my Mind to implement is that "Can we use Wildcard Certs / Purchased public Certs for SSL Forward Proxy so that it will not require to install Certificate on each Client Machine. Regards Nadeem

@KeithBarker Жыл бұрын

Thank you for the question Muhammad Nadeem. The clients need to trust the issuing CA for the cert the FW is using with SSL proxy. That could be an internal CA, where the machines have been configured to trust, or a public CA, that the computers already trust.

@Queztapotel123 Жыл бұрын

@@KeithBarker I've tried it on my android phone, the issue here is that some apps only take their own certificate databas to try to see if it's a valid certificate. So just importing it to the android certificate store wouldn't work for a lot of apps. Buying a public signed just for that seem's a bit an overkill though

@itzmwthunder Жыл бұрын

Hey Keith, I’m currently deploying mine but I dint have a CA server. How can I make the FW self sing it certs without the Server?

@RashidSiddiqui Жыл бұрын

Thanks Keith,

@KeithBarker Жыл бұрын

Happy to do it, thanks for the feedback Rashid Siddiqui | CISSP, CCSP and Related Stories.

@01NetworkSolutions 8 ай бұрын

Thank you Thank You Keith

@KeithBarker 8 ай бұрын

Happy to do it, thanks for the feedback @01NetworkSolutions.

@RayAlejandroGaviriaAlegria 2 ай бұрын

something strange is happening to me, the signatures of the mails in a gmail suite do not load due to decrypt error, can anyone help me, thanks

@omertaskn5413 Жыл бұрын

thanks a lot

@KeithBarker Жыл бұрын

Happy to do it, thanks for the feedback @omertaskn5413.

@zulfikarmahyutan Жыл бұрын

Hi Keith, Great job on the configuration you shown! Just wondering , why when I put the x forwarder for security policy, the connection is reset. I was wonder why this issue happen when using user-id is is okay

@mzero69 Жыл бұрын

Thanks Kaith great video and explanation :). a Quick Question, have you integrate Palo alto with AWS Certificate manager (ACM). I tried but there are some limitarions , dont know if there is a workaround or something that i missed.