Decryption Use Cases: SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy

Palo Alto Networks firewalls offer robust decryption capabilities to inspect encrypted traffic, enhancing security by uncovering hidden threats. Below are detailed use cases and flow diagrams for each decryption method.

1. SSL Forward Proxy (Outbound SSL/TLS Decryption)

Use Case: Decrypt outbound SSL/TLS traffic from internal clients to external servers to inspect for threats, enforce policies, and prevent data exfiltration.

How It Works: The firewall acts as an intermediary between the client and the server, establishing separate SSL sessions with each. It presents a forged certificate to the client, signed by a trusted internal CA, allowing it to decrypt and inspect the traffic.

sequenceDiagram
    participant Client
    participant Firewall
    participant Server

    Client->>Firewall: Initiate SSL/TLS session
    Firewall->>Server: Initiate SSL/TLS session
    Server-->>Firewall: Server Certificate
    Firewall-->>Client: Forged Certificate (signed by internal CA)
    Client-->>Firewall: Encrypted Data
    Firewall-->>Server: Encrypted Data
    Note over Firewall: Decrypts and inspects traffic between Client and Server
    

References:

• Configure SSL Forward Proxy
• SSL Forward Proxy Concepts

2. SSL Inbound Inspection (Inbound SSL/TLS Decryption)

Use Case: Decrypt inbound SSL/TLS traffic destined for internal servers to inspect for threats and enforce security policies.

How It Works: The firewall requires the server's private key and certificate to decrypt the traffic. It establishes separate SSL sessions with the client and the server, allowing it to decrypt and inspect the traffic before forwarding it to the internal server.

sequenceDiagram
    participant Client
    participant Firewall
    participant Internal Server

    Client->>Firewall: Initiate SSL/TLS session
    Firewall->>Internal Server: Initiate SSL/TLS session
    Internal Server-->>Firewall: Server Certificate
    Firewall-->>Client: Server Certificate
    Client-->>Firewall: Encrypted Data
    Firewall-->>Internal Server: Encrypted Data
    Note over Firewall: Decrypts and inspects traffic between Client and Internal Server
    

References:

• Configure SSL Inbound Inspection
• SSL Inbound Inspection Concepts

3. SSH Proxy (SSH Decryption)

Use Case: Decrypt SSH sessions to prevent unauthorized tunneling and inspect for malicious activities within SSH traffic.

How It Works: The firewall intercepts SSH sessions, establishing separate SSH connections with the client and the server. It inspects the SSH channels to identify and block unauthorized tunneling or malicious activities.

sequenceDiagram
    participant SSH Client
    participant Firewall
    participant SSH Server

    SSH Client->>Firewall: Initiate SSH session
    Firewall->>SSH Server: Initiate SSH session
    SSH Server-->>Firewall: SSH Handshake
    Firewall-->>SSH Client: SSH Handshake
    SSH Client-->>Firewall: Encrypted Data
    Firewall-->>SSH Server: Encrypted Data
    Note over Firewall: Inspects SSH channels for unauthorized tunneling
    

References:

• SSH Proxy Concepts
• Configure SSH Proxy

Caveats and Considerations for Decryption Methods

1. SSL Forward Proxy (Outbound SSL/TLS Decryption)

• Certificate Pinning and Client Authentication: Sessions utilizing certificate pinning or client authentication cannot be decrypted, as the firewall's proxying interferes with these mechanisms. [Source]
• High Availability (HA) Limitations: Decrypted SSL sessions are not synchronized between HA peers, potentially leading to session drops during failover. [Source]
• Quality of Service (QoS) Considerations: Proxied traffic does not support DSCP code points or QoS markings, which may affect traffic prioritization. [Source]
• Certificate Management: Proper management of Forward Trust and Forward Untrust certificates is crucial. Misconfigurations can lead to client trust issues and connectivity problems. [Source]

2. SSL Inbound Inspection (Inbound SSL/TLS Decryption)

• Server Certificate Requirements: The firewall must have access to the private key of the server's certificate to decrypt inbound traffic. [Source]
• Certificate Pinning and Client Authentication: Similar to SSL Forward Proxy, sessions with certificate pinning or client authentication cannot be decrypted. [Source]
• High Availability (HA) Limitations: Decrypted SSL sessions are not synchronized between HA peers, which may result in session drops during failover. [Source]
• Quality of Service (QoS) Considerations: Proxied traffic does not support DSCP code points or QoS markings. [Source]

3. SSH Proxy (SSH Decryption)

• SSH Tunneling Limitations: The firewall cannot decrypt traffic within SSH tunnels, such as X11 or TCP forwarding channels. To prevent unauthorized tunneling, configure security policies to deny 'ssh-tunnel' applications. [Source]
• Authentication Method Constraints: SSH Proxy does not support public key authentication. Clients must use username and password authentication, which may not align with all organizational policies. [Source]
• Quality of Service (QoS) Considerations: Proxied SSH traffic does not support DSCP code points or QoS markings. [Source]
• Key Management: The firewall generates its own SSH host key upon boot. If the firewall reboots and generates a new key, clients may receive warnings about changed host keys, which can disrupt automated processes. [Source]