SSL Inbound Inspection: Peering Inside Encrypted Traffic to Your Servers

What is SSL Inbound Inspection?

SSL Inbound Inspection is a feature on Palo Alto Networks firewalls that allows the firewall to decrypt and inspect SSL/TLS traffic destined for internal servers (e.g., internal web servers, application servers) hosted behind the firewall. By decrypting this incoming traffic, the firewall gains visibility into the application and content within the encrypted session.

This visibility is essential for applying effective security measures, including:

Threat Prevention: Detecting and blocking malware, vulnerabilities, spyware, and malicious commands hidden within encrypted traffic targeting internal servers.
Accurate App-ID: Identifying the true application running over SSL/TLS (not just identifying it as 'ssl'), allowing for more granular Security Policy control.
URL Filtering: Applying URL category filtering to requests destined for internal web servers (less common for inbound but possible for policy or logging).
File Blocking/Data Filtering: Preventing malicious file uploads or sensitive data exfiltration over encrypted channels from/to internal servers.
Compliance: Meeting regulatory requirements that mandate inspection of encrypted traffic to protected servers.

This is distinct from SSL Forward Proxy (Outbound Inspection), where the firewall decrypts traffic initiated by internal clients going to external websites.

     Clearly differentiate SSL Inbound Inspection (protecting internal servers) from SSL Forward Proxy (inspecting user traffic to the internet). SSL Inbound Inspection decrypts traffic *to* your servers, while SSL Forward Proxy decrypts traffic *from* your users.
    

Core Concept: Man-in-the-Middle (MITM) with Server's Key

SSL Inbound Inspection works by placing the firewall in a Man-in-the-Middle (MITM) position between the external client and the internal server.

     
      Critical Requirement:
     
     For the firewall to successfully decrypt the incoming session and impersonate the internal server to the external client, it
     
      MUST
     
     possess the internal server's actual SSL/TLS certificate
     
      AND
     
     its corresponding private key.

The process unfolds as follows:

An external client initiates an SSL/TLS connection to the public IP address associated with the internal server (this might be a NAT address or the firewall interface).
The firewall intercepts this connection attempt based on a matching Decryption Policy rule.
The firewall uses the imported server certificate and private key to complete the SSL/TLS handshake with the external client, essentially pretending to be the real server.
Simultaneously, the firewall initiates a separate SSL/TLS connection to the actual internal server. During this server-side handshake, the firewall acts as a client and validates the server's certificate like any regular client would (unless checks are disabled in the decryption profile).
The firewall now sits in the middle, decrypting traffic from the client, inspecting it, then re-encrypting it (if the connection to the internal server is also SSL/TLS) and sending it to the server. The process is mirrored for return traffic.

This allows the firewall's security engines (App-ID, Threat Prevention, etc.) to inspect the clear-text application data flowing between the client and the server.

Simplified SSL Inbound Inspection MITM Flow

Common Use Cases & Benefits

SSL Inbound Inspection is invaluable in various scenarios:

Protecting Web Servers: Inspecting traffic to public-facing web servers (e.g., e-commerce sites, customer portals, company websites) for web application attacks (SQL injection, XSS), malware uploads, and command-and-control communication attempts targeting the server.
Securing Application Servers: Protecting critical internal applications (e.g., email servers like Microsoft Exchange, SharePoint servers, custom API endpoints) from exploits and data breaches attempted over encrypted channels.
DMZ Security Enhancement: Adding a strong layer of threat prevention for any SSL/TLS-enabled service hosted in a Demilitarized Zone (DMZ).
Granular Access Control: Leveraging accurate App-ID post-decryption to enforce specific application-aware security policies. For instance, allowing `microsoft-exchange-activesync` but blocking `microsoft-exchange-owa` for certain user groups to the same Exchange server.
Data Loss Prevention (DLP): Using Data Filtering profiles to inspect decrypted outbound responses from internal servers, preventing accidental or malicious exfiltration of sensitive information (e.g., credit card numbers, PII).
Compliance Mandates: Fulfilling requirements from standards like PCI DSS, HIPAA, or GDPR that may necessitate inspection of traffic to and from systems handling sensitive data.

Key Benefits:

Enhanced Security Posture: Drastically reduces the attack surface by eliminating the blind spot created by encrypted traffic to servers.
True Application Visibility and Control: Enables precise identification and control of applications, irrespective of them running over SSL/TLS.
Comprehensive Threat Prevention: Allows all security services (IPS, Antivirus, Anti-Spyware, WildFire) to analyze the full payload.
Regulatory Compliance: Helps organizations meet stringent data security and privacy regulations.
Forensic Capabilities: Provides detailed logs of decrypted traffic, aiding in incident response and investigation.

Key Prerequisites for SSL Inbound Inspection

Before configuring SSL Inbound Inspection, ensure these critical components and configurations are in place:

Server Certificate and Private Key:
- The exact SSL/TLS certificate currently used by the internal server that clients will connect to.
- The corresponding private key for this server certificate. The private key MUST be exportable from the server or Certificate Authority (CA) where it was generated/stored. Without the private key, inbound inspection is impossible.
- The certificate and key are typically in PEM or PKCS#12 (PFX) format.
Full Certificate Chain (Highly Recommended):
- If the server certificate is signed by one or more Intermediate CAs, importing the full chain (Server Cert -> Intermediate CA(s) -> Root CA) onto the firewall is crucial.
- While the firewall primarily uses the server cert and private key to impersonate the server to the client, having the chain helps in certain validation scenarios and ensures clients receive a complete chain they can trust.
Firewall Licensing: Ensure appropriate subscriptions are active for Threat Prevention, WildFire, etc., as these are the services that will inspect the decrypted traffic. Decryption itself is a core feature.
Supporting Network Configuration:
- Correctly configured Interfaces, Zones (e.g., Untrust for external, DMZ/Trust for internal servers), and Virtual Routers.
- Destination NAT (DNAT): Often required if external clients connect to a public IP address on the firewall, which then needs to be translated to the internal server's private IP address.
Security Policy for Initial Connection: A Security Policy rule must exist to allow the underlying (pre-decryption) SSL/TLS traffic (typically HTTPS on TCP/443). This will be detailed later.

     The absolute #1 requirement for SSL Inbound Inspection is having the server's certificate AND its private key. If you cannot obtain the private key, you cannot perform SSL Inbound Inspection for that server.
    

Certificate Deep Dive for Inbound Inspection

Understanding SSL/TLS certificates is fundamental to implementing inbound inspection correctly.

Certificate Components:

Server Certificate (Public Key Certificate): This is the digital document that binds a public key to an identity (e.g., your web server's hostname). It's issued by a Certificate Authority (CA). It contains information like the server's domain name (Common Name or CN), Subject Alternative Names (SANs), public key, validity period, and issuer details.
Private Key: This is the secret, corresponding key to the public key in the certificate. It's used by the server (and in this case, the firewall) to decrypt data encrypted with the public key and to sign data (like the SSL handshake messages) to prove its identity. Its security is paramount.
Intermediate CA Certificate(s): CAs often use a hierarchical structure. A Root CA might sign an Intermediate CA, which then signs server certificates. These intermediate certificates form a "chain of trust."
Root CA Certificate: A certificate from a trusted Root CA, which is self-signed. Operating systems and browsers have a pre-installed list of trusted Root CA certificates.

Example Certificate Chain of Trust

Certificate Formats:

PEM (Privacy Enhanced Mail): Base64 encoded ASCII files. Often have extensions like .pem , .crt , .cer , .key . Can contain certificates, private keys, and chains. This is a very common format for Palo Alto Networks firewalls.
```
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
```
PKCS#12 (PFX): A binary format, typically with .pfx or .p12 extension. It's a password-protected archive that can bundle the server certificate, any intermediate certificates, and the private key into a single file. Convenient for import if your CA provides it.
DER (Distinguished Encoding Rules): A binary format for certificates. Less common for import directly if a private key is also needed, as PEM or PKCS#12 are preferred for bundling. Extensions can be .der or .cer .

Certificate Trust and Validation by External Clients:

When the firewall performs SSL Inbound Inspection, it presents the actual server certificate (that you imported) to the external client. Therefore, the external client's trust is based on this original server certificate:

The client's browser/OS must trust the Root CA that ultimately signed your server certificate. This is usually the case for publicly trusted CAs (e.g., Let's Encrypt, DigiCert, GoDaddy).
The certificate must be valid (not expired, not revoked).
The hostname the client is trying to reach must match a name in the certificate's CN or SAN fields.
The client should receive the full certificate chain (server cert + any intermediates) up to a trusted root. The firewall should send this if the chain is correctly configured/imported.

Unlike SSL Forward Proxy (Outbound Inspection) where the firewall generates and signs a new certificate using its own subordinate CA, SSL Inbound Inspection uses the real server's certificate . This means clients will not see a certificate signed by the firewall; they will see the legitimate server certificate.

Managing Certificates on the Firewall:

Import: You must import the server certificate and its private key. If intermediate CAs are involved and not already trusted by the firewall or common public CAs, import them too.
Renewal: When the server certificate is due for renewal, you must obtain the new certificate and its private key, then update it on the firewall. Failure to do so will cause inbound decryption to fail and clients to see certificate errors.
Security of Private Keys: Since the firewall holds a copy of your server's private key, the firewall itself becomes a very sensitive device. Secure administrative access to the firewall and its configuration backups rigorously.
If the firewall's configuration (which contains the private key) is compromised, an attacker could potentially impersonate your server.
Wildcard Certificates: (e.g., *.example.com ) Can be used for inbound inspection if your server uses one. The firewall will use this wildcard certificate to protect multiple subdomains.
SAN (Subject Alternative Name) Certificates: These certificates can secure multiple, different hostnames with a single certificate. If your server uses a SAN certificate, ensure it's correctly imported.

     Understand the difference in certificate handling between Inbound Inspection (uses actual server cert + key) and Forward Proxy (uses a firewall-generated cert signed by a forward trust CA). Also, know the importance of the private key and certificate lifecycle management.
    

Supported Cryptographic Algorithms & Perfect Forward Secrecy (PFS)

The Palo Alto Networks firewall's ability to decrypt SSL/TLS traffic depends on the negotiated cipher suite between the client and the firewall (acting as the server). The firewall maintains a set of supported ciphers for decryption purposes.

General Support:

Palo Alto Networks firewalls generally support a wide range of modern and strong cryptographic algorithms. The exact list can vary slightly by PAN-OS version and hardware platform, but typically includes:

Symmetric Encryption Algorithms (for bulk data encryption):
- AES-GCM (e.g., AES-128-GCM, AES-256-GCM) - Preferred for performance and security.
- AES-CBC (e.g., AES-128-CBC, AES-256-CBC) - Still common.
- ChaCha20-Poly1305 - Modern, secure, and performant.
Hashing Algorithms (Message Authentication Codes - MACs, and for signatures):
- SHA-2 family (SHA-256, SHA-384, SHA-512)
- Poly1305 (when used with ChaCha20)
Key Exchange Algorithms:
- ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): Provides Perfect Forward Secrecy (PFS). E.g., ECDHE-RSA, ECDHE-ECDSA. This is highly preferred.
- DHE (Diffie-Hellman Ephemeral): Also provides PFS, but ECDHE is generally more efficient.
- RSA: Used for key exchange if PFS ciphers are not negotiated. Does NOT provide PFS.
TLS Versions:
- TLS 1.3 (Preferred)
- TLS 1.2 (Widely supported and secure)
- TLS 1.1 and TLS 1.0 (Generally deprecated and should be disabled if possible for security reasons. Firewall can be configured to block or allow decryption of these older versions).
- SSLv3 (Obsolete and insecure. Should be blocked).

Perfect Forward Secrecy (PFS):

Yes, Palo Alto Networks firewalls support Perfect Forward Secrecy (PFS) for SSL Inbound Inspection , provided that:

The external client supports and offers cipher suites that use ephemeral key exchange (ECDHE or DHE).
The firewall (using the imported server's certificate type, e.g., RSA or ECDSA) can negotiate such a cipher suite.

When PFS is used, a unique session key is generated for each SSL/TLS session and is not derivable from the server's long-term private key. This means that even if the server's private key (stored on the firewall) were to be compromised in the future, past recorded encrypted sessions could not be decrypted.

For SSL Inbound Inspection, the firewall uses the imported server's private key primarily to authenticate itself as the server during the handshake. If an ECDHE or DHE cipher suite is negotiated, the actual symmetric encryption keys are derived from the ephemeral Diffie-Hellman exchange, independent of the server's static private key (though the private key is used to sign the DH parameters to prevent MITM on the key exchange itself).

Unsupported Cipher Suites:

If a client and the firewall (impersonating the server) cannot agree on a mutually supported cipher suite that the firewall can decrypt, the connection might be:

Blocked: If configured in the Decryption Profile to block unsupported modes.
Bypassed (No Decrypt): If configured to allow unsupported modes, the traffic will pass through encrypted and uninspected by the decryption engine (though still subject to standard Security Policy matching on L4 info).

It's generally recommended to stay updated with PAN-OS releases, as they often include updates to cipher suite support and cryptographic libraries.

     Know that PFS is supported and desirable. Understand that the firewall must support the negotiated cipher suite. Recognize common strong algorithms like AES-GCM and key exchange like ECDHE. Be aware of how unsupported ciphers are handled based on Decryption Profile settings.
    

You can typically view the list of supported ciphers for decryption via CLI commands like


      debug dataplane show ssl-decrypt ciphers-supported type inbound

or by checking the Palo Alto Networks documentation for your specific PAN-OS version.

Configuration Step 1: Import Server Certificate and Private Key

This is the foundational step. The firewall needs the server's identity to impersonate it to external clients.

Obtain Certificate and Key:
- The server's public certificate (e.g., server.crt ).
- The server's private key (e.g., server.key ). Ensure it's not password protected, or if it is, you know the passphrase. If you have a PKCS#12/PFX file (e.g., server.pfx ), this contains both and will prompt for its import passphrase.
- Any necessary intermediate CA certificates.
Import into Firewall:
- Navigate to Device > Certificate Management > Certificates .
- Click Import .
- Certificate Name: Give it a descriptive name (e.g., `WebServer-Prod-Cert`). This name is used in the Decryption Policy.
- Certificate File: Browse and select your server certificate file (PEM, DER) or the PKCS#12 bundle.
- If importing a PEM/DER certificate, check the box Import Private Key .
  - Key File: Browse and select the private key file.
  - Passphrase: If the private key file itself is encrypted, enter its passphrase here.
- If importing a PKCS#12 file, it will typically prompt for the Passphrase used to protect the PFX bundle. The private key is part of this bundle.
- Important Security Option: Mark Private Key Exportable .
  DO NOT check "Mark Private Key Exportable" unless absolutely necessary for specific, documented operational reasons (very rare). Leaving it unchecked enhances security by preventing the private key from being exported from the firewall's configuration backups or GUI/CLI.
- Click OK .
- Verify: After import, verify the certificate shows "Valid", the "CA" column is unchecked (unless it's also a CA cert, which is unlikely for a server cert), and importantly, an icon indicating it has a private key associated with it is present.
Import Intermediate/Root CAs (If Necessary):
- If your server certificate is signed by an intermediate CA that is not a well-known public CA (or if you want to be explicit), import the intermediate CA certificate(s).
- For these, you would not import a private key. You might check "Certificate Authority" if it is indeed a CA.
- The firewall uses these to build the chain it sends to clients and for validating the server-side connection. Many public CAs are already in the firewall's default trust store.

     Remember the GUI path for certificate import. Know that the private key is essential and the security implication of the "Mark Private Key Exportable" option.
    

Configuration Step 2: Create a Decryption Profile (Recommended)

While you can configure some decryption parameters directly in the policy rule, using a Decryption Profile offers more granular control over how SSL/TLS sessions are handled for inbound inspection.

Navigate to Objects > Decryption > Decryption Profile .
Click Add .
Name: Give it a descriptive name (e.g., `Inbound-Standard-Inspection-Profile`).
Go to the SSL Inbound Inspection tab (this tab may be part of a general "SSL Decryption" or "SSL Protocol Settings" tab depending on PAN-OS version).
Key Settings to Review/Configure:
- Unsupported Protocol Versions (e.g., SSLv3, TLS 1.0, TLS 1.1):
  - Action: Block session (Recommended for old/insecure versions) or No decrypt .
- Unsupported Cipher Suites:
  - Action: Block session or No decrypt (Recommended: Block, to ensure only inspectable traffic is allowed).
- Server Certificate Verification (Firewall-to-Server connection):
  - Block sessions if certificate is untrusted: When the firewall connects to your actual internal server , it acts as a client. This option ensures the firewall validates the internal server's certificate. Recommended to keep checked unless there's a specific reason (e.g., internal server uses a self-signed cert and you accept the risk).
  - Block sessions if certificate status cannot be checked (OCSP/CRL): If OCSP/CRL checks are enabled for the server-side connection and fail.
  - Block sessions with expired certificates: Recommended.
- Client Authentication (Less Common for Inbound):
  - Controls how the firewall handles requests for client certificates from the internal server. If your server requires client certificate authentication, SSL Inbound Inspection is generally problematic as the firewall terminates the client's SSL session. Workarounds might exist but are complex. See Caveats .
- Session Renegotiation:
  - Allow SSL renegotiation: Can be allowed or blocked. Secure renegotiation is generally fine. Legacy insecure renegotiation should be blocked.
- Hardware Security Module (HSM) Integration: If you use an HSM to store the private keys for inbound inspection, configure it here. This is an advanced setup for very high-security environments.
Click OK .

     Know the purpose of a Decryption Profile and common settings like handling unsupported versions/ciphers and server certificate verification options. For SSL Inbound Inspection, the key settings are under the "SSL Inbound Inspection" (or similarly named) section of the profile.
    

For most standard SSL Inbound Inspection use cases, the default settings within a new Decryption Profile for the SSL Inbound Inspection tab are often a good starting point. However, always review them against your organization's security policy, especially regarding how to handle unsupported protocols/ciphers and certificate validation options for the firewall-to-server connection.

Configuration Step 3: Create a Decryption Policy Rule

This rule tells the firewall which traffic to decrypt using SSL Inbound Inspection.

Navigate to Policies > Decryption .
Click Add .
General Tab:
- Name: Give it a descriptive name (e.g., `Decrypt-Internal-WebServer-Prod`).
- Tags: Optional, for organization.
Source Tab:
- Source Zone: Select the zone(s) from which external clients will connect (e.g., `Untrust`, `External`).
- Source Address: Typically `any`, or specific external IP ranges if known.
- Source User: Usually `any` for inbound server access.
Destination Tab:
- Destination Zone: This should be the zone of the firewall's ingress interface where the public IP address resides (e.g., `Untrust`). This is matched on the original (pre-NAT) destination zone.
- Destination Address: Enter the Public IP address that external clients connect to. This is the original (pre-NAT) destination IP.
Service/URL Category Tab:
- Service: Typically set to service-https (TCP/443) or a custom service object if your server uses SSL/TLS on a non-standard port.
- URL Category: Generally left as `any` for inbound inspection, unless you have a specific use case to only decrypt certain URL categories (less common for inbound).
Options Tab (Crucial):
- Action: Select Decrypt .
- Type: Select SSL Inbound Inspection .
- Certificate: Select the Server Certificate (with its private key) that you imported in Step 1 (e.g., `WebServer-Prod-Cert`). This is the most critical part of this tab.
- Decryption Profile: Select the Decryption Profile you created in Step 2 (e.g., `Inbound-Standard-Inspection-Profile`). If you didn't create one, you can leave it as `none` and rely on global settings or basic options, but a profile is recommended for better control.
- Failure Checks (If no profile selected): Options like "Block session if HWSM not ready," "Block session if cert not trusted," etc. These are overridden by the Decryption Profile if one is selected.
Click OK .
Rule Placement: Ensure the rule is placed appropriately in the Decryption Policy list (rules are processed top-down). More specific rules should generally be above more general ones.

     Focus on the "Options" tab of the Decryption Policy: Action=Decrypt, Type=SSL Inbound Inspection, and selecting the correct Server Certificate. Understand that Source/Destination IP/Zone in this policy typically refer to the Pre-NAT context of the incoming traffic.
    

Configuration Step 4: Configure Supporting Security Policy for Inspection

Decryption policy only handles the decryption; Security policy handles whether the traffic (now decrypted) is allowed and what security profiles are applied.

You will typically need two Security Policy rules related to this traffic flow:

1. Security Policy for the Initial Encrypted Connection (Optional, but good for explicit control)

This rule allows the initial SSL/TLS handshake to reach the firewall's decryption engine. It matches the traffic before decryption occurs.

Name: e.g., `Allow-SSL-to-WebServer-PublicIP`
Source Zone: e.g., `Untrust`
Source Address: e.g., `any`
Destination Zone: The zone of the firewall's ingress interface where the Public IP resides (e.g., `Untrust`). This is the Pre-NAT Destination Zone.
Destination Address: The Public IP address clients connect to (Pre-NAT).
Application: `ssl` (or `any` if you are less specific, but `ssl` is better).
Service: `service-https` (or your custom SSL/TLS service port).
Action: `Allow`.
Security Profiles: Generally, you wouldn't apply heavy inspection profiles here as the traffic is still encrypted. Basic vulnerability protection against SSL exploits might be considered. The main inspection happens on the decrypted traffic (next rule).

Some configurations might rely on a default interzone or intrazone allow rule to permit this initial SSL handshake to the firewall for decryption. However, an explicit rule provides better visibility and control. If this initial flow is not allowed by any security policy, decryption will not occur.

2. Security Policy for the Decrypted Traffic (Mandatory for Inspection)

This is the crucial rule where inspection of the clear-text content happens. This rule matches the traffic after the firewall has decrypted it and before it's sent to the internal server.

Name: e.g., `Inspect-Decrypted-To-InternalWebServer`
Source Zone: Original source zone (e.g., `Untrust`).
Source Address: Original source address (e.g., `any`).
Destination Zone: The zone where the actual internal server resides (e.g., `DMZ`, `Trust`). This is the Post-NAT Destination Zone.
Destination Address: The Private IP address of the internal server (Post-NAT).
Application: `any`, or specific applications you expect (e.g., `web-browsing`, `ms-exchange-activesync`). The firewall will identify the true application after decryption. Starting with `any` and then refining based on logs is a common approach.
Service: The service/port the application on the internal server is listening on (e.g., `application-default`, or explicitly `service-http` or `service-https` if the internal server still expects HTTPS even after firewall decryption and re-encryption). Often this is still TCP/443 if the firewall re-encrypts to the server. If the firewall sends clear text HTTP to the server, then this would be `service-http` (TCP/80).
Action: `Allow`.
Security Profiles:
- Anti-Virus: Apply your standard AV profile.
- Anti-Spyware: Apply your standard AS profile.
- Vulnerability Protection: Apply a relevant profile to protect the server.
- URL Filtering: (Optional) Can be used for logging or policy if accessing web resources.
- File Blocking: Apply a profile to control file uploads/downloads.
- WildFire Analysis: Ensure files are sent to WildFire.
- Data Filtering: (Optional) If you need to inspect for sensitive data patterns.

     Understand that decrypted traffic needs its own Security Policy rule. This rule will use the *actual* App-ID (not just 'ssl') and is where you apply your main Threat Prevention and other security profiles. Pay close attention to the Source/Destination Zones and IPs for this rule (Post-NAT destination).
    

Configuration Step 5: Destination NAT (If Necessary) & Policy Matching Clarified

If external clients connect to a public IP address on the firewall that is different from the internal server's private IP, you'll need a Destination NAT (DNAT) policy.

Destination NAT Rule Configuration:

Navigate to Policies > NAT .
Click Add .
General Tab: Name your NAT rule (e.g., `DNAT-to-InternalWebServer`).
Original Packet Tab:
- Source Zone: e.g., `Untrust` (or wherever the external client traffic originates from).
- Destination Zone: The firewall's external (ingress) interface zone (e.g., `Untrust`).
- Destination Interface: Typically `any` or the specific external interface.
- Service: e.g., `service-https`.
- Source Address: e.g., `any`.
- Destination Address: The Public IP address that clients connect to.
Translated Packet Tab:
- Destination Address Translation:
  - Translation Type: `Static IP` (most common for one-to-one server mapping) or `Dynamic IP and Port` (less common for specific server access, more for load distribution).
  - Translated Address: The Private IP address of your internal server.
  - Translated Port: (Optional) If you need to change the port, specify it here. Usually, it's the same as the original.
Click OK . Ensure the NAT rule is active.

Policy Matching Order and Context - The CRITICAL Details:

Understanding how NAT, Decryption, and Security policies match traffic is vital for troubleshooting and correct configuration. Here's the typical processing order for an inbound connection subject to DNAT and SSL Inbound Inspection:

Packet Flow and Policy Matching for SSL Inbound Inspection with DNAT

Let's break down policy matching:

NAT Policy Lookup:
- Matches based on the Original Packet criteria:
  - Source Zone/Address (original client)
  - Destination Zone (firewall's ingress zone, e.g., `Untrust`)
  - Destination Address ( Public IP address )
  - Service (e.g., `service-https`)
- If a match occurs, the firewall determines the Translated Destination IP (Private IP of the server) and potentially a translated port. This translation is applied conceptually for routing *after* security policy, but the firewall knows the final destination IP for policy lookups that occur later in the flow for the *decrypted* traffic.
Decryption Policy Lookup:
- This lookup happens *before* the destination IP address in the packet is changed by NAT for forwarding.
- Matches based on:
  - Source Zone/Address (original client)
  - Destination Zone (firewall's ingress zone, e.g., `Untrust` – where the public IP is "hit")
  - Destination Address ( Public IP address )
  - Service (e.g., `service-https`)
- If a rule with Action: `Decrypt` and Type: `SSL Inbound Inspection` matches, the firewall proceeds to decrypt.
Security Policy Lookup (for the Decrypted Traffic):
- After decryption, the firewall has the clear-text application data. App-ID identifies the true application (e.g., `web-browsing`, not just `ssl`).
- The Security Policy that will inspect this decrypted content matches based on:
  - Source Zone/Address (original client)
  - Destination Zone (the actual zone of the internal server , e.g., `DMZ`, `Trust` – determined by routing to the Post-NAT Private IP)
  - Destination Address (the Private IP address of the server – from the DNAT rule)
  - Application (the identified application, e.g., `web-browsing`)
  - Service (e.g., `application-default` or the specific service port)
- Security Profiles (Threat Prevention, etc.) attached to this rule inspect the clear-text traffic.

     This is a CRITICAL area for the exam.
     
        DNAT Policy:
       
       Matches original Public IP and ingress zone. Determines the translated Private IP.
      
        Decryption Policy (SSL Inbound):
       
       Matches original Public IP and ingress zone.
      
        Security Policy (for decrypted traffic):
       
       Matches original source, but for destination, it uses the
       
        Post-NAT Private IP
       
       and the
       
        Post-NAT Zone
       
       (the server's actual zone). The application will be the identified L7 application, not 'ssl'.
      
     The user's original text had some conflicting information on zone matching. The clarification above and in the diagram reflects the typical behavior. The key is that the firewall evaluates policies at different stages of packet processing.

     
      Zone Mismatches are Common Issues:
     
        Decryption Policy Destination Zone:
       
       Must be the zone of the interface receiving the traffic destined for the Public IP (usually your `Untrust` or external zone).
      
        Security Policy (for decrypted traffic) Destination Zone:
       
       Must be the zone where the internal server (Private IP) resides (e.g., `DMZ`, `Trust`).
      
     Using the wrong zones in these policies will cause traffic to be dropped or not decrypted as expected.

Advanced Topics, Caveats, and Best Practices

Caveats, Gotchas, and Considerations

While powerful, SSL Inbound Inspection comes with important considerations:

Private Key Security Risk: Storing server private keys on the firewall is a significant security consideration. The firewall itself becomes a high-value target.
- If the firewall is compromised, these keys could be stolen, allowing an attacker to impersonate your servers or decrypt captured traffic.
- Strictly control administrative access to the firewall.
- Use strong, unique passwords for firewall accounts.
- Implement multi-factor authentication (MFA) for firewall administrators.
- Secure configuration backups, as they may contain the private keys (unless "Mark Private Key Exportable" was unchecked during import and HSM is not used).
- Consider using a Hardware Security Module (HSM) for private key storage in high-security environments, though this adds complexity and cost.
Certificate Management Overhead:
- You must manage the lifecycle of the imported server certificates and keys on the firewall.
- When a server certificate is renewed, the new certificate (and its private key, if changed) must be promptly imported into the firewall and updated in the Decryption Policy rule. Failure to do so will break inbound decryption.
- Automate certificate renewal reminders.
Unsupported Ciphers/Protocols:
- If the client and server negotiate an SSL/TLS version or cipher suite not supported by the firewall's decryption capabilities, the connection may fail or decryption may be bypassed (configurable in the Decryption Profile: block or no-decrypt).
- Regularly update PAN-OS to get the latest cipher support.
Client Certificate Authentication:
- SSL Inbound Inspection is generally incompatible with web applications that require client certificate authentication (mutual TLS authentication).
- The firewall terminates the initial SSL session from the client. When the firewall initiates a new SSL session to the internal server, it doesn't possess the original client's certificate to present to the server.
- Workarounds are complex and might involve specific proxy configurations or application-level changes, or bypassing decryption for such services. Palo Alto Networks offers some features for passing client certificate information in HTTP headers in specific scenarios (e.g., for SSL Forward Proxy, less straightforward for Inbound), but true mTLS pass-through with inspection is challenging.
Application Sensitivity to MITM:
- Some highly sensitive applications or clients might use techniques like certificate pinning (where the client expects a specific server certificate or public key) which can break if they detect the MITM, even if the correct server certificate is used by the firewall. This is rare for general web traffic but can occur with custom applications.
Correct Certificate Selection in Policy: Ensure the exact server certificate (matching the one on the actual server and the hostname clients use) is selected in the Decryption Policy rule. Using the wrong certificate will cause trust errors for clients.
Troubleshooting Complexity: Diagnosing connection issues can be more complex. Problems can stem from:
- Certificate mismatches (CN/SAN, expiry, chain issues).
- Private key problems (incorrect key, corrupted import).
- Unsupported SSL/TLS parameters.
- Misconfigured NAT rules.
- Incorrect zones or IPs in Decryption or Security policies.
- Decryption Profile settings blocking the session.
Thoroughly check firewall logs (Decryption, Traffic, Threat) and use packet captures.
Server-Side SNI (Server Name Indication) Issues:
- If multiple websites/services are hosted on the same internal server IP and port, relying on SNI for the server to present the correct certificate, ensure the firewall's connection to the backend server also correctly uses or relays SNI if needed. Usually, the firewall determines which certificate to use for the client-facing side based on the destination IP in the decryption policy. The connection to the backend server is a separate SSL handshake.
Traffic from Internal Networks (East-West Decryption): While "inbound" often implies external-to-internal, you can use SSL Inbound Inspection to decrypt traffic between internal network segments (e.g., user zone to server zone) if the firewall sits in the path and has the server's certificate and key. The principles are the same.

Performance Considerations

Decrypting and re-encrypting SSL/TLS traffic is computationally intensive and consumes firewall resources, primarily CPU and memory. This can impact overall firewall throughput and session capacity.

Firewall Sizing: Ensure your Palo Alto Networks firewall model is adequately sized for the expected volume of inbound decrypted traffic, in addition to all other processing it performs. Consult Palo Alto Networks datasheets which often provide "SSL Decryption Throughput" or similar metrics.
Hardware Acceleration: Modern Palo Alto Networks firewalls have dedicated hardware for cryptographic operations, which significantly helps. However, resources are still finite.
Cipher Suite Choice: Some cipher suites are more computationally expensive than others. For example, AES-GCM ciphers are generally more efficient than AES-CBC ciphers. ECDHE is generally more efficient than DHE.
Number of Concurrent Decrypted Sessions: Each decrypted session consumes memory. High numbers of concurrent sessions can strain resources.
Traffic Profile: Throughput-intensive applications (large file transfers) will stress CPU more for decryption than transactional applications with small payloads.
Selective Decryption:
- Don't decrypt everything indiscriminately. Create specific Decryption Policy rules to only decrypt traffic to servers that genuinely require inspection.
- Use "No Decrypt" actions for trusted traffic or traffic to servers where inspection is not critical or feasible, to conserve resources.
Monitoring:
- Regularly monitor firewall CPU, memory, and session utilization ( show system resources , show session info , Dashboard widgets).
- Check decryption-specific statistics ( show counter global filter aspect ssl , show ssl-decrypt statistics ) to understand the decryption load.
- If performance degradation is observed after enabling decryption, review your decryption policies and firewall sizing.

     Performance impact is a key consideration. Understand that decryption uses resources, the importance of proper sizing, and the benefit of selective decryption.
    

Troubleshooting SSL Inbound Inspection

When SSL Inbound Inspection isn't working as expected, systematic troubleshooting is key.

Common Symptoms:

Clients receive certificate errors (e.g., untrusted, hostname mismatch, expired).
Connections to the server fail or timeout.
Traffic is not being decrypted (verified via logs, App-ID still shows 'ssl').
Application doesn't function correctly after passing through the firewall.

Troubleshooting Steps & Tools:

Verify Certificate and Private Key:
- Is the correct server certificate selected in the Decryption Policy rule?
- Does the imported certificate on the firewall have its private key associated (key icon visible in Device > Certificate Management > Certificates )?
- Is the certificate valid (not expired, CN/SAN matches the hostname clients use)?
- If using a PKCS#12 bundle, was the import passphrase correct?
- Is the full certificate chain (server cert -> intermediates -> root) correctly presented to the client? Use browser developer tools or openssl s_client to check the chain sent by the firewall.
Check Decryption Logs:
- Navigate to Monitor > Logs > Decryption .
- Look for sessions matching your target server.
- Common error messages:
  - "SSL/TLS handshake failed"
  - "Unsupported cipher suite" or "Unsupported SSL/TLS version"
  - "Certificate validation error" (for firewall-to-server connection)
  - "Private key mismatch"
  - "Session terminated: Decryption error"
- The "Error / Details" column provides crucial clues.
Check Traffic Logs:
- Navigate to Monitor > Logs > Traffic .
- Filter for traffic to your server's public IP.
- If decryption is working, you should see two sessions for a single client connection:
  1. The initial session with Application `ssl` (allowed by the pre-decryption Security Policy).
  2. A second session (after decryption) with the *actual* Application ID (e.g., `web-browsing`) and the decrypted traffic being allowed/denied by the post-decryption Security Policy. The "Decrypted" column should show "Yes".
- If you only see the `ssl` application and "Decrypted: No", then decryption is not happening for that flow. Check Decryption Policy and prerequisite Security Policy.
- If traffic is being denied, check which Security Policy rule is causing it.
Verify Policy Matching (Decryption, Security, NAT):
- Decryption Policy: Is the source/destination IP/zone/service correct? Is the rule enabled? Is it being hit (check rule counters)?
- Security Policy (for decrypted traffic): Is the source IP/zone correct? Is the destination IP (Private IP) and Zone (server's internal zone) correct? Is the application/service correct? Is it being hit?
- NAT Policy: Is the DNAT rule correctly translating the public IP to the server's private IP?
Check Decryption Profile Settings:
- Are settings for unsupported ciphers/versions, or certificate validation, causing sessions to be blocked or not decrypted?
- Temporarily set "Unsupported Cipher Suites" and "Unsupported Protocol Versions" to "No decrypt" for testing if you suspect a cipher/version issue (but revert to "Block" for security).
Packet Captures (PCAPs):
- Monitor > Packet Capture .
- Capture traffic on different stages:
  - Client-to-Firewall (on external interface).
  - Firewall-to-Server (on internal interface).
- Analyze with Wireshark. Look at SSL/TLS handshakes, alerts, and certificate details.
- You can filter for ssl.handshake.type == 2 (Server Hello) to see the ciphers offered by the firewall (impersonating the server) and by the actual server.
CLI Commands:
- show counter global filter aspect ssl | match err (look for error counters)
- show ssl-decrypt session all (view active decrypted sessions)
- show ssl-decrypt statistics (general decryption stats)
- debug dataplane packet-diag set filter ... and debug dataplane packet-diag show (advanced, for detailed packet processing flow)
- test decryption-policy-match source <ip> destination <ip> ... (to test if traffic matches a decryption rule).
- test nat-policy-match ... (to test NAT policy).
Client-Side Tools:
- Browser developer tools (Network tab, Security tab to inspect certificate).
- openssl s_client -connect <public_IP :443> -servername <hostname> : Excellent for checking the certificate presented by the firewall, the chain, and negotiated cipher.
- curl -v https://<hostname_or_publicIP> : Shows handshake details.

     For the exam, know where to find Decryption logs and Traffic logs. Understand how to interpret Traffic log entries for a successfully decrypted session (seeing App-ID change, Decrypted=Yes). Be familiar with basic CLI commands for checking SSL stats or errors.
    

Advanced Use Case: HIP Integration with SSL Inbound Inspection

Host Information Profile (HIP) is a feature that collects information about the security status of connecting endpoints (e.g., OS patch level, antivirus status, disk encryption). While HIP is most commonly associated with GlobalProtect VPN or internal network access control, it can be integrated with SSL Inbound Inspection in specific scenarios to enhance server protection.

Scenario: Protecting a Sensitive Internal Server

Imagine you have a highly sensitive internal application server (e.g., an HR portal, a financial database front-end) that is accessed via SSL Inbound Inspection. You want to ensure that only compliant devices (whether they are remote GlobalProtect users or internal users whose endpoints are managed) can access this server, even after their traffic is decrypted.

Implementation Concept:

SSL Inbound Inspection Setup: Configure SSL Inbound Inspection for the sensitive server as usual (import server cert/key, decryption policy, etc.).
HIP Object & Profile:
- Create a HIP Object ( Objects > GlobalProtect > HIP Objects ) defining the compliance criteria (e.g., "Antivirus Real-time Protection must be enabled", "OS must be Windows 10 with latest patches").
- Create a HIP Profile ( Objects > GlobalProtect > HIP Profiles ) that includes the HIP Object.
Security Policy for Decrypted Traffic:
- Modify the Security Policy rule that allows the decrypted traffic to the internal sensitive server.
- In this Security Policy rule:
  - Source User: Can be `any` or specific user groups if known.
  - HIP Profiles: Add the HIP Profile you created. This tells the firewall to check the connecting endpoint's HIP report.
- If an endpoint connects, its traffic is decrypted, and then this Security Policy rule is evaluated:
  - If the endpoint has a GlobalProtect agent (or an internal User-ID agent distributing HIP info) and submits a HIP report that matches the HIP Profile, access is allowed.
  - If the HIP report does not match , or if no HIP report is available (e.g., an unmanaged external client), access is blocked by this rule (assuming no other rule allows it).

HIP Check After SSL Inbound Decryption

Considerations for HIP with Inbound Inspection:

Client Endpoint Agent: HIP checks rely on the endpoint having a GlobalProtect agent (for remote or internal users) or potentially User-ID agent with HIP data distribution for purely internal clients. External, unmanaged clients typically won't provide HIP data.
Use Case Specificity: This is a more niche use case. It's most effective when the clients accessing the inbound-inspected server are known and managed (e.g., employees accessing an internal portal that's also reverse-proxied, partners with GP agents).
User Experience: If a user is blocked due to HIP non-compliance, ensure they have a way to understand why and how to remediate their endpoint.

This combination allows you to enforce endpoint compliance even for traffic destined for internally hosted servers that are being protected by SSL Inbound Inspection, adding another layer of defense by ensuring that not only is the traffic clean, but the connecting device is also in a healthy state.

Best Practices Summary for SSL Inbound Inspection

Minimize Private Key Exposure:
- Only import private keys onto the firewall when absolutely necessary for business and security requirements.
- Strictly limit administrative access to the firewall. Use MFA.
- Do NOT enable "Mark Private Key Exportable" during certificate import unless there's an overriding, documented need.
- Consider HSM integration for maximum private key security in sensitive environments.
Use Specific Decryption and Security Rules:
- Target only the specific public IPs/services of internal servers that require inspection. Avoid broad "decrypt all" inbound rules.
- Ensure zones and IP addresses in Decryption and Security policies correctly reflect Pre-NAT and Post-NAT contexts as required.
Keep Certificates Updated:
- Implement a robust process for renewing and updating imported server certificates and keys on the firewall before they expire.
- Synchronize firewall certificate updates with actual server certificate updates.
Apply Strong Security Profiles:
- The primary purpose of decryption is inspection. Ensure comprehensive Threat Prevention (AV, AS, IPS), WildFire, and other relevant Security Profiles (File Blocking, Data Filtering) are applied to the Security Policy rule that governs the decrypted traffic.
Configure Decryption Profiles Wisely:
- Use Decryption Profiles to manage how unsupported protocols/ciphers are handled (recommend blocking insecure/unsupported ones).
- Enable server certificate validation for the firewall's connection to the internal server to prevent MITM attacks against your own backend.
Monitor Performance:
- Keep an eye on firewall CPU, memory, and SSL decryption-specific resource utilization after enabling inbound decryption.
- Size your firewall appropriately for the decryption load.
Regularly Review Logs:
- Monitor Decryption logs for errors or unexpected behavior.
- Monitor Traffic logs to verify decryption is occurring (App-ID changes, "Decrypted: Yes") and that appropriate Security Policies are being hit.
Understand Application Requirements:
- Be aware if the internal application uses client certificate authentication, certificate pinning, or other mechanisms that might conflict with SSL Inbound Inspection.
- Test thoroughly.
Start with Non-Critical Servers: If possible, pilot inbound decryption on less critical internal servers before deploying it for mission-critical applications to understand the impact and refine configurations.
Documentation: Document your SSL Inbound Inspection setup, including which servers are being decrypted, certificate expiry dates, and responsible parties.

PCNSE Exam Focus & Interactive Quiz

PCNSE Exam Key Points for SSL Inbound Inspection

For the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam, mastery of SSL Inbound Inspection concepts is crucial. Expect questions covering:

Purpose and Core Concept: Why use it (visibility into encrypted traffic to internal servers) and how it works (MITM using server's actual cert/key).
Distinction from SSL Forward Proxy: Clearly understand the difference. Inbound protects your servers; Forward Proxy inspects your users' outbound traffic.
Critical Requirement: The firewall needs the server's certificate AND its private key . This is paramount.
Configuration Components:
- Certificate Import (knowing that the private key must be included, and the implications of "Mark Private Key Exportable").
- Decryption Profile (key settings for inbound, e.g., handling unsupported ciphers/versions, server certificate validation).
- Decryption Policy Rule (key fields: Action `Decrypt`, Type `SSL Inbound Inspection`, selecting the Server Certificate).
Policy Matching (Especially with DNAT):
- Decryption Policy: Matches on Pre-NAT Destination IP (Public IP) and Pre-NAT Destination Zone (ingress interface zone).
- Security Policy for decrypted traffic: Matches on Post-NAT Destination IP (Private IP) and Post-NAT Destination Zone (internal server's zone). App-ID will be the actual application, not `ssl`.
Impact on Visibility: How it enables accurate App-ID and allows Threat Prevention profiles to inspect content.
Resource Implications: Understand that decryption is resource-intensive (CPU, memory).
Security Implications: The risk of storing private keys on the firewall.
Limitations:
- Incompatibility with client certificate authentication.
- Potential issues with applications using certificate pinning.
Troubleshooting:
- Knowing where to find Decryption logs and Traffic logs.
- Interpreting log entries to identify issues (e.g., certificate errors, policy mismatches).
- Basic CLI commands for checking status/stats.
Supported Ciphers/PFS: General awareness that modern ciphers and PFS are supported.

     The PCNSE exam will likely present scenarios where you need to identify misconfigurations or choose the correct policy settings for SSL Inbound Inspection to work. Pay very close attention to the IP addresses and Zones used in Decryption vs. Security policies when DNAT is involved.
    

Interactive Quiz: Test Your Knowledge!

1. What is the most critical prerequisite for configuring SSL Inbound Inspection on a Palo Alto Networks firewall?

The public IP address of the internal server. The server's SSL/TLS certificate AND its corresponding private key. A dedicated SSL decryption hardware module. The Root CA certificate that signed the firewall's own certificate.

2. In an SSL Inbound Inspection scenario with Destination NAT, which IP address is typically used as the Destination Address in the Decryption Policy rule?

The private IP address of the internal server (Post-NAT). The IP address of the external client. The public IP address that external clients connect to (Pre-NAT). The IP address of the firewall's internal interface.

3. Which of the following is a primary benefit of SSL Inbound Inspection?

Allowing Threat Prevention profiles to inspect encrypted traffic destined for internal servers. Encrypting traffic from internal users to external websites. Preventing users from accessing malicious websites. Authenticating users before they access internal resources.

4. What action and type must be selected in the "Options" tab of a Decryption Policy rule to enable SSL Inbound Inspection?

Action: No Decrypt, Type: SSL Forward Proxy Action: Decrypt, Type: SSL Forward Proxy Action: No Decrypt, Type: SSL Inbound Inspection Action: Decrypt, Type: SSL Inbound Inspection

5. After SSL Inbound Inspection successfully decrypts traffic, which Application ID will typically be seen in the Traffic logs for a connection to a web server?

ssl web-browsing (or the specific web application) unknown-tcp inbound-inspection-app

6. What is a significant security risk associated with SSL Inbound Inspection?

Increased latency for all network traffic. Incompatibility with all modern web browsers. Storing server private keys on the firewall, making it a high-value target. The firewall sending too much data to WildFire.

7. If an internal web application requires client certificate authentication (mutual TLS), how does SSL Inbound Inspection typically affect it?

It is generally incompatible, as the firewall terminates the client's SSL session. It enhances client certificate authentication by validating certificates more strictly. It seamlessly passes client certificates through to the server. It requires a special "Client Cert Passthrough" license on the firewall.

8. When importing a server certificate and its private key for SSL Inbound Inspection, why is it generally recommended to leave "Mark Private Key Exportable" unchecked?

To allow the key to be automatically updated by the CA. To ensure the key can be used by multiple Decryption Policies. To reduce the CPU load during decryption. To enhance security by preventing the private key from being easily exported from the firewall's configuration.

9. Which firewall log is most useful for initially troubleshooting SSL Inbound Inspection failures related to the decryption process itself (e.g., handshake errors, unsupported ciphers)?

Threat Log Decryption Log URL Filtering Log System Log

10. In a Security Policy rule designed to inspect traffic *after* SSL Inbound Decryption, what should be the Destination Zone and Destination Address?

Pre-NAT Public IP and Pre-NAT Ingress Zone. Pre-NAT Public IP and Post-NAT Internal Server's Zone. Post-NAT Private IP of the server and Post-NAT Internal Server's Zone. Post-NAT Private IP of the server and Pre-NAT Ingress Zone.

11. What is the primary difference in certificate usage between SSL Inbound Inspection and SSL Forward Proxy?

Inbound uses the actual server's cert & key; Forward Proxy uses a firewall-generated cert signed by a Forward Trust CA. Inbound uses a firewall-generated cert; Forward Proxy uses the actual server's cert & key. Both use the actual server's certificate and private key. Both use a firewall-generated certificate signed by a Forward Trust CA.

12. If a Decryption Profile for SSL Inbound Inspection is configured to "Block session" for unsupported cipher suites, what happens when a client tries to connect using only unsupported ciphers?

The session is allowed but not decrypted. The firewall blocks the SSL/TLS handshake, and the client connection fails. The firewall attempts to negotiate a supported cipher, ignoring the profile setting. The session is decrypted using a default fallback cipher.

13. What does Perfect Forward Secrecy (PFS) ensure in the context of SSL/TLS sessions decrypted by the firewall?

That only RSA keys are used for key exchange. That the server's private key is changed for every session. That the firewall does not need the server's private key. That compromising the server's long-term private key does not compromise past session keys.

14. Which of these certificate formats can bundle a server certificate, intermediate CAs, and the private key into a single, often password-protected, file?

DER PEM (as a single certificate file) PKCS#12 (PFX) CRL

15. If you see traffic logged with Application "ssl" and Decrypted "No" for a server you intend to inspect with SSL Inbound Inspection, what is a likely cause?

The Threat Prevention profile is too strict. The traffic is not matching the Decryption Policy rule, or the rule's action is not "Decrypt". The internal server is offline. The client is using HTTP instead of HTTPS.

16. When configuring SSL Inbound Inspection, the Decryption Profile allows you to define behavior for the firewall's connection to the actual internal server. What is a recommended setting for "Block sessions if certificate is untrusted" in this context?

Enabled (checked) - to ensure the firewall validates the internal server's certificate. Disabled (unchecked) - because the firewall already has the server's key. Enabled only if the internal server uses a public CA. Disabled, as this check is only relevant for SSL Forward Proxy.

17. What is the primary function of a Destination NAT (DNAT) rule in the context of SSL Inbound Inspection?

To change the source IP address of the external client. To encrypt the traffic before it reaches the internal server. To select which server certificate the firewall should use for decryption. To translate the public destination IP address (accessed by clients) to the internal server's private IP address.

18. SSL Inbound Inspection significantly impacts which firewall resource the most?

Disk I/O for logging. Network interface bandwidth capacity. CPU and memory for cryptographic operations and session handling. Panorama connectivity.

19. If an administrator wants to ensure that only corporate endpoints meeting specific security criteria (e.g., up-to-date AV) can access a sensitive internal server via SSL Inbound Inspection, which feature could be integrated with the post-decryption Security Policy?

URL Filtering with custom categories. Host Information Profile (HIP) matching. Quality of Service (QoS) profiles. App-ID Override.

20. To verify the certificate chain being presented by the firewall to an external client during SSL Inbound Inspection, which tool would be most effective on the client-side?

Using `openssl s_client` command or browser developer tools. Checking the firewall's System logs. Running `show ssl-decrypt statistics` on the firewall CLI. Pinging the server's public IP address.