PAN-OS: Configuring SSL Inbound Inspection

What is SSL Inbound Inspection?

SSL Inbound Inspection is a feature on Palo Alto Networks firewalls that allows the firewall to decrypt and inspect SSL/TLS traffic destined for internal servers (e.g., internal web servers, application servers) hosted behind the firewall. By decrypting this incoming traffic, the firewall gains visibility into the application and content within the encrypted session.

This visibility is essential for applying effective security measures, including:

Threat Prevention: Detecting and blocking malware, vulnerabilities, spyware, and malicious commands hidden within encrypted traffic targeting internal servers.
Accurate App-ID: Identifying the true application running over SSL/TLS (not just identifying it as 'ssl'), allowing for more granular Security Policy control.
URL Filtering: Applying URL category filtering to requests destined for internal web servers (less common but possible).
File Blocking/Data Filtering: Preventing malicious file uploads or sensitive data exfiltration over encrypted channels to internal servers.
Compliance: Meeting regulatory requirements that mandate inspection of encrypted traffic.

This is distinct from SSL Forward Proxy (Outbound Inspection), where the firewall decrypts traffic initiated by internal clients going to external websites.

SSL Inbound Inspection works by placing the firewall in a Man-in-the-Middle (MITM) position between the external client and the internal server.

Critical Requirement: For the firewall to successfully decrypt the incoming session and impersonate the internal server to the external client, it MUST possess the internal server's actual SSL/TLS certificate AND its corresponding private key .

An external client initiates an SSL/TLS connection to the public IP address associated with the internal server (this might be a NAT address or the firewall interface).
The firewall intercepts this connection attempt (based on a matching Decryption Policy rule).
The firewall uses the imported server certificate and private key to complete the SSL/TLS handshake with the external client, essentially pretending to be the real server.
Simultaneously, the firewall initiates a *separate* SSL/TLS connection to the *actual* internal server (using standard certificate validation).
The firewall now sits in the middle, decrypting traffic from the client, inspecting it, re-encrypting it, and sending it to the server (and vice-versa for the return traffic).

This allows the firewall's security engines (App-ID, Threat Prevention, etc.) to inspect the clear-text application data flowing between the client and the server.

Before configuring SSL Inbound Inspection, ensure these are available:

Server Certificate and Private Key: The exact certificate used by the internal server AND its corresponding private key must be obtained. The private key must be exportable from the server/CA.
Full Certificate Chain (Optional but Recommended): If the server certificate is signed by intermediate CAs, importing the full chain onto the firewall can help ensure proper validation.
Supporting Network Configuration: Interfaces, Zones, Virtual Routers configured. Destination NAT (DNAT) might be needed if clients access a public IP that needs translation to the internal server's private IP.
Security Policy: A Security Policy rule must exist to allow the underlying (pre-decryption) traffic (typically HTTPS on TCP/443) from the source zone to the destination zone where the server resides (or where the NAT occurs).

Import Server Certificate and Private Key:
- GUI Path: Device > Certificate Management > Certificates
- Click Import .
- Certificate Name: Give it a descriptive name (e.g., `WebServer-Prod-Cert`).
- Select the Certificate File (usually PEM or PKCS12 format).
- Check the box `Import Private Key` .
- Select the corresponding Private Key File (if separate) or provide the passphrase if the key is encrypted or part of a PKCS12 bundle.
- Do NOT check `Mark Private Key Exportable` unless absolutely necessary for specific, documented reasons. Leaving it unchecked enhances security.
- Click OK. Verify the certificate shows "Valid" and includes a private key icon.
- Import any necessary Intermediate/Root CA certificates if they are not already trusted by the firewall.
Create a Decryption Profile (Optional but Recommended):
- GUI Path: Objects > Decryption > Decryption Profile
- Click Add .
- Name: e.g., `Inbound-Decrypt-Profile`.
- SSL Decryption Tab > SSL Inbound Inspection Tab: Configure options for handling unsupported modes, certificate checks, session limits, etc. Often, default settings are acceptable for basic inbound inspection, but review options based on security requirements.
- Click OK.
Create a Decryption Policy Rule:
- GUI Path: Policies > Decryption
- Click Add .
- Name: e.g., `Decrypt-Internal-WebServer`.
- Source Tab: Define Source Zone(s) (e.g., `Untrust`) and Source Address(es) (`any` or specific external ranges).
- Destination Tab:
  - Define Destination Zone (where the server resides *logically* before NAT, often the external zone if using DNAT, or the internal zone if using a Layer 3 interface IP).
  - Destination Address: Enter the Public IP address that external clients connect to. This is often a VIP address on the firewall or an address used in a Destination NAT rule.
- Service/URL Category Tab:
  - Service: Typically set to service-https or a custom service object for TCP/443.
  - URL Category: Generally left as `any` for inbound inspection unless specifically needed.
- Options Tab (Crucial):
  - Action: Select `Decrypt` .
  - Type: Select `SSL Inbound Inspection` .
  - Certificate: Select the Server Certificate (with its private key) that you imported in Step 1 (e.g., `WebServer-Prod-Cert`). This is the certificate the firewall will present to external clients.
  - Decryption Profile: Select the Decryption Profile created in Step 2 (e.g., `Inbound-Decrypt-Profile`).
- Click OK.
- Ensure the rule is placed appropriately (top-down processing).
Configure Supporting Security Policy:
- Ensure a Security Policy rule exists ( Policies > Security ) that allows the initial HTTPS connection.
- Example: Source Zone `Untrust`, Dest Zone `DMZ`, Destination Address (Internal Server IP *Before* pre-nat NAT), Application `ssl`, Service `service-https`, Action `Allow`.
- Attach desired Security Profiles (Threat Prevention, File Blocking, etc.) to this Security rule. These profiles will inspect the decrypted content.
Configure Destination NAT (If Necessary):
- If clients connect to a public IP different from the server's internal IP, configure a Destination NAT rule ( Policies > NAT ).
- Match traffic destined for the Public IP on the External Zone.
- Translate the Destination IP to the Internal Server's Private IP address.
- The Decryption Policy rule matches the *original* (public) destination IP, The security policy also uses the pre-nat IP addres
Commit Changes:

Commit the configuration to the firewall.

Enhanced Security: Detects and blocks threats hidden within encrypted traffic destined for internal servers.
True Application Visibility: Allows App-ID to correctly identify applications running over SSL/TLS, enabling granular application-based security policies.
Data Loss Prevention: Enables Data Filtering profiles to inspect decrypted traffic for sensitive patterns leaving protected servers.
Compliance Adherence: Helps meet regulatory requirements mandating inspection of encrypted flows.

Caveats, Gotchas, and Considerations

Private Key Security Risk: Storing server private keys on the firewall is a significant security consideration. The firewall itself becomes a high-value target. Access to the firewall and its configuration backups must be strictly controlled.
Certificate Management Overhead: You must manage the lifecycle of the imported server certificates and keys on the firewall, ensuring they are renewed and updated alongside the actual server.
Performance Impact: Decryption is computationally intensive and consumes firewall CPU and memory resources. Ensure the firewall model is adequately sized for the expected volume of inbound decrypted traffic.
Unsupported Ciphers/Protocols: If the client and server negotiate an SSL/TLS version or cipher suite not supported by the firewall's decryption capabilities, the connection may fail or decryption may be bypassed (configurable in Decryption Profile).
Troubleshooting Complexity: Diagnosing connection issues can be more complex, potentially involving certificate mismatches, private key issues, unsupported parameters, or interaction with NAT.
Client Certificate Authentication: SSL Inbound Inspection is generally incompatible with web applications requiring client certificate authentication, as the firewall terminates the initial SSL session.
Correct Certificate Selection: Ensure the correct server certificate (matching the one on the actual server and the hostname clients use) is selected in the Decryption Policy rule.
Interaction with DNAT: Remember the Decryption policy matches the pre-NAT (public) destination IP, while Security policy often matches the post-NAT (private) destination IP.

Minimize Private Key Exposure: Only import private keys onto the firewall when absolutely necessary for business and security requirements. Strictly limit administrative access.
Use Specific Rules: Create specific Decryption Policy rules targeting only the IPs/services requiring inspection. Avoid broad "decrypt all" inbound rules.
Monitor Performance: Keep an eye on firewall CPU/resource utilization after enabling inbound decryption.
Keep Certificates Updated: Implement a process for renewing and updating imported server certificates and keys on the firewall promptly.
Apply Strong Security Profiles: The whole point is inspection; ensure comprehensive Threat Prevention and other relevant profiles are applied to the Security Policy rules allowing the decrypted traffic.
Start with Non-Critical Servers: If possible, test inbound decryption on less critical internal servers before deploying it for mission-critical applications.
Understand Application Requirements: Be aware if the internal application uses unsupported ciphers or client certificates.

For the PCNSE exam, regarding SSL Inbound Inspection:

Understand its purpose: Decrypting traffic to internal servers for inspection.
Know the critical requirement: The firewall needs the server's certificate AND private key .
Differentiate it clearly from SSL Forward Proxy (Outbound Inspection).
Know the configuration components: Certificate Import (with key), Decryption Profile (optional), Decryption Policy rule.
Identify the key settings in the Decryption Policy rule: Action (`Decrypt`), Type (`SSL Inbound Inspection`), and selecting the correct Server Certificate.
Understand the impact on visibility (App-ID, Threat Prevention).
Be aware of the performance considerations and the security implications of storing private keys on the firewall.
Recognize its incompatibility with client certificate authentication.
Understand the interaction with NAT policies (matching pre-NAT IP).

Clarification: Decryption and Security Policy Matching with DNAT

Regarding traffic subject to Destination NAT (DNAT), specifically for features like SSL Inbound Inspection, it's essential to understand which IP address the different policy engines use for matching:

NAT Policy Lookup: This lookup happens early. It identifies the DNAT rule based on the packet's Original Destination IP (Public IP) . This determines the translated Private IP address that will be used for *internal routing later*, but doesn't immediately change the packet details used for subsequent policy lookups.
Decryption Policy Lookup: To decide whether to apply decryption (like SSL Inbound Inspection), the firewall evaluates the Decryption Policy rules against the packet's details *as it arrived*. Therefore, the match criteria use the Original Destination IP (Public IP) .
Security Policy Lookup: Consistent with the principle of evaluating policy against the logical pre-translation network view, the Security Policy lookup also uses the Original Destination IP (Public IP) for its matching criteria.
Routing Decision (Internal): Only after the Decryption and Security policy decisions have been made does the firewall use the Translated Destination IP (Private IP) determined by the DNAT rule to look up the internal route and forward the packet towards the actual server.

Policy Matching Summary (with DNAT):

Policy Type	Destination IP Used for Matching
NAT Policy (Destination NAT)	Original Destination IP (Public IP)
Decryption Policy	Original Destination IP (Public IP)
Security Policy	Original Destination IP (Public IP)

Conclusion: Both Decryption Policy and Security Policy match on the Original (Pre-NAT) Destination IP address when evaluating incoming traffic, even when a Destination NAT rule applies.

Clarification: Decryption and Security Policy Matching - Destination Zone with DNAT

When considering Destination NAT (DNAT) for inbound traffic (e.g., external clients connecting to an internal server via a public IP), the Destination Zone used for policy matching follows the principle of evaluating the original packet context:

Source Zone: Determined by the physical or logical interface where the packet ingresses the firewall (e.g., `Untrust`).
Destination Zone (for Policy Matching): Determined based on the initial lookup using the Original Destination IP (Public IP) . For traffic arriving from an external source destined to a public IP associated with an external-facing interface, the Destination Zone used for both Decryption Policy and Security Policy matching is typically the zone of that ingress interface itself (e.g., `Untrust`). The firewall logically evaluates the policy as if the connection terminates in that initial zone before NAT redirection is fully applied for internal routing.
Internal Routing & Egress Zone (Post-Policy): After policy checks are complete (and traffic is allowed), the firewall uses the Translated Destination IP (Private IP) provided by the DNAT rule to perform an internal route lookup. This lookup determines the actual egress interface and corresponding Egress Zone (e.g., `DMZ`) through which the packet will leave the firewall towards the internal server. This internal/Post-NAT zone is used for the forwarding decision, not for the initial policy matching.

Zone Matching Summary (with DNAT for Inbound Traffic):

Policy Type	Source Zone Used for Matching	Destination Zone Used for Matching
Decryption Policy	Ingress Interface Zone (e.g., `Untrust`)	Ingress Interface Zone (e.g., `Untrust`)
Security Policy	Ingress Interface Zone (e.g., `Untrust`)	Ingress Interface Zone (e.g., `Untrust`)

Conclusion: For inbound traffic subject to DNAT, both Decryption and Security Policies match based on the Pre-NAT Destination Zone context, which is typically the zone of the interface where the traffic arrives.

PAN-OS: Configuring SSL Inbound Inspection

What is SSL Inbound Inspection?

Core Concept: Man-in-the-Middle (MITM) with Server's Key

Prerequisites

Configuration Steps

Import Server Certificate and Private Key:

Create a Decryption Profile (Optional but Recommended):

Create a Decryption Policy Rule:

Configure Supporting Security Policy:

Configure Destination NAT (If Necessary):

Commit Changes:

Visualization

Impact and Benefits

Caveats, Gotchas, and Considerations

Best Practices

PCNSE Exam Focus

Clarification: Decryption and Security Policy Matching with DNAT

Policy Matching Summary (with DNAT):

Clarification: Decryption and Security Policy Matching - Destination Zone with DNAT

Zone Matching Summary (with DNAT for Inbound Traffic):

SSL Inbound Inspection Quiz

References