SSL Inbound Inspection Configuration on Palo Alto Networks Firewall

From Notes_Wiki

Home > Enterprise security devices or applications > Paloalto firewall > SSL Inbound Inspection Configuration on Palo Alto Networks Firewall

Introduction

SSL Inbound Inspection is a feature on Palo Alto Networks firewalls that enables decryption and inspection of encrypted traffic destined for internal servers. This is crucial for detecting threats hidden in SSL/TLS traffic that would otherwise bypass inspection.

This article outlines a step-by-step process to configure SSL Inbound Inspection when hosting services behind NAT and using public IPs.

Step 1: Verify the Server Certificate Chain

Before implementing SSL Inbound Inspection, ensure that the firewall can present the exact certificate chain as the actual server. Mismatches can cause client connections or services to fail. Action:

  1. Visit www. ssllabs.com/ssltest.
  2. Enter the public domain of the service/server.
  3. Analyze the certificate chain and make note of:
    1. Server certificate
    2. Intermediate certificate(s)
    3. Root certificate

First we will check what is/are the certificates provided by the server/site by checking the URL on www. ssllabs.com/ssltest.


Checking the certificate chain / certificates provided by the site (server) is very important as when SSL Inbound Inspection configuration is completed. The firewall will start presenting the certificate in place of server. So, after SSL Inbound Inspection the same certificate chain / certificates should be provided by the firewall otherwise some services may stop working.

We have to get the server certificate combined with intermediate certificate. In server’s certificate directory we could find fullchain.pem which contains both server certificate and intermediate certificate in one file.

Note: If the certificate chain is not replicated correctly by the firewall, SSL clients may reject the connection.

Step 2: Collect and Prepare Certificates

The server’s certificate and private key are required.

Files Needed:

  1. fullchain.pem: Contains the server + intermediate certificate(s).
  2. privkey.pem: Contains the private key of the server.

We have to get the server certificate combined with intermediate certificate. In server’s certificate directory we could find fullchain.pem which contains both server certificate and intermediate certificate in one file.


Enter the passphrase you used in OpenSSL. using OpenSSL application to encrypt Private keys of the servers. As we will not be able to upload the Private key without passphrase.


Command used below: 

- openssl pkey -aes256 -in “provide the location of the private key which should be encrypted” -out “provide the location for the encrypted private key with the name of the private key’s name”

For example: 

The name of the private key which I want to encrypt is privkey6.pem and location of the private key is c:\Users\Owner\Desktop\SSL Inbound Inspection\2025-05-22-gitlab. I want the encrypted private key should also be placed in the same folder but, with Gitlab_privkey_with_passphrase.pem name.


Command: 

 -openssl pkey -aes256 -in “c:\Users\Owner\Desktop\SSL Inbound Inspection\2025-05-22-gitlab\privkey6.pem” -out “c:\Users\Owner\Desktop\SSL Inbound Inspection\2025-05-22-gitlab\Gitlab_privkey_with_passphrase.pem”

Step 3: Import the Server Certificate into the Firewall

Navigation:

Device > Certificate Management > Certificates > Import Steps:

  1. Click Import.
  2. Provide a friendly name for the certificate (e.g., GBB-Root-Cert).
  3. Upload: Certificate File: fullchain.pem
  4. Key File: Encrypted private key (e.g., Gitlab_privkey_with_passphrase.pem)

Step 4: Create Decryption Profile

Navigation: Objects > Decryption Profile > Add

Steps:

  1. Name the profile (e.g., Inbound-Decryption-Profile).
  2. In the SSL Inbound Inspection tab:
  3. Leave options disabled to prevent service disruption (you can modify later).
  4. Go to ‘SSL Inbound Inspection tab -> Under ‘SSL Inbound Inspection’ tab we are not enabling any options as it may cause some service to stop working as expected. But we can modify the Decryption Profile as per our requirement at any time.
  5. Go to ‘SSL Protocol Settings’ tab. In this tab we can configure the protocols through which the site should be accessible from the user’s machine connected to outside network.
  6. In the SSL Protocol Settings tab:
    1. Set Min Version: TLSv1.2
    2. Set Max Version: Max
  7. Leave algorithm settings as default (to prevent false positives or dropped sessions).


Additionally, we can also modify Key Exchange Algorithms, Encryption Algorithms and Authentication Algorithms and block certificate exchange over weak Algorithms.

Note: - If we allow the exchange over only strong algorithms then sometimes legitimate traffics can also be dropped. Which can arise an issue.

Here, we can leave the algorithm settings as default to avoid any kind of disruption.


Click OK to save the profile.

Step 5: Create Decryption Policy

Navigation: Policies > Decryption > Add

Steps:

  1. Name the policy (e.g., Inbound-Decrypt-Gitlab).
  1. Source Tab: Source Zone: WAN
  2. Destination Tab:
    1. Destination Zone: DMZ (or applicable internal zone)
    2. Destination Address: Public IP(s) used for NAT
  3. Options Tab:
    1. Action: Decrypt
    2. Type: SSL Inbound Inspection
    3. Decryption Profile: Select the profile created earlier
  4. Certificate: Select the certificate corresponding to the destination IP
  5. Click OK to save the policy.


Step 6: Commit the Configuration

After creating profiles and policies, click Commit in the upper-right corner of the WebUI to apply the changes.

Additional Notes

  1. Monitor logs to verify if traffic is being decrypted successfully.
  2. Ensure certificate renewal is done timely, and updated certificates are imported.
  3. If any services fail post-deployment, adjust decryption profiles to loosen restrictions.

Conclusion

SSL Inbound Inspection provides critical visibility into encrypted traffic, helping detect and mitigate advanced threats. By properly preparing and configuring server certificates, decryption profiles, and policies, you ensure secure yet seamless access to your internal services hosted behind Palo Alto firewalls.

Home > Enterprise security devices or applications > Paloalto firewall > SSL Inbound Inspection Configuration on Palo Alto Networks Firewall

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=SSL_Inbound_Inspection_Configuration_on_Palo_Alto_Networks_Firewall&oldid=9349"