1.Mục đnch bai viết
In this article, techbast explains how to configure the decryption feature on a Palo Alto Firewall appliance.
2. Diagram
Details:
- The Palo Alto firewall connects to the Internet through the Ethernet1/1 port with a static IP address of 172.16.16.157.
- The Palo Alto device connects to the local network through an Ethernet1/2 port with a static IP of 10.0.0.1/24.
- On Ethernet port 1/2, DHCP is configured to be distributed to devices.
- PC 1 is connected to the Ethernet1/2 port and gets the IP address 10.0.0.2.
- The Palo Alto firewall appliance is configured with a policy, nat, to allow PC 1 to access the Internet.
3. Scenario
We will configure decryption so that the Palo Alto device can decrypt all traffic that PC 1 uses to access the Internet.
4. Các bước thực hiện
- Creating a certificate
- Setting up a transcription guide
- Add a certificate on PC 1
- Results.
5. Configuration
5.1 Creating a certificate
To configure decryption, go to Device > Certificate Manager > Certificates.
Click Generate to create a new certificate with the following information:
- Certificate name: trusted-ca
- Common name: 10.0.0.1 (IP address of the local network)
- Certification body : Check the certificate authority.
Click on the Create button.
Click New to create a new and different certificate with the following information:
- Common name: unreliable-ca
- Common name: unreliable
- Certification body : Check the certificate authority.
Click on the Create button.
Click the trusted certificate authority name to change it as follows:
- Check the box for the Forward Trust certificate.
Press OK.
Similar to clicking on an untrusted name ca to change the following:
- Check Forward’s unreliability certificate.
Press OK.
Then check the trusted-ca certificate box and click Export Certificate to download the certificate to your computer.
5.2. Create a decryption policy
Next we are going to create a decryption policy, go to Policy>Decryption>Click on Add and configure it with the following settings:
- Service category/URL : Every person
- Options : Under Action, select Decryption and under Type, select SSL Transfer Proxy.
5.3. Add a certificate to PC 1
Type mmc in the Windows search box and press Enter to open the Microsoft Management Console.
Select Console Root > Click File > Click Add/Delete Snap-In…
The Add or Remove Snap-in panel appears, check the Certificate box and click Add.
The Certificates snap-in window appears, select Computer Account > Next > Local Computer > Finish > OK.
Go to Certificates (local computer)>Right-click Trusted Root Certification Authorities>Certificates> select All Tasks <Import.
The Certificate Import Wizard window appears. Click Next> In the File Name line, click Browse and navigate to the location where you saved the certificate when you exported it.
Click Next>Finish to complete the import.
5.4. Result
We go to PC 1 and access the Internet.
We then go back to the Palo Alto device log to see if the traffic has been decrypted.
To view the log, go to Monitor>Traffic.
We look at the Decrypted column and see that the traffic was decrypted on https port 443.
YOU MAY ALSO BE INTERESTED IN
Related Tags:
Feedback,decrypt web.config appsettingsencrypt web config programmaticallydecrypt cfg file onlinedecrypt config file onlineconfig file decryption tooldecrypt rsa web config,People also search for,Privacy settings,How Search works,decrypt web.config appsettings,encrypt web config programmatically,decrypt cfg file online,decrypt config file online,config file decryption tool,decrypt rsa web config,aspnet_regiis. location,encrypt web.config appsettings
