ProxySG & Advanced Secure Gateway

  • 1.  Double SSL Decryption

    Posted Sep 01, 2020 03:53 PM
    Hi All. One of my customers is using ProxySG. Currently they are doing SSL decryption on their Palo Alto firewall. However, they now have a requirement to also do SSL inspection on ProxySG. The problem is that they cannot disable SSL decryption on their firewall because of some internal requirements. Is it possible for us to do SSL inspection in both places seamlessly without running into any issues? If yes, then please clarify the items below.

    1) What steps are required on ProxySG side to achieve this? Please share the required configuration that needs to be done.

    2) Would there be very high traffic latency because of this?

    Your feedback is highly appreciated.

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: Double SSL Decryption

    Broadcom Employee
    Posted Sep 01, 2020 04:11 PM
    Hello Sym, 

    You have already asked this very same question 2 weeks ago and the answer has been provided, was there something wrong with the answer given?

    Answer here : https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?GroupId=2857&MessageKey=ddc9e25c-1425-4246-a7fe-0a1264427c59&CommunityKey=3ccfc309-780b-4c9e-9224-f2a425f538f5&tab=digestviewer&ReturnUrl=%2fsymantecenterprise%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3d3ccfc309-780b-4c9e-9224-f2a425f538f5%26tab%3ddigestviewer

    Slava


  • 3.  RE: Double SSL Decryption

    Posted Sep 01, 2020 04:18 PM
    Hi Slava, thanks for your reply. Actually I was looking for the required steps for importing the certificate. Do I just ask the firewall team to provide me the certificate they are using for decryption, then simply import it on the proxy into the Proxy CA and Browser Trusted lists and enable SSL interception, or is there any other configuration that also needs to be done on the proxy?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 4.  RE: Double SSL Decryption

    Posted Sep 01, 2020 04:41 PM
    Hi Slava, do I just need to follow the steps mentioned in the below KB to import PAN certificate in pem format into Proxy and that's it?

    https://knowledge.broadcom.com/external/article/166596/importing-a-ca-certificate-into-the-prox.html

    Thanks in advance.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 5.  RE: Double SSL Decryption

    Posted Sep 01, 2020 05:01 PM
    Dear SymSpec,

    Please find below the KB article from B'com on how to configure ProxySG to perform SSL Interception.

    https://knowledge.broadcom.com/external/article/168284/configure-ssl-interception-with-microsof.html

    Hope this helps!

    Thank you.

    Best Regards,
    Priyesh MP
    Solution Architect | Symantec Knight of the Year, Asia Pacific 2018
    Symantec Certified Specialist (in Blue Coat ProxySG)
    Softcell Technologies Global Pvt. Ltd.


  • 6.  RE: Double SSL Decryption

    Broadcom Employee
    Posted Sep 01, 2020 05:20 PM
    Hello Sym, 

    1. Do I just ask the firewall team to provide me the certificate they are using for decryption and then simply import it on proxy to the Proxy CA and Browser Trusted and then enable SSL interception?

    Answer: Yes.

    2. do I just need to follow the steps mentioned in the below KB to import PAN certificate in pem format into Proxy and that's it?
    https://knowledge.broadcom.com/external/article/166596/importing-a-ca-certificate-into-the-prox.html

    Answer: Yes

    3. To enable SSL Interception on the Proxy please follow the KB that Priyesh has shared: https://knowledge.broadcom.com/external/article/168284/configure-ssl-interception-with-microsof.html 

    I hope this helps.
    Slava



  • 7.  RE: Double SSL Decryption

    Posted Sep 03, 2020 12:00 PM
    Hi Slava. Thanks for your reply. In point (3) we have to create a CSR request on ProxySG, then get it signed by the CA and import it back. However, in my case there is no CSR being created on the proxy; instead we have to import the cert from PAN. Are these steps still applicable in this scenario?

    Thanks in advance.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 8.  RE: Double SSL Decryption

    Broadcom Employee
    Posted Sep 03, 2020 12:51 PM
    Hi Sym, 

    1. Let us back up a bit, as it seems that there is some confusion about why you need to import the PAN cert into the proxy.
    You need to import the certificate that PAN is using for decryption into the Proxy CA and Browser Trusted lists because otherwise the proxy will fail the sessions between the proxy and PAN, due to the fact that PAN's cert is not trusted by the proxy, so you make it trusted. This has nothing to do with you meaning to enable SSL Interception on the proxy; it is done so that things work when there is an upstream device from the proxy performing decryption.

    2. Now for the part where you want to enable SSL Interception on the proxy: you have been provided this KB https://knowledge.broadcom.com/external/article/168284/configure-ssl-interception-with-microsof.html on how to enable SSL Interception on the proxy using a Subordinate Certificate signed by a Microsoft PKI. However, you can instead use a Self Signed CA, or a CA signed by openssl, or you can even use the same CA cert that PAN is using for decryption. What certificate you use for decrypting traffic on the proxy is up to you. The most important thing is that that certificate has to be a Subordinate Certificate.
    But if you choose to use for decryption on the proxy the exact certificate you are using on the PAN, then you will need to import PAN's certificate and the private key (of that certificate) into the Keyrings of the proxy as well (in addition to importing this cert into the Proxy CA and Browser Trusted lists).
    How to import a Certificate for Decryption (see the steps for Proxy B) https://knowledge.broadcom.com/external/article/166133/how-do-i-import-an-ssl-certificate-and-p.html

    I hope this clears out any confusion.
    Slava V



  • 9.  RE: Double SSL Decryption

    Posted Sep 03, 2020 11:38 PM
    Hi,

    Then you need to import the certificate with its key; otherwise it will not import.

    Regards,
    Rashee
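
The checks discussed in posts 8 and 9, as an added example that is not part of the original thread and is not Broadcom or Palo Alto code: before importing, confirm with the `openssl` CLI that the PEM file is a CA certificate, that the private key belongs to it, and that a certificate re-signed by the firewall validates against it. It assumes `openssl` is available on an admin workstation; the file names and all certificates are constructed samples generated by the script itself.

```sh
#!/bin/sh
# Added example: pre-import checks on PEM files, using the openssl CLI.
# File names and every certificate generated below are constructed samples.

# True if the certificate has basicConstraints CA:TRUE (it can sign leaf certs).
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True if private key file $2 belongs to certificate $1 (same public key).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if leaf $2 validates with CA $1 as the only trust anchor, which is the
# check the proxy makes on certificates re-signed by the upstream firewall.
issued_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# A certificate/key pair is usable for interception only if both checks pass.
keyring_ready() {
  is_ca_cert "$1" && key_matches_cert "$1" "$2"
}

# Generate constructed samples in directory $1: a decryption CA (fw-ca) and a
# server certificate (leaf) that it signed.
make_samples() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=constructed-fw-ca' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf_ext]' 'basicConstraints=CA:FALSE' > "$1/o.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/o.cnf" \
    -extensions ca_ext -keyout "$1/fw-ca.key" -out "$1/fw-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" \
    -subj '/CN=site.example' -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/fw-ca.pem" -CAkey "$1/fw-ca.key" \
    -set_serial 1 -days 1 -extfile "$1/o.cnf" -extensions leaf_ext \
    -out "$1/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
keyring_ready "$demo_dir/fw-ca.pem" "$demo_dir/fw-ca.key" &&
  echo "fw-ca: CA certificate with matching key"
keyring_ready "$demo_dir/leaf.pem" "$demo_dir/leaf.key" ||
  echo "leaf: rejected, not a CA certificate"
```

The private key of a decryption CA can sign a certificate for any site that clients trusting it will accept, so a copy exported from the firewall for the proxy keyring needs the same handling as the original.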