Configuring Palo Alto for SSLI and VPN

SSL (today TLS, but the page keeps the common name) is vital to the Internet at large, but it also hides traffic from the controls that protect your network. Malicious actors use encrypted sessions to smuggle malware past firewalls and antivirus scanners that cannot see inside them, a technique sometimes referred to as exploiting “the blind spot”.

Setting up SSL Inspection (also known as SSLI or SSL Decryption) keeps the benefits of SSL for your users while giving the network operator (you) visibility into their traffic. That confers a few key benefits:

  • Your organization’s firewall can apply threat prevention, URL filtering and data controls to encrypted sessions instead of passing them through unexamined
  • Helps you meet compliance obligations that require visibility into traffic on your network
  • Gives administrators accurate network usage information, including the sites and applications behind encrypted sessions

Investing in a PKI improves security across the network. SecureW2’s PKI Services allow the SSL Inspection certificate to be installed on devices while a client certificate is simultaneously enrolled and configured for VPN or web application authentication. This guide shows how to generate and push your SSLI Root CA while enrolling end users for a client certificate.

Tech Overview

  1. Configure SecureW2 for SSLI on Palo Alto
    • Generate a .p12 file (the signing CA certificate and its private key) to upload later to the firewall for SSLI. Save it somewhere safe, since it is only generated once.
    • Set up the onboarding device profile that will be pushed to all devices so they can self-enroll for VPN certificates.
    • Create and download the Root CA for the devices and the Intermediate CA to upload later to Palo Alto for VPN authentication.
  2. Configure Palo Alto for SSL Inspection
    • Import the Intermediate CA .p12 for SSL Decryption to Palo Alto.
    • Set up the necessary decryption policies.
  3. Configure Palo Alto to authenticate VPN clients with the SecureW2 certificates
    • Import the VPN Intermediate and Root CAs to Palo Alto and reference them in a Certificate Profile.
  4. Set up SecureW2 Cloud RADIUS for authentication

 

Configure SecureW2 for SSL Decryption on Palo Alto

Navigate to Device Onboarding on the left hand side of your screen and underneath that section, select Getting Started.

Here you will see our Getting Started Wizard, which will configure everything you need to start your deployment of SSL Inspection. Configure the settings for the wizard as shown in the screenshot below.


After clicking Create, two things will happen.

  1. A .p12 file will be generated
    • Before it is generated, you will be prompted to create a password, which protects the private key inside the .p12 file
    • This .p12 file is what will be uploaded to your SSL Inspection configuration on the firewall
    • This .p12 file is only generated once. Make sure it is saved in a safe place; it holds the private key the firewall will use to sign every decrypted session, so treat it like any other CA key.
  2. A landing page will be generated
    • This landing page can be used to install SSL Inspection certificates on end user devices
    • The landing page automatically detects the operating system of the device and deploys the appropriate client to install the certificate
    • However, we won’t use the landing page generated with this Network Profile. We will only use this profile to create the Root CA we need for SSL Inspection, and import that CA into the Network Profile we create in the next step.

Now we need to download the Root CA that was generated for this Network Profile, so it can be installed at the same time the VPN certificate is configured on the device.

  1. Navigate to the PKI section and select Certificate Authorities
  2. Locate the Root CA that is associated with the Network Profile you just created.
    • It should be named “Name of Network Profile” Root CA
  3. Click Download

While we’re here, we also need to download the Intermediate CA, so we can upload it to the firewall later.

  1. Locate the Intermediate CA that is associated with the Network Profile you just created.
    • It should be named “Name of Network Profile” Intermediate CA
  2. Click Download

 

Configure SecureW2 for VPN

We need to run the Getting Started Wizard one more time, this time to configure a Network Profile that enrolls end users for a certificate that can be used for VPN, web applications, and more.

Navigate to the Getting Started Wizard as you did in the previous section, but this time configure your settings as shown below:


After the Wizard has finished, you will have a second Network Profile. We need to upload the SSL Inspection Root CA to this new Network Profile.

  1. Click Edit on our new Network Profile
  2. Under the Certificates section, click Add/Remove Certificate
  3. Under Private Certificate, click Choose File and select the Root CA we downloaded in the previous section
  4. Click Upload
  5. Now locate the Certificate we just uploaded in the Specify Certificate section, and check Install
  6. Click Update
  7. Our new certificate now appears in our Certificates Section, click Edit on it
  8. Check the boxes Use Certificate for SSL Inspection and Install in Firefox Certificate Store (Firefox keeps its own certificate store separate from the operating system’s, so without this option Firefox users would see a certificate warning on every decrypted site)
  9. Click Update
  10. Scroll to the bottom of our Network Profile edit screen and click Update
  11. Click Re-publish on the Network Profile we’ve just edited to push the recent edits

Lastly, we need to download the Root and Intermediate CAs generated with this Network Profile, so we can upload them to Palo Alto for VPN authentication.

  1. Navigate to the PKI section and select Certificate Authorities
  2. Locate the Root CA that is associated with the Network Profile you just created.
    • It should be named “Name of Network Profile” Root CA
  3. Click Download
  4. Locate the Intermediate CA that is associated with the Network Profile you just created.
    • It should be named “Name of Network Profile” Intermediate CA
  5. Click Download

 

Distribute Certificates to End Users

One of the reasons the SecureW2 solution has been adopted so widely for network authentication is that it offers a platform that can enroll and configure both BYOD and managed devices. The sections below outline the solutions we provide to enroll each set of devices.

BYOD Self-Service Enrollment and Configuration

The most common way we see this done is to email end users the URL of the landing page generated for the VPN Network Profile (the second profile we created, which installs the SSL Inspection Root CA alongside the client certificate). The SecureW2 landing page only takes a few clicks and carries its own instructions for end users, so all the MSP or admin needs to do is send the URL.

To get the URL:

  1. Navigate to Device Onboarding and then Network Profiles
  2. Click View on the Network Profile we just created using the Getting Started Wizard (from the Configure SecureW2 for VPN section); this takes you to the landing page
  3. Take this URL and distribute it to your users.
    • Most customers ask their users to do this at home or wherever they already have network access.
    • You can also create an open SSID that redirects users to the landing page. You can learn more about this in the integration guides on our Wi-Fi Solutions page.

 

Managed Devices Certificate Auto-Enrollment and Configuration

The best way to configure your managed devices for certificate-based network authentication is a combination of:

  1. Using SecureW2’s SCEP/WSTEP Managed Device Gateway APIs so devices automatically enroll themselves for certificates
  2. Pushing the network settings configurations offered natively in your MDM so devices are configured to use the certificates for VPN and to trust the SSLI Root CA

To learn more about this, visit our page on Managed Devices.

 

Configuring Palo Alto for SSL Decryption

Now that everything on the SecureW2 side is configured, we need to configure the Palo Alto firewall to use the SecureW2 certificates for SSL Inspection and VPN authentication.

Import Intermediate CA for SSL Decryption on Palo Alto

  1. Navigate to Device -> Certificate Management -> Certificates.
  2. Click Import, choose the PKCS12 file format, select the .p12 file generated by the SSL Inspection Network Profile (it contains the Intermediate CA certificate and its private key), and enter the password you set when it was generated.
  3. Click OK to import the CA.
  4. Click on the imported CA
  5. Check Forward Trust Certificate and Forward Untrust Certificate. The Forward Untrust Certificate is what the firewall uses to re-sign sessions whose original server certificate failed validation, and Palo Alto’s recommendation is to use a separate self-signed CA generated on the firewall for that role and never distribute it to clients, so that users still get a browser warning for those sites. If you reuse the SecureW2 CA for both roles, an invalid upstream certificate is replaced with one your clients trust and the warning disappears.
  6. Click Commit to commit the changes

 

Creating Policies for SSL Decryption in Palo Alto

  1. Navigate to Policies -> Decryption
  2. Click Add to create a new SSL Decryption Policy
  3. In the General tab provide the Name of the policy
  4. Click the Source tab
    • Specify the source zone/address to which this policy is applied (typically the internal zone and your client subnets).
  5. Click the Destination tab
    • Specify the destination zone/address to which this policy is applied (typically the untrust zone).
  6. Click the Options tab
    • Select Action as Decrypt
    • Select Type as SSL Forward Proxy
      • Optional: create and attach a Decryption Profile. The profile is where you decide what happens to sessions the firewall cannot inspect cleanly, such as expired or untrusted server certificates and unsupported cipher suites.
  7. Click OK to save the changes
  8. Click Commit to commit the changes.

Decryption rules are evaluated top down, so place a rule with Action set to No Decrypt above this one for destinations that must stay opaque: applications that pin their server certificate (which break when decrypted) and URL categories such as financial or health sites where inspection raises privacy concerns.
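The same pair of rules (the No Decrypt exemption first, then the catch-all SSL Forward Proxy decrypt rule) can be created through the PAN-OS XML API instead of the GUI, which is what you want once more than one firewall is involved. The script below is an added example and is not part of the original guide or SecureW2’s own tooling. It assumes the default vsys1, zones named trust and untrust, a Decryption Profile named ssli-profile, the firewall hostname in PAN_HOST and an API key (from the firewall’s keygen endpoint) in PAN_API_KEY; the rule names and the exempted URL categories are placeholders to adjust. Because action=set appends to the rulebase, the exemption is created first so that it lands above the decrypt rule. Without PAN_API_KEY the script only prints what it would send, and the element layout should be checked against show config running on your PAN-OS version before you rely on it.

```shell
#!/bin/sh
# Added example (not from the guide or SecureW2): create PAN-OS decryption
# rules via the XML API. Assumptions: default vsys1, zones "trust"/"untrust",
# PAN_HOST and PAN_API_KEY in the environment. Without PAN_API_KEY this is a
# dry run that prints the xpath/element pairs instead of sending them.
set -eu

VSYS_XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# pan_rule_xpath NAME -> xpath of one decryption rule entry
pan_rule_xpath() {
  printf '%s/rulebase/decryption/rules/entry[@name=%s]' "$VSYS_XPATH" "'$1'"
}

# pan_members "a b" -> <member>a</member><member>b</member>
pan_members() {
  out=""
  for m in $1; do out="$out<member>$m</member>"; done
  printf '%s' "$out"
}

# pan_decrypt_rule_xml FROM_ZONES TO_ZONES ACTION CATEGORIES [PROFILE]
#   ACTION is "decrypt" or "no-decrypt"; CATEGORIES is a space-separated list
#   of URL categories ("any" for a catch-all); PROFILE is an optional
#   Decryption Profile name attached to the rule.
pan_decrypt_rule_xml() {
  from=$1; to=$2; action=$3; cats=$4; profile=${5:-}
  xml="<from>$(pan_members "$from")</from>"
  xml="$xml<to>$(pan_members "$to")</to>"
  xml="$xml<source><member>any</member></source>"
  xml="$xml<destination><member>any</member></destination>"
  xml="$xml<source-user><member>any</member></source-user>"
  xml="$xml<category>$(pan_members "$cats")</category>"
  xml="$xml<service><member>any</member></service>"
  xml="$xml<action>$action</action>"
  xml="$xml<type><ssl-forward-proxy/></type>"
  if [ -n "$profile" ]; then xml="$xml<profile>$profile</profile>"; fi
  printf '%s' "$xml"
}

# pan_api_set XPATH ELEMENT -> one config "set" call (or a dry-run print)
pan_api_set() {
  if [ -z "${PAN_API_KEY:-}" ]; then
    printf 'DRY RUN set %s\n  %s\n' "$1" "$2"
    return 0
  fi
  curl -sk -G "https://${PAN_HOST}/api/" \
    -H "X-PAN-KEY: ${PAN_API_KEY}" \
    --data-urlencode "type=config" --data-urlencode "action=set" \
    --data-urlencode "xpath=$1" --data-urlencode "element=$2"
  echo
}

# Order matters: "set" appends at the bottom of the rulebase, so the
# exemption goes in first and is evaluated before the catch-all rule.
pan_api_set "$(pan_rule_xpath 'no-decrypt-sensitive')" \
  "$(pan_decrypt_rule_xml trust untrust no-decrypt 'financial-services health-and-medicine')"
pan_api_set "$(pan_rule_xpath 'ssli-decrypt-outbound')" \
  "$(pan_decrypt_rule_xml trust untrust decrypt any ssli-profile)"

# Commit the candidate configuration (skipped in dry-run mode).
if [ -n "${PAN_API_KEY:-}" ]; then
  curl -sk -G "https://${PAN_HOST}/api/" -H "X-PAN-KEY: ${PAN_API_KEY}" \
    --data-urlencode "type=commit" --data-urlencode "cmd=<commit></commit>"
  echo
fi
```

Run it once with PAN_API_KEY unset to review the generated XML, then export PAN_HOST and PAN_API_KEY to push and commit. The same functions serve Panorama with a different VSYS_XPATH (device-group pre-rulebase) if you manage the firewalls centrally.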

 

Using Enrolled Certificates for VPN Authentication on Palo Alto

Now we need to configure the firewall to use the SecureW2 certificates for client authentication on a GlobalProtect IPsec VPN.

Prerequisites

  • Tunnel and Physical Interfaces have been configured on the Palo Alto Firewall.
  • Server Certificate for the Palo Alto VPN server has been created and installed on the firewall (issued for the hostname users connect to, by a CA the GlobalProtect clients already trust).

Import VPN Intermediate and Root CAs to Palo Alto

  1. Navigate to Device -> Certificate Management -> Certificates
  2. Click Import
  3. Upload both the Root and Intermediate CAs that we generated and downloaded in the Configure SecureW2 for VPN section.
  4. Navigate to Device -> Certificate Management -> Certificate Profile and click Add
    • Enter the Name of the Certificate Profile
    • Use the Username Field dropdown to select the certificate attribute the username is taken from (the Subject common name, or a Subject Alternative Name such as the email address, depending on how the SecureW2 certificate template populates the certificate)
    • Under CA Certificates
      • Click Add and select both the Root and Intermediate CA certificates you imported
    • Check Use CRL so the firewall downloads the CRL and rejects revoked client certificates; without revocation checking, a certificate you revoke in SecureW2 (for a lost device, for example) keeps working until it expires
  5. Click OK to save the changes
  6. Click Commit to commit the changes
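Before any of this material is uploaded, it is worth checking offline that it is what the firewall expects: that the .p12 from the SSL Inspection section really holds a signing CA whose private key matches its certificate, that the VPN Intermediate CA chains to the VPN Root CA, and that an enrolled client certificate validates through that chain and yields the username the Certificate Profile will extract. The script below is an added example, not part of the guide or SecureW2’s tooling. Because it has to run stand-alone, it first constructs a throwaway test PKI with openssl (a root, an intermediate, a client certificate for a made-up user alice@example.com, a rogue root for the negative case, and a .p12 with the placeholder password demo-only); point the checks at your real files instead.

```shell
#!/bin/sh
# Added example (not from the guide or SecureW2): offline checks on the CA
# material before it is uploaded to the firewall. The PKI below is a
# throwaway hierarchy constructed here with openssl so the script runs
# stand-alone; replace the paths with the real Root CA, Intermediate CA,
# .p12 and an enrolled client certificate from SecureW2.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

W=$(mktemp -d)
P12_PASS=demo-only      # placeholder for the password chosen in the wizard

# --- constructed test PKI: Root -> Intermediate -> client, plus a rogue root
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Rogue Root CA" \
  -keyout "$W/rogue.key" -out "$W/rogue.pem" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$W/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$W/inter.key" -out "$W/inter.csr" 2>/dev/null
openssl x509 -req -in "$W/inter.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
  -CAcreateserial -days 2 -extfile "$W/ca.ext" -out "$W/inter.pem" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=email:alice@example.com\n' >"$W/client.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout "$W/client.key" -out "$W/client.csr" 2>/dev/null
openssl x509 -req -in "$W/client.csr" -CA "$W/inter.pem" -CAkey "$W/inter.key" \
  -CAcreateserial -days 2 -extfile "$W/client.ext" -out "$W/client.pem" 2>/dev/null
# The SSLI .p12 as the wizard produces it: signing CA certificate plus its key.
openssl pkcs12 -export -in "$W/inter.pem" -inkey "$W/inter.key" -certfile "$W/root.pem" \
  -passout "pass:$P12_PASS" -out "$W/ssli.p12"

# chain_ok ROOT INTERMEDIATE [LEAF]: with two arguments, does the Intermediate
# chain to the Root; with three, does a client certificate chain to the Root
# via the Intermediate? This is what the Certificate Profile evaluates for
# every VPN connection.
chain_ok() {
  if [ $# -eq 2 ]; then
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  fi
}

# p12_is_signing_ca P12 PASSWORD: the certificate inside must be a CA allowed
# to sign certificates (the firewall forges server certificates with it) and
# the bundled private key must belong to it. Returns 1 on any mismatch,
# including a wrong password.
p12_is_signing_ca() {
  cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null || true)
  key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null || true)
  printf '%s\n' "$cert" | openssl x509 -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign' || return 1
  cpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null | openssl sha256)
  kpub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ]
}

# vpn_username CERT: the value the Certificate Profile extracts when Username
# Field is set to the Subject Alt Name email, falling back to the Subject CN.
vpn_username() {
  email=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
          | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1)
  if [ -n "$email" ]; then printf '%s' "$email"; return 0; fi
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

chain_ok "$W/root.pem" "$W/inter.pem" && echo "Intermediate CA chains to Root CA: OK"
chain_ok "$W/root.pem" "$W/inter.pem" "$W/client.pem" && echo "client certificate chains to Root CA: OK"
p12_is_signing_ca "$W/ssli.p12" "$P12_PASS" && echo "SSLI .p12 holds a signing CA with matching key: OK"
echo "Certificate Profile username: $(vpn_username "$W/client.pem")"
# A certificate that does not chain to the configured CAs must fail; this is
# exactly what keeps a stranger's certificate off the VPN.
if chain_ok "$W/rogue.pem" "$W/inter.pem" "$W/client.pem"; then
  echo "unexpected: rogue CA accepted"
else
  echo "client certificate rejected under the rogue CA: OK"
fi
```

For the real files, run chain_ok against the downloaded Root and Intermediate CA PEMs and a certificate enrolled through the landing page, and p12_is_signing_ca against the wizard’s .p12 with its password; if vpn_username prints something other than what you expect users to log in as, change the Username Field in the Certificate Profile (or the SecureW2 certificate template) before users start connecting.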

 

Set Up GlobalProtect Gateway for Remote Clients

  1. Navigate to Network->GlobalProtect->Gateways
  2. Click Add to create a new Gateway
  3. Under the General tab, provide the Name and configure the Network Settings
  4. Click the Authentication tab
    • Under SSL/TLS Service select the Firewall Certificate
    • Under Certificate Profile select the Certificate Profile
  5. Click Agent Tab
    1. Check to enable Tunnel Mode
    2. Select the Tunnel Interface
    3. Check to Enable IPSec
  6. Click Ok to save the Gateway Configuration.
  7. Click Commit to commit the changes.

 

Configure GlobalProtect Portal for VPN

  1. Navigate to Network->GlobalProtect->Portals
  2. Click Add to create a new Portal
  3. Under the General tab
    • Provide a Name
    • Configure the Network Settings
  4. Click the Authentication tab
    • (Here we are using the same interface and authentication settings for clients to connect to the Gateway as well as the Portal)
  5. Under SSL/TLS Service select the Firewall Certificate
  6. Under Certificate Profile select the Certificate Profile
  7. Click Agent Tab
    • Click Add 
    • Provide a Name
    • Click User/UserGroup to map users/OS which can access this gateway
      • For this guide, we have used Any to allow access to everyone
    • Click the External Tab and add the GlobalProtect Gateway we previously created
    • Click OK
  8. Save the Portal Settings
  9. Click Commit to commit the changes

 

Configuring RADIUS Server in Palo Alto

To configure the RADIUS in the Palo Alto, perform the following steps:

  1. Log into Palo Alto.
  2. Under the Device tab, navigate to Server Profiles > RADIUS.
  3. Click Add.
  4. Add the IP address, shared secret, and port of the primary and secondary RADIUS server as provided by SecureW2 Cloud RADIUS. Use a long random shared secret: it is the only thing that authenticates the firewall to the RADIUS server.
  5. Click OK.

To use the server profile, reference it from an Authentication Profile (Device > Authentication Profile) and select that profile on the GlobalProtect portal or gateway.

Secure Authentication with Azure MFA

Requiring a second factor in addition to a certificate or password raises the bar for an attacker who has captured one of them. SecureW2 integrates with Azure to provide cloud authentication that is protected by Palo Alto.

In the Azure MFA settings, update the RADIUS authentication settings to use the same ports as the Palo Alto firewall. Enter the Management IP of the Palo Alto Networks firewall as the IP address that will authenticate to the Azure MFA server, since by default the firewall sends RADIUS requests from its management interface.

This solution is flexible because it does not rely solely on certificates: a client that only supports credentials or biometrics can still be protected by MFA.

You can also configure Conditional Access so that a resource is only reachable when the conditions you set are met. Lastly, there is no requirement for a separate RADIUS server. One of RADIUS’s strongest aspects is the log trail created when users authenticate, and the Palo Alto-Azure solution can still generate accounting logs similar to RADIUS to track who authenticated to the network.

Ready to enhance your security? SecureW2 offers affordable options for organizations of all sizes. Check out our pricing page to learn more.