Friday, March 8, 2019

Palo Alto - Q1) default trusted certificate authorities? Q2) SSL decryption broker...

Hi Guys,

Long time lurker here... just wanted to ask a couple of questions.

1) Palo Alto's list of trusted certificate authorities on the firewalls. A client has asked me how often they "update", but from my own googling, if I read the articles correctly, this is only updated manually when you update the OS. I would like this confirmed please. Does anyone actually know if they update automatically? Or is it only what's contained within the OS updates?

2) I'm going to configure the SSL decryption broker on the PA to hand all the SSL-decrypted data off to another system. But can this then be used to control what is allowed to pass through? How would it come back to the PA? The way I'd imagine this working (I've never configured this before) would be that it decrypts the SSL traffic on the PA, hands it off to this other system, then somehow comes back to the PA (or the PA communicates with this system somehow) and decides if it's allowed through or not? I'm just a bit lost. I only got my PCNSE recently and think I'm in over my head, to be honest. I'm the only PA guy in my firm and would really appreciate any help you could offer.

3) The client has said they're using something called Cisco Eye??? which is apparently some kind of IPS system on the network. They would like the traffic passed from the firewall back to this system to do its IPS, then back to the PA as the final gateway.... I don't actually get this one or why they would want to do this, but I'm wondering if it's possible? They said the same with URL filtering... they don't want to use the PA URL filter but instead want to use this Cisco Eye (whatever that is) and Cisco's Umbrella. Does anyone know if this would cause any issues with the PA?

Please feel free to call me an idiot or clueless, because that's how I feel after being in front of this client for half an hour!! I have tried to read up on all this but am starting to get lost in it all and not sure I fully understand it. I have a PCNSE which I obtained recently and have about 2 years of troubleshooting and 1.5 years of implementation experience. Any help would be greatly appreciated!!! Thank you in advance. Am I just a crap engineer!? Or is this actually quite complicated?
