Help with AWS/Palo Alto firewalls and SSL Decryption


Hello. One of our customers has an AWS solution with Palo Alto firewalls. Sitting in front of those is a load balancer, and in the trust zone a web server. We have been asked to enable inbound SSL decryption on the Palo Altos following a security issue earlier this year. We have created a web server cert and private key pair, imported them to the Palos and created a decryption profile and rules, but the firewalls will not decrypt due to 'private key not matching public key'. We are wondering if this is due to the cert on the client (essentially the load balancer) being different. Traditionally the client would have the same cert as the server, but in this case the client has an Amazon cert. How do we get around this? What is the best way to set this up: create a cert on the load balancer and use that on the client and web server? Thanks.

  • Hi there. Can you confirm if this is the flow of the packets: Clients->IGW->ALB->FW->Web-Server? If that's the case, the ALB would be doing the TLS termination and sending the public cert to the client. From there, the ALB would create a new HTTP or HTTPS connection towards the Web-server. If it's HTTPS, the ALB just accepts any certificate, as it doesn't check for a CA. So now you're trying to terminate this TLS connection on the Palo Alto firewall? Or you're trying to transparently inspect the incoming packets without terminating the connection? If you can elaborate on the part between the ALB->FW->Web-Server, I can try and help pinpoint the issue.
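An added check, not from the thread above, for the error the question reports and the ALB->FW->Web-Server leg the comment asks about: 'private key not matching public key' means the imported key and certificate do not share a public key, so compare them with openssl before importing, and compare the imported cert's fingerprint with the one the web server behind the ALB actually presents (the firewall needs that server's pair, not the ALB's Amazon cert). File names and the two self-signed pairs are constructed for illustration; the openssl CLI is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example (not the original poster's or Palo Alto's code): sanity checks
# on a server certificate/key pair before importing it for inbound decryption.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo carried in the certificate.
cert_spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same hash derived from the private key; the two values must be identical.
key_spki_hash() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when the private key belongs to the certificate, 1 otherwise.
# A mismatch here is exactly what the firewall refuses with
# 'private key not matching public key'.
key_matches_cert() {
  [ "$(cert_spki_hash "$1")" = "$(key_spki_hash "$2")" ]
}

# SHA-256 fingerprint of a certificate, for comparing the cert you imported
# against the one the web server presents on the ALB->Web-Server leg
# (e.g. saved from `openssl s_client -showcerts -connect <web-server>:443`).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed demo material: two unrelated self-signed pairs, standing in for
# the web server's own cert/key and the load balancer's Amazon-issued cert.
make_demo_material() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=web.example.test" \
    -keyout "$d/web.key" -out "$d/web.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alb.example.test" \
    -keyout "$d/alb.key" -out "$d/alb.crt" 2>/dev/null
}

demo_dir="$(mktemp -d)"
make_demo_material "$demo_dir"
key_matches_cert "$demo_dir/web.crt" "$demo_dir/web.key" && echo "web.crt + web.key: match"
key_matches_cert "$demo_dir/web.crt" "$demo_dir/alb.key" || echo "web.crt + alb.key: MISMATCH"
echo "web.crt fingerprint: $(cert_fingerprint "$demo_dir/web.crt")"
```

Run the pair check on the files you intend to import; if it reports a match, compare the fingerprint with the certificate the web server actually serves, since a pair that matches each other but differs from the server's live cert will not let the firewall decrypt either.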

No Answers
