The WAN & only ladies & gentlemen, the OG of IT! Thank you Keith for being so awesome.
Thank you @fabrice9848!
I'm new to Palo and this series was more than I could hope for. Excellent!
Happy to do it, thanks for the feedback @ulimi2002.
No way! Perfect timing, I got SSL decryption deployment for a customer! Thnx!!
I've learned more from your videos on this topic than anything that I've used in the past. You will always be my go-to for advancing in my career. Thank you!
Wish I had this 3 years ago. Maybe it's from having seen it and figuring out why and how this was done, then stepping into a new company, but this explains it so easily. Love your quick and to the point explanations!
Thank you @joshstickney8695!
Great playlist. Thank you!
I laughed at the comment about the 400 series being 'slow' to commit at about 2-3 minutes. PA-200 & PA-220 entered the chat.
God forbid you have to reboot a 220 for a software upgrade….
You are the best OG of IT!!!!!
Great video! I need to get me a PA440. I've been managing PA820s for the last 4yrs at work for our sites, but I recently got a new job and no Palo Alto lol.
Hi Keith, Thanks for this. I have got decryption up and running on a pilot basis on our network and the first thing we noticed was that it broke RUclips. The videos would freeze or not load the thumbnail etc. Could you do a video on troubleshooting the decryption errors please? Thanks.
Amazing! Great video! Thank you for creating such educational and highly informative content!
Happy to do it, thanks for the feedback @leanderjanlargo5690.
Hey @Keith Barker, Thanks so much for these videos. I just installed one PA-440 and am at the Part 8 of this. I have never set up Certificate services on my 2019 AD server. Do you have a how to video on that so I can complete part 8 of the PA-440 configuration?
Thank you for the question @fourtsr. I don't have one I made, but here are several:
ruclips.net/user/results?search_query=install+certificate+services+on+domain+controller
Happy studies.
@@KeithBarker Thanks Keith. You commented in the beginning of part 8 you had a more in depth video over on CBT Nuggets, can you provide the URL for this? I can't seem to find it.
Hey @Keith Barker, WOW! This series of videos is a godsend to me. Thank you so much for making the complex simple. That really is a gift and you have it in spades. Subscribed to you and also to CBT Nuggets, what a find. Thanks again!
Bravo, Well done sir
Thank you @thouston7!
Thanks so much for these videos. I needed
Happy to do it, thanks for the feedback @RayAlejandroGaviriaAlegria.
But if you set the decryption rule with the port 443 instead in the service https, would the decryption work even for QUIC?
Thank you for the question @kauffmann1983.
For QUIC traffic this can be tricky since QUIC doesn’t rely on the traditional TCP-based SSL/TLS. You can configure the firewall to block QUIC, forcing traffic to fall back to TCP, where SSL/TLS decryption can then be applied.
Hi @Keith Barker, Great explanation...
One question that arises in my mind to implement is: "Can we use wildcard certs / purchased public certs for SSL Forward Proxy so that it will not be required to install the certificate on each client machine?"
Regards
Nadeem
Thank you for the question Muhammad Nadeem.
The clients need to trust the issuing CA for the cert the FW is using with SSL proxy. That could be an internal CA, where the machines have been configured to trust, or a public CA, that the computers already trust.
@@KeithBarker I've tried it on my Android phone, the issue here is that some apps only take their own certificate database to try to see if it's a valid certificate. So just importing it to the Android certificate store wouldn't work for a lot of apps. Buying a public signed just for that seems a bit of an overkill though.
Hey Keith, I’m currently deploying mine but I don't have a CA server. How can I make the FW self-sign its certs without the server?
Thanks Keith,
Happy to do it, thanks for the feedback Rashid Siddiqui | CISSP, CCSP and Related Stories.
Thank you Thank You Keith
Happy to do it, thanks for the feedback @01NetworkSolutions.
Something strange is happening to me: the signatures of the mails in a Gmail suite do not load due to a decrypt error. Can anyone help me? Thanks.
thanks a lot
Happy to do it, thanks for the feedback @omertaskn5413.
Hi Keith,
Great job on the configuration you've shown! Just wondering why, when I put the x forwarder for security policy, the connection is reset. I was wondering why this issue happens when using user-id is okay.
Thanks Keith, great video and explanation :). A quick question: have you integrated Palo Alto with AWS Certificate Manager (ACM)? I tried but there are some limitations; don't know if there is a workaround or something that I missed.