    Adding certs to firewalls

    IT Discussion
    • bbigford
      bbigford last edited by bbigford

      So I stopped supporting an SMB that had a variety of SonicWalls (TZ series), and have only been working with various UTMs in the last few years (ASAs, Fortigate, etc).

      I just recently had to change our wildcard cert over from GoDaddy to Comodo because of expiration and cost (GD is getting pretty spendy comparatively, but that's neither here nor there). That made me start thinking about the replacement I recommended to the SMB. I told him his cert would be expiring around this time, but do those SMB firewalls even take certs? If they don't, do they just pass traffic right on through...? I couldn't remember, as I hadn't set up a firewall like that for an SMB in quite some time.

      • JaredBusch
        JaredBusch last edited by

        The certificates have nothing to do with the firewall.

        That is not how SSL certificates are used.

        The SSL certificate goes on the endpoint being contacted. Nowhere else.

        • JaredBusch
          JaredBusch last edited by

          Certificates also have nothing to do with routers and all the other hardware you mentioned.

          • Dashrender
            Dashrender last edited by

            Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.

            • wirestyle22
              wirestyle22 @Dashrender last edited by wirestyle22

              @Dashrender said in Adding certs to firewalls:

              Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.

              Traffic inspection? What part of the SonicWall made it your recommendation, @BBigford, out of curiosity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid proxy at that site.

              • Dashrender
                Dashrender @wirestyle22 last edited by

                @wirestyle22 said in Adding certs to firewalls:

                Traffic inspection? What part of the SonicWall made it your recommendation, @BBigford, out of curiosity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid proxy at that site.

                and ERX is not a UTM, it's a router.

                • bbigford
                  bbigford @JaredBusch last edited by

                  @JaredBusch said in Adding certs to firewalls:

                  The certificates have nothing to do with the firewall.

                  That is not how SSL certificates are used.

                  The SSL certificate goes on the endpoint being contacted. Nowhere else.

                  With all the UTMs I've managed, the trusted third party cert has to be installed on the firewall... Are you saying no certs would be on the firewall, but only on the internal CA (in any case, the DC)? I guess I don't understand what you mean by the certs have nothing to do with the firewall.

                  • wirestyle22
                    wirestyle22 @Dashrender last edited by

                    @Dashrender said in Adding certs to firewalls:

                    and ERX is not a UTM, it's a router.

                    Right, but UTMs are typically not great. I have a few SonicWalls here.

                    • bbigford
                      bbigford @JaredBusch last edited by

                      @JaredBusch said in Adding certs to firewalls:

                      Certificates also have nothing to do with routers and all the other hardware you mentioned.

                      I'm not talking about putting a cert on a router... Not entirely sure where you got that from my OC. Only talking about the firewall side of things.

                      • bbigford
                        bbigford @wirestyle22 last edited by

                        @wirestyle22 said in Adding certs to firewalls:

                        Traffic inspection? What part of the SonicWall made it your recommendation, @BBigford, out of curiosity? I bought an ERX and the only thing it doesn't do that I needed was content filtering. I just set up a Squid proxy at that site.

                        I didn't recommend them initially. I just replaced them with identical models when they broke and configured accordingly. They worked okay, well enough for what they needed, so I didn't opt to move them in a different direction like Watchguard/etc.

                        • bbigford
                          bbigford @wirestyle22 last edited by

                          @wirestyle22 said in Adding certs to firewalls:

                          Right, but UTMs are typically not great. I have a few SonicWalls here.

                          So did you have to install certs on those firewalls, or no?

                          • wirestyle22
                            wirestyle22 @bbigford last edited by wirestyle22

                            @BBigford said in Adding certs to firewalls:

                            So did you have to install certs on those firewalls, or no?

                            No. I don't use that functionality, though.

                            • JaredBusch
                              JaredBusch @Dashrender last edited by

                              @Dashrender said in Adding certs to firewalls:

                              Certs absolutely can have something to do with UTM firewalls that are doing scanning at the network layer. If you're hosting your own website, then you could install your cert on the firewall, it would open the packets, scan them, then seal them back up and send them to your server.

                              That has nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.

                              • bbigford
                                bbigford @JaredBusch last edited by

                                @JaredBusch said in Adding certs to firewalls:

                                That has nothing to do with a firewall and everything to do with a MITM webserver intercepting the traffic. Perfectly valid reasons to do so if desired. But it has nothing to do with a firewall.

                                http://cookbook.fortinet.com/preventing-certificate-warnings/

                                • coliver
                                  coliver last edited by

                                  Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?

                                  • bbigford
                                    bbigford @wirestyle22 last edited by

                                    @wirestyle22 said in Adding certs to firewalls:

                                    No. I don't use that functionality, though.

                                    I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.

                                    • bbigford
                                      bbigford @coliver last edited by

                                      @coliver said in Adding certs to firewalls:

                                      Are you talking about certificate warnings when accessing the router? Or are you talking about certificate warnings when the firewall is a man-in-the-middle?

                                      Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.

                                      • coliver
                                        coliver @bbigford last edited by

                                        @BBigford said in Adding certs to firewalls:

                                        I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.

                                        Ah, you're talking about SSL filtering. You would need a valid certificate for this, unless you have one that is self-signed that you send out to local machines.

                                        • wirestyle22
                                          wirestyle22 @bbigford last edited by

                                          @BBigford said in Adding certs to firewalls:

                                          I wonder if it is just for deep inspection (which I don't think the SWs have, unless something has changed recently). Cause the traffic is basically intercepted by the firewall, decrypted (if encrypted), and then encrypted/resigned. Since it's been modified, the client wouldn't trust that the content is valid, except that it has a trusted cert from the firewall. I donno.

                                          I'm honestly not sure. Sonicwalls in general are monstrously overpriced for what they offer though. We pay $1000 a year just for content filtering which I could do for free with Squid. I just don't see a benefit to using it. There are so many other better AND more cost effective options out there.

                                          • coliver
                                            coliver @bbigford last edited by

                                            @BBigford said in Adding certs to firewalls:

                                            Guessing that is for MITM, since deep inspection would decrypt/re-encrypt the traffic... I could be wrong though.

                                            That's exactly what MITM does for SSL: it decrypts outgoing/incoming traffic, analyzes the data, and then re-signs it on the way to either party.
