topic Re: Exclude a Application behind Clientless VPN from decryption in GlobalProtect Discussions

Exclude a Application behind Clientless VPN from decryption

Martin.Shemon — Fri, 01 Sep 2023 13:02:03 GMT

Hi all,

I am currently facing the problem of publishing an internal web application via GlobalProtect Portal and Clientless VPN.

The principle is already used by us and works very well so far.

However, this one particular application has a property that makes SSL decryption impossible. With "normal" SSL decryption, you can either set a no-decrypt policy or a general exclusion from decryption.

However, I cannot find such a possibility for Clientless VPN and the normal exclusions do not work either. Without such an exclusion, however, the internal application cannot be published.

I also debugged, why the ssl inspection is not working, found the reason (Handshake, renegotiation) and found out that it is not possible to get this to work, it depends on the application itself, which i cant change.

What am I missing or what other possibilities exist that I may not know about?

Many greetings
Martin

Re: Exclude a Application behind Clientless VPN from decryption

TomYoung — Fri, 01 Sep 2023 15:28:48 GMT

Hi @Martin.Shemon ,

The NGFW will decrypt clientless VPN because it is designed to do so. The client creates an SSL session to the NGFW, and it creates a new SSL session to the internal server. This happens even if you do not have decryption enabled. It is, essentially, a man-in-the-middle.

You have 2 solutions, in my opinion.

Fix the decryption issue. For example, if you put the IP address in the Hostname field of the General tab and your certificate does not have the IP address in it, you will get decryption errors. Many times the issue will come down to supported and non-supported technologies. Please see the links below.
Use the GlobalProtect client. That traffic will abide by the decryption policy and can be excluded.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

Thanks,

Tom

Re: Exclude a Application behind Clientless VPN from decryption

Martin.Shemon — Fri, 01 Sep 2023 17:51:47 GMT

Hi Tom,

thanks for the Hints !
In this special case it is not possible to fix the decryption error, it depends on the application itself. After some deep debugging if found out that the Client Handshake breaks the SSL Decryption. I also found a PaloAlto article which describes that it is not resolvable.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

This is why i asked for a decryption exclusion.

I understand that it is not possible to exclude this special single host, so i have to find other solutions.
I now try to publish this application via a Global Protect Connection with a split tunnel configuration only for this single app.

If you or somebody has annother idea how to prevent decryption, it would be great, cause this is the prefered way.

Many Thanks and have a great weekend.
Martin