<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: block non decrypt traffic in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541133#M1219</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;There is some traffic that will break if you try to decrypt it, so not decrypting it is the correct path. However, I would set up decryption policies and place your decryption policy at the bottom of the Decryption policies; that way you can create 'do not decrypt' policies above it. However, by creating the decryption policy, all traffic that matches the policy will be decrypted.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
    <pubDate>Thu, 04 May 2023 21:49:03 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2023-05-04T21:49:03Z</dc:date>
    <item>
      <title>block non decrypt traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/540972#M1204</link>
      <description>&lt;P&gt;&lt;SPAN class="HwtZe"&gt;&lt;SPAN class="jCAhz ChMk0b"&gt;&lt;SPAN class="ryNqvb"&gt;Hello, I need to know how to block traffic that is not going through decrypt. &lt;BR /&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 May 2023 19:09:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/540972#M1204</guid>
      <dc:creator>AlessandroSousa</dc:creator>
      <dc:date>2023-05-03T19:09:44Z</dc:date>
    </item>
    <item>
      <title>Re: block non decrypt traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541133#M1219</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;There is some traffic that will break if you try to decrypt it, so not decrypting it is the correct path. However, I would set up decryption policies and place your decryption policy at the bottom of the Decryption policies; that way you can create 'do not decrypt' policies above it. However, by creating the decryption policy, all traffic that matches the policy will be decrypted.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Thu, 04 May 2023 21:49:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541133#M1219</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2023-05-04T21:49:03Z</dc:date>
    </item>
    <item>
      <title>Re: block non decrypt traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541445#M1236</link>
      <description>&lt;P&gt;&lt;SPAN class="HwtZe"&gt;&lt;SPAN class="jCAhz ChMk0b"&gt;&lt;SPAN class="ryNqvb"&gt;I had already done that.&lt;/SPAN&gt;&lt;/SPAN&gt; &lt;SPAN class="jCAhz ChMk0b"&gt;&lt;SPAN class="ryNqvb"&gt;The problem is that the traffic I do NOT want to decrypt is actually an application (google-play), and in the decrypt module/filters (decrypt -&amp;gt; pre -rules) there is no option to insert application in the rule.&lt;/SPAN&gt;&lt;/SPAN&gt; &lt;SPAN class="jCAhz ChMk0b"&gt;&lt;SPAN class="ryNqvb"&gt;This is causing an excessive increase of sessions in my decrypt which in turn is generating high processing in the firewall. In the image I attached, you can see that google-play is going through decrypt and consuming more than 5,000 sessions even though it is blocked in the main table (security rules)&lt;BR /&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 08 May 2023 14:18:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541445#M1236</guid>
      <dc:creator>AlessandroSousa</dc:creator>
      <dc:date>2023-05-08T14:18:56Z</dc:date>
    </item>
    <item>
      <title>Re: block non decrypt traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541461#M1238</link>
      <description>&lt;P&gt;You often cannot determine the application without decrypting the traffic, as the data that would determine the application is within an SSL session. Therefore, application is not a valid filter for determining whether to decrypt or not.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-unlink="true"&gt;According to my PA, the google-play application uses ports tcp/80, 443, 5228, and udp/5228. So option one would be to bypass decryption of traffic to port 5228, though this may not be ideal and may miss a large portion of SSL traffic on port 443. A second option would be to build a URL filter and try to bypass decryption based on that. A bit of Googling indicates that Google Play uses a URL in the format of https://play.google.com/store/xxx, however this may not always be the case as apps/content is frequently mixed across CDNs. So why not try bypassing decryption based on URL and see if that provides enough of a solution.&lt;/P&gt;
&lt;P data-unlink="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-unlink="true"&gt;Create a new URL Category (Objects-&amp;gt;Custom Objects-&amp;gt;URL Category) for filtering items to be bypassed in decryption. Note that since you are not decrypting, you do not know the entire URL, just the FQDN in the SNI. Therefore you can only filter based on the FQDN portion of the URL: Be sure to terminate your entries correctly to prevent unwanted/unexpected expansion:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Name = Do-Not-Decrypt&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Type = URL List&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Sites =&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-60px" data-unlink="true"&gt;play.google.com/&lt;/P&gt;
&lt;P data-unlink="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-unlink="true"&gt;Then create a decryption bypass rule (Policies-&amp;gt;Decryption):&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Name = Do-Not-Decrypt-URL&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Src Zone = Trust&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Dst Zone = Untrust&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;URL Category = Do-Not-Decrypt&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px" data-unlink="true"&gt;Action = No Decrypt&lt;/P&gt;
&lt;P data-unlink="true"&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 08 May 2023 17:06:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-non-decrypt-traffic/m-p/541461#M1238</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2023-05-08T17:06:43Z</dc:date>
    </item>
  </channel>
</rss>