topic Re: Decryption exception issue - no SNI - SCN: chat.signal.org in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/508214#M200 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/212680">@JarerkZajac</a> ,</P> <P>You can create Decryption rule, matching by destination address and using FQDN object with action set to "no decrypt"</P> Thu, 07 Jul 2022 12:41:39 GMT aleksandar.astardzhiev 2022-07-07T12:41:39Z Decryption exception issue - no SNI - SCN: chat.signal.org https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/505780#M179 <P>Hi,</P><P>how to add following decryption error (ssl-forward-proxy) to exceptions?</P><P>&nbsp;</P><P>- logs-&gt;decryption: dest address: ac88393aca5853df7.awsglobalaccelerator.com (shodan solves this ip /13.248.212.111/ also to service.signal.org; SNI - no value; SCN: chat.signal.org; error: General TLS protocol error</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JarerkZajac_0-1655994017023.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41933i230EFECA928AFD86/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JarerkZajac_0-1655994017023.png" alt="JarerkZajac_0-1655994017023.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JarerkZajac_3-1655994196320.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41936i6EC6DAEF71F9932C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JarerkZajac_3-1655994196320.png" alt="JarerkZajac_3-1655994196320.png" /></span></P><P>&nbsp;</P><P>- logs-&gt;traffic: destination like above; decrypted: no; app: ssl; session end reason: decrypt-cert-validation; action: allow; type: end</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JarerkZajac_1-1655994083091.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41934i0D6E7DDA2A01F714/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JarerkZajac_1-1655994083091.png" alt="JarerkZajac_1-1655994083091.png" /></span></P><P>&nbsp;</P><P>What I have done:</P><P>- device-&gt;cert management-&gt;SSL decrypt exclusion: chat.signal.org and *.signal.org -&gt; exclude from decryption</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JarerkZajac_2-1655994143220.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41935i0027359EC78E08D9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JarerkZajac_2-1655994143220.png" alt="JarerkZajac_2-1655994143220.png" /></span></P><P>&nbsp;</P><P>Other (almost all) exceptions work fine, but only this cert has no value for SNI (Server Name Indication).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JarerkZajac_7-1655994370894.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41940iF3C8BFF298942B68/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JarerkZajac_7-1655994370894.png" alt="JarerkZajac_7-1655994370894.png" /></span></P><P>&nbsp;</P> Thu, 23 Jun 2022 14:26:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/505780#M179 JarerkZajac 2022-06-23T14:26:35Z Re: Decryption exception issue - no SNI - SCN: chat.signal.org https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/508214#M200 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/212680">@JarerkZajac</a> ,</P> <P>You can create Decryption rule, matching by destination address and using FQDN object with action set to "no decrypt"</P> Thu, 07 Jul 2022 12:41:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/508214#M200 aleksandar.astardzhiev 2022-07-07T12:41:39Z Re: Decryption exception issue - no SNI - SCN: chat.signal.org https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/527691#M781 <P>Hi Astardzhiev,</P> <P>thank you for answer and apologise for late reply. I solved this problem by adding FQDN to URL custom category and using it in decryption rule as no decrypt url category.</P> <P>Chat.signal works fine, but lately another: signal messenger started the same -&gt; no SNI, no SCN (subject common name), at the same IP/FQDN address. So I added new decrypt rule and added this address.</P> <P>&nbsp;</P> <P>Thank you again for reply and solution.</P> <P>&nbsp;</P> <P>Best</P> <P>&nbsp;</P> <P>Jarek</P> <P>&nbsp;</P> Thu, 19 Jan 2023 10:16:36 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decryption-exception-issue-no-sni-scn-chat-signal-org/m-p/527691#M781 JarerkZajac 2023-01-19T10:16:36Z