topic SSL Decrytpion not working consistently on MAC's in Next-Generation Firewall Discussions

SSL Decrytpion not working consistently on MAC's

ljovellanos — Tue, 22 Nov 2022 16:33:49 GMT

We just installed SSL decryption ( not self signed) across our PANs. It is working fine with Windows workstations at office and at home. However, with MAC machines it is working inconsistently when at home and connected to global protect. Some sites it's picking up the SSL decryption cert while for others it wasn't. I have already tried to upgrade and downgrade the GP but still no luck.

Any recommendation that I should try?

Re: SSL Decrytpion not working consistently on MAC's

aleksandar.astardzhiev — Mon, 28 Nov 2022 10:56:55 GMT

Hi @ljovellanos ,

Can you describe the problem with bit more information?

What is the user experience? Does he receive SSL error messages? Or the page is not decrypted?

Can you provide some screenshots with examples?

What version of PanOS are you using?

Does your GlobalProtect gateway profile for Mac users apply Full tunnel or Split tunnel? Do you have any inclusion/exceptions based on DNS, application or routing?

Re: SSL Decrytpion not working consistently on MAC's

ljovellanos — Mon, 28 Nov 2022 18:41:50 GMT

Thanks for the response @aleksandar.astardzhiev

I noticed that this only happens with Mac's when they are connected to Global Protect. No issues encountered with Windows machines when using GP.

What is the user experience? Does he receive SSL error messages? Or the page is not decrypted?

--> I don't see or receive any SSL error message when visiting sites. Most of the sites the I visited were not showing the SSL decryption certificate that I've created. However, there was one site (virustotal) that is using the certificate that I've created. Please see the attached images.

--> it only happens when the machine is connected to the GLobal protect VPN, but when the machine is at the office and connected to the network via LAN or wireless, SSL decryption is working fine, it is using the SSL decryption certificate.

--> I have already tried downgrading or upgrading the GP version on that Mac but got the same problem.

--> I have tried different browser as well, but no luck.

What version of PanOS are you using?

--> Im currently testing it on PAN version 9.1.13-h1, but I have also tried on 10.1.5-h2 but got the same behaviour.

Global protect version

--> GlobalProtect App Version 6.1.0-58

--> We are using full tunneling when connected to GP.

Do you have any inclusion/exceptions based on DNS, application or routing?

--> none.. it is working fine with Windows machines when connected to GP

Re: SSL Decrytpion not working consistently on MAC's

aleksandar.astardzhiev — Mon, 28 Nov 2022 22:01:28 GMT

Hi @ljovellanos ,

If your GP VPN is configured with Full-tunnel mode and there is not domain or application exclusion I would look for issues with GP agent.

I noticed that you are using Chrome, so I would take a wild guess:

- Your GP users are allowed to internet with different rules (different from internal users)

- One of those rules allow GP user to use QUIC. QUIC is proprietary protocol and cannot be decrypted.

- When users are inside local network they are using different rules, which probably block QUIC and force Chrome to fallback to standard HTTPS, which is being decrypted.

You should be able to easly confirm or deny my assumption by:

- Check your traffic logs when Mac is connected to GP and search for (addr.src in <gp-ip-macos>) and (app eq quic). Does your FW block or allow quic?

- Check your URL logs when Mac is connected to GP. Even without decryption if your Mac is using HTTPS, firewall should be able to inspect the SSL negotiation and create URL log when you try to open facebook or virustotal (or any other site)

I believe I get your point - you believe that GP is not sending all traffic over the tunnel and that is why it is not being decrypted. Although you could never say there is a wild bug that could cause this, it is easier to confirm some other theories before digging for bugs:

- Check host routing table while connected to GP, confirm if default is pointing to VPN tunnel.

- Confirm in the config that there is no exclusion for GP (GP gateway -> Agent -> Setting -> Split tunnel -> Domain and Apps)

- Try to access a test page that you expect to be decrypted while connected to GP. Check your URL logs, do you see log for that URL? With nslookup resolve the FQDN to IP and try searching this IP in your firewall logs. Do you see any connections on the FW? What application has firewall identified?