https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1243878#M6519 <P>Hello Community,</P><P>We are trying to implement file upload/download blocking for W-Web in our environment using a Palo Alto firewall.</P><P>Current setup:</P><P>SSL Forward Proxy decryption is enabled.</P><P>A decryption certificate has been created on the firewall and installed in the Trusted Root Certification Authorities store on client machines.</P><P>Security policy and File Blocking profile are configured to block file transfers for watsapp Web.</P><P>Issue observed:<BR />Even after installing the firewall decryption certificate on the client machines, Wtsup Web continues to present the official Wtsapp certificate chain when verified from the browser. The firewall certificate is not being applied.</P><P><BR />Questions:</P><P>Does Watsup Web use certificate pinning, which prevents SSL Forward Proxy decryption?</P><P>Is SSL Inbound Inspection or any additional SSL/TLS profile required for Wtsup Web file blocking?</P><P>Is it possible to block file transfers for Wtsup Web without SSL decryption, using App-ID or Content-ID?</P><P>Are there any known Palo Alto limitations or recommended best practices for Wtsup Web file blocking?</P><P>Any guidance or real-world experience on this would be greatly appreciated.</P><P>Thank you in advance for your support.</P><P><BR /><BR /></P> Mon, 15 Dec 2025 06:09:53 GMT Deepa_D 2025-12-15T06:09:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1243878#M6519 <P>Hello Community,</P><P>We are trying to implement file upload/download blocking for W-Web in our environment using a Palo Alto firewall.</P><P>Current setup:</P><P>SSL Forward Proxy decryption is enabled.</P><P>A decryption certificate has been created on the firewall and installed in the Trusted Root Certification Authorities store on client machines.</P><P>Security policy and File Blocking profile are configured to block file transfers for watsapp Web.</P><P>Issue observed:<BR />Even after installing the firewall decryption certificate on the client machines, Wtsup Web continues to present the official Wtsapp certificate chain when verified from the browser. The firewall certificate is not being applied.</P><P><BR />Questions:</P><P>Does Watsup Web use certificate pinning, which prevents SSL Forward Proxy decryption?</P><P>Is SSL Inbound Inspection or any additional SSL/TLS profile required for Wtsup Web file blocking?</P><P>Is it possible to block file transfers for Wtsup Web without SSL decryption, using App-ID or Content-ID?</P><P>Are there any known Palo Alto limitations or recommended best practices for Wtsup Web file blocking?</P><P>Any guidance or real-world experience on this would be greatly appreciated.</P><P>Thank you in advance for your support.</P><P><BR /><BR /></P> Mon, 15 Dec 2025 06:09:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1243878#M6519 Deepa_D 2025-12-15T06:09:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1243972#M6523 <P><SPAN>&nbsp;I have not used a decryption profile or anything similar. I just created a policy that allows Wtsapp-base, Wtsapp-chat, and Wtsapp-voice. Initially, I can see that Wtsapp upload and download are blocked, but if I click ‘try again’, I can upload the file. At first it is denied, but if I try again, the file transfer succeeds. Could&nbsp;someone please provide a solution if you are using this in your organization or have tried it in your lab and succeeded?&nbsp;</SPAN></P> Tue, 16 Dec 2025 08:13:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1243972#M6523 Deepa_D 2025-12-16T08:13:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1244067#M6529 <P>Applications that use proprietary encryption or certificate pinning cannot be decrypted.</P> <P>One example is WhatsApp.</P> <P>You either permit it through or block it.</P> <P>&nbsp;</P> <P>Another example is Dropbox.</P> <P>You can decrypt if Dropbox is being used through web browser but not application as it has pinned certificate.</P> Wed, 17 Dec 2025 14:01:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/web-file-blocking/m-p/1244067#M6529 Raido_Rattameister 2025-12-17T14:01:23Z