topic Re: SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly? in Advanced Threat Prevention Discussions

SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly?

ingdrame — Thu, 12 Apr 2018 13:24:38 GMT

Use case : Ours users go through Palo alto for internet access. Decryption feaures has been enabled.
When users try to access to internet may failed because the decryption-error.
We need a solution to automate URL SSL decryption exclusion and log urls excluded for review. Perfectly in a dynamics external list or in a custom url category. Theses dynamics objects will be in a no-decript rule.

How can i achieve it ?

Several mai cause errors : Server-error, client-error mainly aout handshake negotiation.
Existing solution :
- Use a feature in the decyption policies to bypass decryptio for decryption errors. However the decryption exclusion happen if only the server answer with a handshake errors, in the others hand we dont have a great visibility on these url exclusion for decryption.
- Use a log forwarding feaure to automate IP decryption and fill the IPs in a dynamics objects. This is not correct because we want to exclude URL and not IP of the server or the hosts.

Re: SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly?

mivaldi — Thu, 12 Apr 2018 16:02:16 GMT

This is a great suggestion, please contact your Palo Alto Networks SE to have a Feature Request filed.

Re: SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly?

aayoung — Sat, 25 Aug 2018 11:54:32 GMT

So, first of all, I may not be understanding exactly what you're saying is going on, but basically, it sounds like you're getting an error when attempting to access content from https/SSL sites. If that is what is occurring, the cause is because that once you enable decryption, your end devices first attempt to set up an SSL connection with your PA, then your PA sets up an SSL connection with the intended server, or true destination on the internet, allowing for full visibility of the traffic in the path or stream of data. However if your end devices don't have the certificate (verifies the owner of the public key, is who they say they are) created on your firewall, they will not be able to set up the desired SSL connection, and will label any connection as "untrusted" and may even cause sites to be un-reachable altogether. My first question would be, have you used some type of AD push or manual method (depending on the size of your environment) to install your PA SSL Certificate into the trusted certificate stores on your end devices. Also, let me add that for any idevices (iphone, Ipad etc.....) you'll have to create an exception manually, because of the way they've set up their Trusted Certificate Store.