https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444532#M100358 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/197353">@benball</a> ,</P><P>&nbsp;</P><P>This is very common with PAN-OS 8.1 and below.&nbsp; Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing.&nbsp; Web-browsing on tcp/443 does not match any of your rules and therefore is dropped by the interzone-default rule.</P><P>&nbsp;</P><P>Create a new rule to allow web-browsing on service-https, and your configuration will work.&nbsp; This means that you configured decryption correctly!&nbsp; [Edit yet again.]&nbsp; Now that you are decrypting traffic, your NGFW will recognize many more web apps like facebook, google, etc.&nbsp; So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.</P><P>&nbsp;</P><P>PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule.&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/features-introduced-in-pan-os-9-0/app-id-features.html#id1787EF00LF4" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/features-introduced-in-pan-os-9-0/app-id-features.html#id1787EF00LF4</A></P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P><P>&nbsp;</P><P>PS You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.</P><P>&nbsp;</P> Sun, 31 Oct 2021 03:58:31 GMT TomYoung 2021-10-31T03:58:31Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444516#M100357 <P>Hi!</P><P>&nbsp;</P><P>I've recently been trying to setup decryption on my PA-220 in a lab environment and have not been able to get it set up correctly so far. It is licensed, up-to-date, and currently running 8.1</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decryptionpolicy001.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37367i95AA8AAFE37FE45C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="decryptionpolicy001.png" alt="decryptionpolicy001.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decryptionpolicy002.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37366i11A051605FD08094/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="decryptionpolicy002.png" alt="decryptionpolicy002.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decryptionpolicy003.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37369iF835849D3D237DDB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="decryptionpolicy003.png" alt="decryptionpolicy003.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decryptionpolicy004.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37368iA2A3004BFDADD175/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="decryptionpolicy004.png" alt="decryptionpolicy004.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_0-1635639604869.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37370i4CF6505839E13F76/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_0-1635639604869.png" alt="benball_0-1635639604869.png" /></span></P><P>&nbsp;</P><P>The steps that I've taken so far are to setup a decryption policy (the settings of which are included above), generate a self-signed certificate, set that certificate as the <EM>Forward Trust Certificate</EM>, commit and install the certificate onto one of the machine's.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="unknown.png" style="width: 624px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37371i6FE1ABC33EAB16F7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="unknown.png" alt="unknown.png" /></span></P><P>&nbsp;</P><DIV class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_0-1635641186575.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37378i544513E0B7972263/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_0-1635641186575.png" alt="benball_0-1635641186575.png" /></span><P>&nbsp;</P></DIV><P>However, after each attempt, I'm getting the above traffic; I seemingly get an&nbsp;<EM>allow&nbsp;</EM>followed by a <EM>policy-deny</EM> against the interzone-default.</P><P>&nbsp;</P><P>Does anyone have any ideas what I may be doing incorrectly? Any help is greatly appreciated.</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P><P>Additionally, I'm including my general setup below. If any additional information is needed, feel free to ask.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_1-1635639989884.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37372i6B38B351A30B9F04/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_1-1635639989884.png" alt="benball_1-1635639989884.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_2-1635640059943.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37373i7C7777A184861034/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_2-1635640059943.png" alt="benball_2-1635640059943.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_3-1635640087342.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37374iEF67B8A1544C5486/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_3-1635640087342.png" alt="benball_3-1635640087342.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benball_4-1635640149129.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37375i01486A29E5D4A140/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="benball_4-1635640149129.png" alt="benball_4-1635640149129.png" /></span></P><P>&nbsp;</P> Sun, 31 Oct 2021 00:47:09 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444516#M100357 benball 2021-10-31T00:47:09Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444532#M100358 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/197353">@benball</a> ,</P><P>&nbsp;</P><P>This is very common with PAN-OS 8.1 and below.&nbsp; Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing.&nbsp; Web-browsing on tcp/443 does not match any of your rules and therefore is dropped by the interzone-default rule.</P><P>&nbsp;</P><P>Create a new rule to allow web-browsing on service-https, and your configuration will work.&nbsp; This means that you configured decryption correctly!&nbsp; [Edit yet again.]&nbsp; Now that you are decrypting traffic, your NGFW will recognize many more web apps like facebook, google, etc.&nbsp; So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.</P><P>&nbsp;</P><P>PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule.&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/features-introduced-in-pan-os-9-0/app-id-features.html#id1787EF00LF4" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/features-introduced-in-pan-os-9-0/app-id-features.html#id1787EF00LF4</A></P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P><P>&nbsp;</P><P>PS You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.</P><P>&nbsp;</P> Sun, 31 Oct 2021 03:58:31 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444532#M100358 TomYoung 2021-10-31T03:58:31Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444564#M100365 <P>Thank you for the help! That was the problem. I updated to PAN OS 9.0 and everything worked as expected.</P> Sun, 31 Oct 2021 15:11:07 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-ssl-forward-proxy-in-lab-environment/m-p/444564#M100365 benball 2021-10-31T15:11:07Z