topic Re: Inbound SSL Decryption and monitoring in General Topics

Inbound SSL Decryption and monitoring

whitewolfsecurity — Fri, 19 Oct 2012 13:58:50 GMT

Hello,

I'm trying to setup inbound SSL decryption. It is a pretty basic setup. Two layer 3 interfaces on a PA-500. One interface is in an 'Outside' zone, the other is in a 'DMZ' zone. In the DMZ zone is a web server with a signed SSL certificate. The PA is NATing the server in the DMZ to the appropriate address space Outside.

I have imported the web server's SSL certificate and private key (looks ok...the PA decrypted the key and displays the correct expiration date on the Device->Certificates page).

I have an appropriate Decryption policy matching the correct source and destination zones.

Typically: when looking at the log details (or from the CLI: 'show session all filter ssl-decrypt yes') there is nothing being decrypted

However: yesterday, when trouble shooting this with tech support, the log detail page had the 'Decrypted' box checked and the CLI command was showing one encrypted session.

But - in either case, when running very loud and obvious scans, no alert traffic is ever triggered. I can fill the web log up with directory traversal attempts, /etc/passwd, etc. and the attacks never show up in the Threat Log. When the same attacks are launched against the same server on port 80, the Threat log lights up appropriately.

I'm using SSL 3.0 - am I trying to do the impossible? I'm trying to decrypt inbound HTTPS traffic, scan it for attacks and either pass or block it according to policy. So far no luck.

Any help would be appreciated and thank you in advance.

Cheers,

Tim

Re: Inbound SSL Decryption and monitoring

sbrenner — Fri, 19 Oct 2012 14:31:25 GMT

For the CLI issue, have support look at bug #38936.

-Scott

Re: Inbound SSL Decryption and monitoring

jtc242 — Fri, 18 Jan 2013 02:34:52 GMT

Did you get anywhere on this. I am having similar issues.

Re: Inbound SSL Decryption and monitoring

kfindlen — Fri, 18 Jan 2013 04:49:35 GMT

Hi Tim

Could you check to see if the certificate has been placed in the exclude cache? Run the following CLI command:

show system setting ssl-decrypt exclude-cache

If the certificate is there it is likely because the SSL version or cipher suite being used is not supported for decryption. You can try to remove the certificate from the cache with the CLI command:

debug dataplane reset ssl-decrypt exclude-cache

If you test again and the certificate is placed back in the exclude cache then support will likely have to investigate the reason for the decryption failing. In that case you will want to open a case and we can investigate further.

Thanks,

-- Kevin

Re: Inbound SSL Decryption and monitoring

ericgearhart — Fri, 22 Feb 2013 17:49:35 GMT

I am finding that for inbound SSL decryption, it seems that sessions aren't being decrypted if the App-ID 'ssl' is matching. If the App-ID 'web-browsing' happens to match, the session is decrypted.

I dunno if that helps you or not, but it's a pattern I just noticed on my inbound SSL decryption setup that I have.

Re: Inbound SSL Decryption and monitoring

sjamaluddin — Sat, 23 Feb 2013 01:07:37 GMT

You are probably seeing those ssl decrypted sessions that NOW show up as web browsing. If you were to do a show session id <session #>, you'd probably see that the port used was 443 and the application was web browsing, implying that the ssl session was decrypted to expose the application that is web browsing