topic Re: URL Filtering Override SSL Certificate in General Topics

URL Filtering Override SSL Certificate

networkadmin — Thu, 29 Apr 2010 17:19:34 GMT

I've been experimenting with the URL override feature. Works fine, however even with the PANs self-signed certs in the PC's trusted root authorities store, I can't seem to get away from getting a "mismatch" warning because when someone goes to www.overridesite.com the SSL cert is only valid for pan.ourdomain.com even if it trusts the CA.

Is this just how it is or is there anything I can do to make it a bit more seamless please?

Thanks in advance.

Re: URL Filtering Override SSL Certificate

nrice — Fri, 30 Apr 2010 00:08:49 GMT

This is expected behavior and there is no way around it. You can't load a wild card cert that would be accepted by other all other sites.

Re: URL Filtering Override SSL Certificate

networkadmin — Fri, 30 Apr 2010 16:14:11 GMT

Thanks for the reply, are there any plans to change the behaviour?

I ask as we educate our users not to click on things if they're not 100% sure what they are etc. and I can imagine this causing a fair bit of confusion.

Could it be put in as a feature request please?

Re: URL Filtering Override SSL Certificate

nftechservices — Tue, 08 Jun 2010 22:17:49 GMT

It seems like you are trying to put Fort Knox around a nickel. The only part worth protecting on that page is potentially the override password. A better solution would be to make SSL optional on the override page, or make it a 2 step process for a user to override.

1. Present an unencrypted block page with a button to override.

2. Present an encrypted password request page if the user wishes to override.

This would prevent the annoyance and confusion caused by a casual block and then you would only have to deal with the certificate mismatch when you truly wish to override the block.

Re: URL Filtering Override SSL Certificate

networkadmin — Wed, 09 Jun 2010 17:02:19 GMT

As far as I'm concerned the override page doesn't have to be SSL at all, that was the default and I didn't spot an option for it to not be SSL - if that's possible I'm interested to know how?

Re: URL Filtering Override SSL Certificate

networkadmin — Sat, 28 Aug 2010 10:48:52 GMT

So, can I use the override page without it using SSL? I don't see anything obvious in the GUI or the manual on how to do so.

Re: URL Filtering Override SSL Certificate

bpappas — Wed, 01 Sep 2010 22:06:19 GMT

There is not currently a way to use the URL Filtering override feature without using SSL.

Re: URL Filtering Override SSL Certificate

nftechservices — Wed, 01 Sep 2010 22:17:21 GMT

Like others said, there is not way to override the SSL used for the override page. I was making a suggestion that Palo Alto Networks make that SSL on the override page optional in a future revision of the PAN OS.

Re: URL Filtering Override SSL Certificate

bpappas — Wed, 01 Sep 2010 22:20:07 GMT

@nftech:

yes. you are correct. Since this feature does not exist it would require a feature request which you can request via your Sales Engineer.

Re: URL Filtering Override SSL Certificate

rahmant — Sat, 11 Sep 2010 09:59:22 GMT

Doesn't the URL Override redirect feature resolve this issue? If you redirect to an interface IP or a DN that maps to an interface IP on the firewall and ensure that you're presenting an internally valid certificate, then the users shouldn't get any certificate errors.

Just got this working in my test environment a couple of days ago mysefl (running 3.1.4). If I remember correctly, generate the cert 1st in the SSL VPN area of the certificates left hand link on the Device tab. Once a cert has been applied, then go to the Setup left hand link of the Device tab and there should be a URL Override area on that page. If you edit that area, you should be able to configure the specifics of the Override feature, including the Override type (redirect/transparent). Set it to redirect, select the newly created certificate that should be present and then enter the DN that maps to proper IP address of the firewall. Commit and you should be good.

Now when the user tries to access a URL that falls within an override set category, their browser should be redirected via HTTPS to the DN, which should be mapped to the firewall. If the cert is trusted, you should be set - no certificate warnings (assuming your cert was signed by a trusted authority).

Tariq

Re: URL Filtering Override SSL Certificate

networkadmin — Sat, 11 Sep 2010 10:40:13 GMT

Thank you so much! Our reseller didn't mention this option.

It doesn't work on the management IP only on the LAN NIC, but it does work and suggests all I need to do is go buy a rapidssl or other cheap cert whose root CA is trusted on all our PC's (I know I could push one out but for $10 it's not worth the hassle).

Perfect!

(the only slight negative is that it seems I can't use the same cert for both URL admin override and for the management interface cert as I obviously can't have forward DNS internally mapping the FQDN to both the management and internal LAN NIC).

Re: URL Filtering Override SSL Certificate

rahmant — Sat, 11 Sep 2010 10:51:12 GMT

You're welcome

Tariq