https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27149#M19815 <HTML><HEAD></HEAD><BODY><P>Didnt some appid's look in the CN part of the certs being used (or was it the url-filtering that did this?) so the PA could somewhat inspect ssl traffic even if there is no ssl termination (decryption) setup?</P></BODY></HTML> Mon, 01 Oct 2012 19:45:20 GMT mikand 2012-10-01T19:45:20Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27143#M19809 <HTML><HEAD></HEAD><BODY><P>Does the PAN still inspect secured traffic for all threats if it's not decrypting it?</P></BODY></HTML> Thu, 07 Jun 2012 19:49:53 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27143#M19809 jorge 2012-06-07T19:49:53Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27144#M19810 <HTML><HEAD></HEAD><BODY><P>You mean if a particular threat item isnt evaluated because the traffic happens to be ssl or ssh or similar?</P><P></P><P>I guess this would be true in order to lower number of false positivies.</P><P></P><P>On the other hand there are many threats where it doesnt matter if the payload is encrypted or not.</P></BODY></HTML> Thu, 07 Jun 2012 20:35:22 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27144#M19810 mikand 2012-06-07T20:35:22Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27145#M19811 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> If you can't decrypt, you can't do anvivirus and such , traffic will be seen as SSL application, so there not much to do ....</P></BODY></HTML> Tue, 12 Jun 2012 13:03:02 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27145#M19811 essnet 2012-06-12T13:03:02Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27146#M19812 <HTML><HEAD></HEAD><BODY><P>However the IPS will still function but of course not be able to inspect the content of the payload but be able to inspect the payload itself (for example if you have an IPS rule that says generate alert if SSLv1 handshake is seen or such).</P></BODY></HTML> Wed, 13 Jun 2012 06:29:17 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27146#M19812 mikand 2012-06-13T06:29:17Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27147#M19813 <HTML><HEAD></HEAD><BODY><P>Hi guys.</P><P></P><P>thank you guys for the information. I'm now working on the ssl decryption.</P><P></P><P>:smileygrin:</P></BODY></HTML> Mon, 01 Oct 2012 05:23:37 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27147#M19813 HartkentlyNua 2012-10-01T05:23:37Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27148#M19814 <HTML><HEAD></HEAD><BODY><P class="sfdc_richtext" id="j_id0:j_id6:j_id7:j_id239:j_id241:1:j_id242:j_id243j_id0:j_id6:j_id7:j_id239:j_id241:1:j_id242:j_id243_00N70000002b7LP_div" style="color: #000000; font-family: Arial, Helvetica, sans-serif;">Hello,</P><P class="sfdc_richtext" style="color: #000000; font-family: Arial, Helvetica, sans-serif;"></P><P class="sfdc_richtext" style="color: #000000; font-family: Arial, Helvetica, sans-serif;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif;">Just to add, say for example To block facebook by application in a rule , SSL decryption needs to be configured on the PAN, so that the PAN can proxy the outbound SSL sessions and get visibility into the traffic enabling it to identify the application correctly as 'facebook' and enforce app-ID based rules.</SPAN></P><P></P><P>Hence, without SSL decryption the app-id in traffic logs will appear as 'ssl' for the facebook session. Once SSL decryption is configured, the app-id in monitor logs should show as 'facebook'.</P><P></P><P>A technote on how to configure SSL decryption can be found at :<BR /><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1412" style="color: #015ba7;" target="_blank">https://live.paloaltonetworks.com/docs/DOC-1412</A></P><P></P><P>Let me know if that helps.</P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Mon, 01 Oct 2012 06:45:05 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27148#M19814 ppatel 2012-10-01T06:45:05Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27149#M19815 <HTML><HEAD></HEAD><BODY><P>Didnt some appid's look in the CN part of the certs being used (or was it the url-filtering that did this?) so the PA could somewhat inspect ssl traffic even if there is no ssl termination (decryption) setup?</P></BODY></HTML> Mon, 01 Oct 2012 19:45:20 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27149#M19815 mikand 2012-10-01T19:45:20Z https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27150#M19816 <HTML><HEAD></HEAD><BODY><P>I think it varies by app-id signature. I've created a custom app-id that looks at the cn part of the cert.&nbsp; If a match is present, then the application is called "my custom app" instead of SSL.&nbsp; At that point, I can create a security rule that blocks "my custom app" while still permitting SSL.&nbsp; </P></BODY></HTML> Mon, 01 Oct 2012 20:27:02 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption/m-p/27150#M19816 jvalentine 2012-10-01T20:27:02Z