topic Re: SSL-decryption slow in General Topics

SSL-decryption slow

jochristian — Thu, 21 Jul 2011 11:38:40 GMT

Hello,

So I have tested SSL decryption today, and I made it work. But for some reason some of the webpages that are being decrypted are extremely slow. Facebook and even support.paloaltonetworks.com are two of them.

I exported a CA certificate from our AD and imported it into the PA as described in a document I found on the knowledgebase.

Look at the attached file for my configuration.

One more thing that is not working is the "block" page when I try to download the eicar test virus file via https.

I can see in the monitor/threat that the file is being blocked but I do not get the block page. Works if I open the eicar virus file via http.

Any suggestions on what the problem can be?

This is an PA-500 with sw version 4.0.3

Jo Christian

Re: SSL-decryption slow

lardsa — Fri, 22 Jul 2011 08:22:30 GMT

Hi,

I have a similar install than you, but I don't put URL categories filters in decrypt rules (I left it to 'Any') and it works like a charm.

Also are you using some user identification? May be with a captive portal ?

Re: SSL-decryption slow

ERIKS — Fri, 22 Jul 2011 09:01:08 GMT

@lardsa

I also have a similar setup to yourself, but I've found that SSL decryption can be very slow on some website including the PAN support portal. I've had to put a rule in to not decrypt the effected websites and the performace then returns.

Can anyone from PAN explain why these performance issues are happening and what else (other than not to decrypt them) can be done to fix it.

I've used other web scanning products with SSL decryption and I've not experienced these sort of performance issues before.

Re: SSL-decryption slow

jochristian — Fri, 22 Jul 2011 09:15:37 GMT

@lardsa

Yes I have tried setting the categories filter to "Any", but it's still a problem.
How does your setup work against https://facebook.com? Take minutes for my setup to open it up when ssl decrypt is enabled.

Yes we use user identification (but not captive portal).

Jo Christian

Re: SSL-decryption slow

lardsa — Fri, 22 Jul 2011 09:20:27 GMT

Only website that shows slowness for my users with decryption enabled is Google Mail and only with Chrome (IE & Firefox are ok).

I have a support ticket opened for that.

Re: SSL-decryption slow

jochristian — Fri, 22 Jul 2011 11:53:32 GMT

Ok,

So I tested with IE and it things seems to be abit smoother. I always use Chrome.

But what can be the reason for this?

Btw does the block page work for you when trying to open https://secure.eicar.org/eicar_com.zip ?

If antivirus profile is enabled. I see in the log that the file is blocked but I don't get the webpage.

Chrome just hang trying to load the "page/file".

Work as it should if I try to download the file when not using ssl/https.

Jo Christian

Re: SSL-decryption slow

lardsa — Fri, 22 Jul 2011 13:27:22 GMT

Ok I confirm Block page is not appearing while it does on non SSL one.

Re: SSL-decryption slow

lardsa — Wed, 03 Aug 2011 09:23:22 GMT

Did you retry since 4.0.4 was released ? It has some SSL fixes in release notes ...

Re: SSL-decryption slow

BPERE — Fri, 06 Jul 2012 14:35:16 GMT

Any news about this issue?

Block-Page didn't display if trying to access https webpages .

ex.

http://www.facebook.com --> Block page is displaying

https://www.facebook.com --> No block page is displaying

Im using version 4.1.4

Re: SSL-decryption slow

choff123 — Fri, 06 Jul 2012 16:17:10 GMT

I have the no block page on ssl issue as well
4.0.9 - 4020

Re: SSL-decryption slow

mikand — Sat, 07 Jul 2012 14:18:31 GMT

The Common Name says www.facebook.com so it shouldnt be that.

However Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isnt recognized by PA as a visit to Facebook?

Is the blockpage not visible even if you do SSL termiantion (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?

Re: SSL-decryption slow

BPERE — Mon, 09 Jul 2012 08:19:05 GMT

Hi,

I have the same issue with other sites like www.flickr.com. Accessing flickr in http, the block page is displaying and trying to access the same page in https, no block page is displaying. As SSL Termination, I’m using ssl-forward-proxy.

Re: SSL-decryption slow

bnelson — Mon, 09 Jul 2012 12:20:38 GMT

I have experienced the same issue with block pages and https. From the cli run the following commands:

config

set deviceconfig setting ssl-decrypt url-proxy yes

This blocks ssl pages, but shows ip:port and category as any in the traffic log.

Ben

Re: SSL-decryption slow

BPERE — Tue, 10 Jul 2012 08:53:03 GMT

Benjamin,

Blocks ssl pages and display the block page?

Re: SSL-decryption slow

bnelson — Tue, 10 Jul 2012 12:58:58 GMT

@BPERE

Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.

Ben