topic SSL Inbound Inspection in General Topics

SSL Inbound Inspection

Shayan — Thu, 13 Feb 2014 08:51:18 GMT

Hi,

I have setup a decryption policy to decrypt inbound SSL traffic for the Exchange web mail server. However, when I check the logs I see only some traffic as decrypted and some arnn't. Refer below screenshots,

Why isn't the policy not decrypting all the traffic?

I'm trying to decommission the Microsoft ISA server used as reverse proxy for Exchnage Web mail. Is it safe to use inbound SSL inspection and NAT the traffic into the internal exchnage sever?

Shayan

Re: SSL Inbound Inspection

pulukas — Fri, 14 Feb 2014 02:33:36 GMT

This seems normal to me. In the same way that not every thing is fully inspected in normal traffic streams but goes through the fast path, ssl decryption is similarly situated. Enough needs to be seen for app-id and threat scans to do their job and the rest is fast path through.

I'm not sure I follow your comment on MS ISA server. The Palo Alto is a firewall, NOT a reverse proxy. In some ways a reverse proxy is better but in other ways the Palo Alto inspections are a big improvement.

If you want to reverse proxy and/or load balance the traffic you would still need another appliance to replace the ISA. This would sit behind the Palo Alto so all the inspection and firewall protection would be in place, but the traffic is buffered by the reverse proxy towards the servers.

Re: SSL Inbound Inspection

kdd — Fri, 14 Feb 2014 13:54:26 GMT

maybe one of the clients used an unsupported SSL chiper suite because they are selected by clients

Re: SSL Inbound Inspection

mbutt — Fri, 14 Feb 2014 17:28:55 GMT

Below document show the support cipher suite.

Which Ciphers are Supported by PAN-OS and Panorama?

Like kdd mentioned it is possible it that they used unsupported cipher suite.

Hope this helps.

Thanks

Numan

Re: SSL Inbound Inspection

Shayan — Sat, 15 Feb 2014 06:01:40 GMT

Hi,

Thanks for the response. It make sense. I'm not specifically looking for reverse proxy solution. If I can achive similar security by SSL inspection that would be suffient.

Re: SSL Inbound Inspection

PanIst — Thu, 21 Jul 2016 19:55:32 GMT

Hi,

I have the same situation with inbound inspection.

same source and destination ip addresses on logs but sometimes ssl(not-decrypted), sometimes web-browsing(decrypted)

what can be the reason for that ?

Regards

Re: SSL Inbound Inspection

BPry — Thu, 21 Jul 2016 20:41:10 GMT

The same thing is still true today; PAN doesn't support the full cipher suite, additonally as long as the PA can get the applicaiton ID and do a threat scan it lets other traffic through on the fast path becuase of processing restrictions. It's also important to note that if you are using a smaller device it's very possible that you are hitting the session limit on your PA, anything over that limit will not be decrypted because the PA can not spare the system resources required to process the request and keep the traffic flowing through the firewall. Without a little more back story and actually looking at the logs on the device it's pretty impossible to say if you are encountering normal behavior or if something with your decryption policy doesn't sit right with your setup.