https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40271#M29551 <HTML><HEAD></HEAD><BODY><P><SPAN>If you go to </SPAN><A class="jive-link-external-small" href="http://www.sap.com">http://www.sap.com</A><SPAN> and click the login in the upper right, that brings up a login dialog box. The exact URL it is going to is: </SPAN><SPAN style="color: #1a1a1a; font-size: 10pt; font-family: 'Segoe UI';"><A class="jive-link-external-small" href="https://www.sap.com/content/sapcom/global/usa/en_us/registration/login.html">https://www.sap.com/content/sapcom/global/usa/en_us/registration/login.html</A></SPAN></P><P></P><P>It is important to note, this works fine when you go to that url directly. Only when clicking on the link on the main page does it not work.</P></BODY></HTML> Mon, 21 Apr 2014 18:42:27 GMT bgranholm 2014-04-21T18:42:27Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40269#M29549 <HTML><HEAD></HEAD><BODY><P>So, I have just implemented SSL Decryption in our environment and we hit a website that appears to not work properly because of it. (It's sap.com, click on the login link in the upper right.) We don't see any errors in the firewall but the login prompt doesn't come up for us.</P><P></P><P>The question is, is there any way for me to whitelist *.sap.com from SSL Decryption? </P></BODY></HTML> Mon, 21 Apr 2014 17:26:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40269#M29549 bgranholm 2014-04-21T17:26:41Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40270#M29550 <HTML><HEAD></HEAD><BODY><P>Hello Bgranholm,</P><P></P><P>I don't see sap.com over https. If it is not using https, the traffic is not encrypted, hence decryption is not necessary to those websites. </P><P></P><P>In case I do not have the correct URL and you see it over https, you can follow this document to exclude just one URL from being decrypted: <A href="https://live.paloaltonetworks.com/docs/DOC-1241">How to Exclude a Single URL from SSL Decryption</A>.</P><P>This can also be done on GUI by importing the certificate of that website on to the firewall under Device&gt;Certificates&gt;Import and mark it for SSL Exclude.</P><P></P><P>Hope that answers your question.</P><P></P><P>Regards,</P><P>Dileep</P></BODY></HTML> Mon, 21 Apr 2014 18:12:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40270#M29550 dreputi 2014-04-21T18:12:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40271#M29551 <HTML><HEAD></HEAD><BODY><P><SPAN>If you go to </SPAN><A class="jive-link-external-small" href="http://www.sap.com">http://www.sap.com</A><SPAN> and click the login in the upper right, that brings up a login dialog box. The exact URL it is going to is: </SPAN><SPAN style="color: #1a1a1a; font-size: 10pt; font-family: 'Segoe UI';"><A class="jive-link-external-small" href="https://www.sap.com/content/sapcom/global/usa/en_us/registration/login.html">https://www.sap.com/content/sapcom/global/usa/en_us/registration/login.html</A></SPAN></P><P></P><P>It is important to note, this works fine when you go to that url directly. Only when clicking on the link on the main page does it not work.</P></BODY></HTML> Mon, 21 Apr 2014 18:42:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40271#M29551 bgranholm 2014-04-21T18:42:27Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40272#M29552 <HTML><HEAD></HEAD><BODY><P>For what it is worth, my Palo Alto Firewall 2050 running 4.1.16 has the same issue that you describe bgranholm.</P><P></P><P>When I click on the login link on sap.com, the link directs me to <SPAN style="color: #222222; font-family: Consolas, 'Lucida Console', monospace; font-size: 12px;"><A class="jive-link-external-small" href="https://accounts.sap.com/saml2/idp/sso/accounts.sap.com">https://accounts.sap.com/saml2/idp/sso/accounts.sap.com</A></SPAN> which is obviously an SAML2 SSO redirect.&nbsp; This never completes.</P><P></P><P>dreputi's method might work depending on where the SSL is failing at.&nbsp; I suppose one could alternatively create a decryption policy rule to exclude decryption of 155.56.59.145, as that is where accounts.sap.com resolves.&nbsp;&nbsp; If this works for you, it would allow you to decrypt other aspects of SAP without decryption the SAML server.&nbsp; I would advise against a FQDN decryption rule and I will mention that this IP will likely change in the future; you will need to keep the decryption rule updated.</P><P></P><P>In either case, you may need to this command from the CLI to make the change effective: <STRONG>debug dataplane reset ssl-decrypt certificate-cache</STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; And then you may need to restart your Internet browser.</P><P></P><P>Edwin</P></BODY></HTML> Mon, 21 Apr 2014 20:49:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40272#M29552 EdwinD 2014-04-21T20:49:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40273#M29553 <HTML><HEAD></HEAD><BODY><P>Here is what we ended up doing based on the recommendations of our SE.</P><P></P><P>We created a custom URL category for whitelisting, Then put a new no-decyrpt SSL policy first which keys on the Custom URL Category.</P><P></P><P>This way, if/when we discover new urls that have issues, we can just add them to the whitelist.</P><P></P><P>Thanks for all your advice/assistance on this!</P></BODY></HTML> Tue, 22 Apr 2014 14:28:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-whitelisting/m-p/40273#M29553 bgranholm 2014-04-22T14:28:40Z