topic Re: Exclude iTunes/App Store from decryption in General Topics

Exclude iTunes/App Store from decryption

carmp3fan — Sat, 27 Oct 2012 04:21:31 GMT

I am using SSL decryption for all outbound traffic. Prior to the decryption rule I have a rule to attempt to exclude iTunes and App Store traffic from decryption. The rule seems to be working, but the App Store fails with "NSURLErrorDomain error -1012". When I turn off all decryption the App Store works.

My rule is setup for no-decrypt from any source to the following addresses:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

I have URL filtering enabled, but everything is set to alert instead of block (excluding a few select categories like malware, online gambling, spam, phishing, etc). I also have a generic Trust->Untrust Accept security rule.

Anybody have any ideas how to get this to work without excluding the source address from decryption?

Re: Exclude iTunes/App Store from decryption

gswcowboy — Sat, 27 Oct 2012 05:35:48 GMT

based on config info provided, it's working for me. I added a couple of destination addresses though as shown below. Might need a live debug session.

admin@renato(active)> show running decryption-policy

rule1 {

from L3_Trust;

source any;

source-region any;

to L3_Untrust;

destination [ 140.174.24.26 140.174.24.35 17.149.240.70 17.151.228.4 17.151.36.30 17.154.66.18 17.154.66.38 184.27.226.217 184.27.227.205 184.27.235.164 80.12.

98.25 80.12.98.27 80.12.98.51 ];

destination-region any;

user any;

category any;

action no-decrypt;

}

Decrypt {

from L3_Trust;

source any;

source-region any;

to L3_Untrust;

destination any;

destination-region any;

user any;

category any;

action decrypt;

}

admin@renato(active)> show session all filter ssl-decrypt yes source 172.16.20.17

No Active Sessions

admin@renato(active)> show session all filter source 172.16.20.17

--------------------------------------------------------------------------------

ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])

Vsys Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

9658 dns ACTIVE FLOW NS 172.16.20.17[64517]/L3_Trust/17 (public ip [2281])

vsys1 4.2.2.2[53]/L3_Untrust (4.2.2.2[53])

11341 itunes-base ACTIVE FLOW NS 172.16.20.17[49359]/L3_Trust/6 (public ip[5175])

vsys1 69.22.148.208[80]/L3_Untrust (69.22.148.208[80])

11666 dns ACTIVE FLOW NS 172.16.20.17[63454]/L3_Trust/17 (public ip[6765])

vsys1 4.2.2.2[53]/L3_Untrust (4.2.2.2[53])

11652 itunes-base ACTIVE FLOW NS 172.16.20.17[49360]/L3_Trust/6 (public ip[40988])

vsys1 69.22.148.208[80]/L3_Untrust (69.22.148.208[80])

9880 itunes-appstore ACTIVE FLOW NS 172.16.20.17[49356]/L3_Trust/6 (public ip[46814])

vsys1 69.22.148.203[80]/L3_Untrust (69.22.148.203[80])

11835 itunes-base ACTIVE FLOW NS 172.16.20.17[49358]/L3_Trust/6 (public ip[45718])

vsys1 184.27.226.217[443]/L3_Untrust (184.27.226.217[443])

12169 itunes-base ACTIVE FLOW NS 172.16.20.17[49357]/L3_Trust/6 (public ip[7797])

vsys1 184.27.226.217[443]/L3_Untrust (184.27.226.217[443])

Re: Exclude iTunes/App Store from decryption

mikand — Sat, 27 Oct 2012 07:06:16 GMT

Cant you just setup a custom category like iTunes_and_App_store containing:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

and then setup your rules like:

rule1 {

from L3_Trust;

source any;

source-region any;

to L3_Untrust;

destination any;

destination-region any;

user any;

category iTunes_and_App_store;

action no-decrypt;

}

rule2 {

from L3_Trust;

source any;

source-region any;

to L3_Untrust;

destination any;

destination-region any;

user any;

category any;

action decrypt;

}

Re: Exclude iTunes/App Store from decryption

carmp3fan — Tue, 30 Oct 2012 03:16:14 GMT

No success using a custom URL category. Even logically that wouldn't work because the URLs are encrypted and would have to be decrypted it determine the URL. I could be misunderstanding the intricacies of the Palo Alto.

Re: Exclude iTunes/App Store from decryption

carmp3fan — Tue, 30 Oct 2012 03:19:33 GMT

Are you able to update an app with your setup? Even if I can pull up the list of apps to update, I cannot update them.

Apple {

from any;

source any;

source-region any;

to any;

destination [ 17.171.27.65 63.235.20.186 63.235.20.195 63.235.20.163 63.235.20.192 63.235.20.170 63.235.20.177 17.171.36.30 17.135.64.4 184.30.2.217 17.154.66.18 17.154.66.38 184.30.2.217 184.30.2.217 ];

destination-region any;

user any;

category any;

action no-decrypt;

}

"SSL Decryption" {

from Trust;

source any;

source-region any;

to Untrust;

destination any;

destination-region any;

user any;

category any;

action decrypt;

}

Re: Exclude iTunes/App Store from decryption

mikand — Tue, 30 Oct 2012 06:35:55 GMT

So one cant use SSL-decryption for itunes and appstore traffic?

Other than that I think the url-filtering will also take a look at the CN part of the cert being used so even if it cannot decrypt the traffic (like the case of windows update) it can still (sort of) figure out the url being used.

Re: Exclude iTunes/App Store from decryption

carmp3fan — Thu, 08 Nov 2012 01:52:17 GMT

I have yet to figure out how to get this working. What can I provide you that might help figure this out?

Re: Exclude iTunes/App Store from decryption

mikand — Thu, 08 Nov 2012 04:14:18 GMT

A fugly solution might be to setup address objects containing the FQDN's mentioned earlier:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

Tricky part here is how PA handles multiple ip addresses for a particular FQDN but also if the same ip's are handling other domains aswell (which would mean that traffic to/from those wouldnt be decrypted aswell).

When you setup these FQDN's as address objects, meaning create an address object for example named "FQDN_albert.apple.com" which in the field where you normally write the ip you write "albert.apple.com", you can use these as a "dont decrypt" rule.

Then in security rules use the same address objects as dstip along with proper appid (apple-appstore, apple-update, itunes-appstore or which appid's might be identified).

Also combine the above with setting an url filter for *.itunes.com and *.apple.com or preferrely the same list as the FQDN's above (which when decryption is not in action would mean that it at least looks at the CN part of the cert being used).

Or tell your users to updated their apple devices elsewhere 😉

Re: Exclude iTunes/App Store from decryption

essnet — Thu, 08 Nov 2012 14:43:47 GMT

Did you try to exclude *.apple.com ?