topic Re: Current situation with Dropbox? in General Topics

Current situation with Dropbox?

cryptochrome — Sun, 02 Jun 2013 15:29:27 GMT

Hi,

what is the current "state" with PAN firewalls when it comes to decrypting Dropbox traffic? I found a lot of threads on the forum, some with contradicting information. It was said that Dropbox was put on an internal ssl-exclude list so the firewall wouldn't decrypt it, in a later post it was said it has been removed from the list again. Generally, the information is quite old. In yet another post it was suggested to put *.dropbox.com into the ssl-exclude list manually. Confusing....

I tried decrypting Dropbox but I failed. The Dropbox client reports it is unable to establish a secure connection, so I figure there are still issues? What is the current situation? Can Dropbox be decrypted? If not, what is the proposed way of excluding it (custom URL category with *.dropbox.com? put *.dropbox.com in the ssl-exclude-cert list?)?

Thanks

Re: Current situation with Dropbox?

mikand — Sun, 02 Jun 2013 17:44:05 GMT

There is a command (which I forgot) you can run in the CLI to see the current exclude list.

Regarding dropbox the dropbox client can be decrypted HOWEVER it seems that dropbox is using preloaded certificates (similar to windowsupdate) which gives that it will refuse to work when decrypted on the road (because the cert which is being sent to the client is not the real dropbox cert but the PA cert used for decryption).

The decryption on the other hand works if using a webbrowser to reach your dropbox account.

In order to make the dropbox client to work you must exclude the dropbox cert from being terminated. The downside of this is of course that the files up/downloaded to/from dropbox wont be inspected by the PA antivirus engine (nor the filetype engine etc or logged for that matter).

It would be great if the dropbox client could accept the CA list available for the client (or for that matter manually include the CA as a trusted CA you use for decryption) - what does Dropbox say when you contact them regarding this issue?

Re: Current situation with Dropbox?

VinceM — Mon, 03 Jun 2013 09:37:37 GMT

Hi,

Command need to verify if the cert have been excluded:

show system setting ssl-decrypt exclude-cache

with reason:

App_unsupported

Cert_Unsupported

SSL_Unsupported

Refer to this docs can help 🙂 =>https://live.paloaltonetworks.com/docs/DOC-1423

Re: Current situation with Dropbox?

cryptochrome — Tue, 04 Jun 2013 06:47:33 GMT

Thanks guys. However, my questions remain. If Dropbox client can not be decrypted, what is the proper way of excluding it? See my opening post. It used to be on the internal exclude-list but that doesn't seem to be true anymore. Why was it removed? How do you exclude it properly?

Re: Current situation with Dropbox?

mikand — Tue, 04 Jun 2013 08:42:46 GMT

First of all, is it just the dropbox client you want to bypass or anything that has to do with dropbox?

Because if its the later then you can do this exclude in the GUI where you setup the decrypt rules (dont ssl terminate for *.dropbox.com). Also look in the logs if dropbox is using some other domains today.