https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47204#M34691 <HTML><HEAD></HEAD><BODY><P>Just an update to the discussion thread.</P><P></P><P>Dropbox is currently using a certificate which is not compatible with the PAN&nbsp; firewall (the PAN firewall conforms highly to the SSL RFCs).&nbsp; As a&nbsp; result, Dropbox SSL traffic cannot be decrypted, and its file operations&nbsp; cannot be detected.&nbsp; Dropbox's certificate is&nbsp; added to the ssl-decrypt exclude-cache list. <BR /> <BR />The following is a KP article listing sites which we are unable to perform SSL decryption on, and Dropbox.com is one of them. <BR /> <BR /><SPAN>&lt;</SPAN><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1423">https://live.paloaltonetworks.com/docs/DOC-1423</A><SPAN>&gt; </SPAN><BR /> <BR />In general, these sites cannot be decrypted because they deviate&nbsp; from SSL encryption standards in one form or another (i.e. use&nbsp; proprietary encryption, require a specific type of certificate, etc). <BR /> <BR />The status of the Dropbox&nbsp; SSL certificate can be verified by looking at the ssl-decrypt&nbsp; exclude-cache file on the firewall using the following CLI command - it is shown as an unsupported cert: <BR /> <BR />admin@PA-200&gt; show system setting ssl-decrypt exclude-cache | match 199.47.216.171 <BR />1&nbsp;&nbsp;&nbsp; 199.47.216.171:443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ssl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 40874&nbsp;&nbsp; CERT_UNSUPPORTED&nbsp;&nbsp;&nbsp; undecided <BR /> <BR />In summary, currently dropbox can be allowed or denied, but cannot selectively allow downloads while blocking uploads.&nbsp; This may change in the future if/when dropbox uses a compatible certificate.</P><P></P><P>Regards,</P><P>Tony</P></BODY></HTML> Wed, 02 May 2012 02:10:02 GMT snowcrash 2012-05-02T02:10:02Z https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47202#M34689 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can some one help as we are new to this.</P><P></P><P>We want to blook and application call Drop box, Our users use this application to pull data from external networks wich we want to allow but we want to block drop box sharing our data off our network. could some one help me do this?</P></BODY></HTML> Fri, 12 Aug 2011 15:16:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47202#M34689 payntonm 2011-08-12T15:16:15Z https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47203#M34690 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We can identify dropbox as an app, and you have two options to control it:</P><P></P><P>1. deny all dropbox traffic by policy</P><P>2. allow dropbox, and use file blocking profile to deny file upload out of all of our supported file types (over 50 types now, including common office doc, common compressed file format such as zip and rar, and also encrypted compressed file format such as encrypted rar and zip) for dropbox.</P><P></P><P>Approch 2 should be more suitable to your scenario. Though 100% what you want to do, but should be very close.</P></BODY></HTML> Sat, 13 Aug 2011 05:37:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47203#M34690 jleung 2011-08-13T05:37:24Z https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47204#M34691 <HTML><HEAD></HEAD><BODY><P>Just an update to the discussion thread.</P><P></P><P>Dropbox is currently using a certificate which is not compatible with the PAN&nbsp; firewall (the PAN firewall conforms highly to the SSL RFCs).&nbsp; As a&nbsp; result, Dropbox SSL traffic cannot be decrypted, and its file operations&nbsp; cannot be detected.&nbsp; Dropbox's certificate is&nbsp; added to the ssl-decrypt exclude-cache list. <BR /> <BR />The following is a KP article listing sites which we are unable to perform SSL decryption on, and Dropbox.com is one of them. <BR /> <BR /><SPAN>&lt;</SPAN><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1423">https://live.paloaltonetworks.com/docs/DOC-1423</A><SPAN>&gt; </SPAN><BR /> <BR />In general, these sites cannot be decrypted because they deviate&nbsp; from SSL encryption standards in one form or another (i.e. use&nbsp; proprietary encryption, require a specific type of certificate, etc). <BR /> <BR />The status of the Dropbox&nbsp; SSL certificate can be verified by looking at the ssl-decrypt&nbsp; exclude-cache file on the firewall using the following CLI command - it is shown as an unsupported cert: <BR /> <BR />admin@PA-200&gt; show system setting ssl-decrypt exclude-cache | match 199.47.216.171 <BR />1&nbsp;&nbsp;&nbsp; 199.47.216.171:443&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ssl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 40874&nbsp;&nbsp; CERT_UNSUPPORTED&nbsp;&nbsp;&nbsp; undecided <BR /> <BR />In summary, currently dropbox can be allowed or denied, but cannot selectively allow downloads while blocking uploads.&nbsp; This may change in the future if/when dropbox uses a compatible certificate.</P><P></P><P>Regards,</P><P>Tony</P></BODY></HTML> Wed, 02 May 2012 02:10:02 GMT https://live.paloaltonetworks.com/t5/general-topics/dealing-with-drop-box/m-p/47204#M34691 snowcrash 2012-05-02T02:10:02Z