https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48876#M35990 <HTML><HEAD></HEAD><BODY><P>I am running PanOS 6.0.3. I have a decryption rule that perfectly works most of the time. However I realized that in some specific situation it silently blocks the traffic. As I am quite new on Palo Alto, I do not know if I am misunderstanding something or if I found a bug.</P><P></P><P>Here follows the exact description:</P><P>1) Global rule decryption all traffic going to internet: working perfectly as shown by cli or in the traffic log</P><P>2) if I try to use the snapchat application on android, the app does not work and failed with a 'connection error'. Removing the decryption rule, make it working</P><P>3) Same issue using dropbox application on an iPad. It should be noted that accessing the dropbox website works with the decryption.</P><P></P><P>Starting from there, I can only imagine that either</P><P>- the version of TLS protocol used is not supported by PANOS 6.0.3, but how to confirm this?</P><P>- there is a bug in the PANOS 6.0.3</P><P>- the certificates shown for the decryption (created by the firewall) are rejected for some reason by the application, but how to confirm this.</P><P></P><P>As a temporary solution, I created a custom URL category with the IP address of the snapchat website (not tested on dropbox). I than use this URL category in a no decrypt rule.This avoid the issue (but remove the benefit of the decryption). It is not perfect as sometimes I need to restart several times the app before the traffic is identified in the correct URL category.</P><P></P><P>Although, this is affecting dropbox and snapchat, I am quite afradi to find more business applications affected by the same issue.</P><P></P><P>Your thoughts will be greatly appreciated.</P><P></P><P>Michel</P></BODY></HTML> Tue, 01 Jul 2014 11:05:41 GMT michel.nolf 2014-07-01T11:05:41Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48876#M35990 <HTML><HEAD></HEAD><BODY><P>I am running PanOS 6.0.3. I have a decryption rule that perfectly works most of the time. However I realized that in some specific situation it silently blocks the traffic. As I am quite new on Palo Alto, I do not know if I am misunderstanding something or if I found a bug.</P><P></P><P>Here follows the exact description:</P><P>1) Global rule decryption all traffic going to internet: working perfectly as shown by cli or in the traffic log</P><P>2) if I try to use the snapchat application on android, the app does not work and failed with a 'connection error'. Removing the decryption rule, make it working</P><P>3) Same issue using dropbox application on an iPad. It should be noted that accessing the dropbox website works with the decryption.</P><P></P><P>Starting from there, I can only imagine that either</P><P>- the version of TLS protocol used is not supported by PANOS 6.0.3, but how to confirm this?</P><P>- there is a bug in the PANOS 6.0.3</P><P>- the certificates shown for the decryption (created by the firewall) are rejected for some reason by the application, but how to confirm this.</P><P></P><P>As a temporary solution, I created a custom URL category with the IP address of the snapchat website (not tested on dropbox). I than use this URL category in a no decrypt rule.This avoid the issue (but remove the benefit of the decryption). It is not perfect as sometimes I need to restart several times the app before the traffic is identified in the correct URL category.</P><P></P><P>Although, this is affecting dropbox and snapchat, I am quite afradi to find more business applications affected by the same issue.</P><P></P><P>Your thoughts will be greatly appreciated.</P><P></P><P>Michel</P></BODY></HTML> Tue, 01 Jul 2014 11:05:41 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48876#M35990 michel.nolf 2014-07-01T11:05:41Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48877#M35991 <HTML><HEAD></HEAD><BODY><P>Hello Michael.</P><P></P><P>Issue can be resolved with decryption profile, however there might be other ways to do it.</P><P></P><P>Its possible to configure decryption profile with various option. one of them is if firewall is not able to decrypt traffic than it can pass it encrypted.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 01 Jul 2014 14:38:00 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48877#M35991 hshah 2014-07-01T14:38:00Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48878#M35992 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As you know many application are not able to be decrypted by the palo (and globally).</P><P>Please refer to <A _jive_internal="true" href="https://live.paloaltonetworks.com/message/27941#27941" title="https://live.paloaltonetworks.com/message/27941#27941">https://live.paloaltonetworks.com/message/27941#27941</A></P><P>Seem this list is not really .... complete</P><P>Hope help</P><P></P><P>V.</P></BODY></HTML> Tue, 01 Jul 2014 17:01:05 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48878#M35992 VinceM 2014-07-01T17:01:05Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48879#M35993 <HTML><HEAD></HEAD><BODY><P>Thanks to both of you.</P><P></P><P>Michel</P></BODY></HTML> Wed, 02 Jul 2014 08:10:12 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48879#M35993 michel.nolf 2014-07-02T08:10:12Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48880#M35994 <HTML><HEAD></HEAD><BODY><P>Hello Michel,</P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">There are some applications that do not play nice when decryption is turned on, on the PA firewall. </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Here is a document with a list of the applications we've already identified that should be excluded from decryption: </SPAN><A href="https://live.paloaltonetworks.com/docs/DOC-1423">List of Applications Excluded from SSL Decryption</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks</P></BODY></HTML> Wed, 02 Jul 2014 09:29:46 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48880#M35994 HULK 2014-07-02T09:29:46Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48881#M35995 <HTML><HEAD></HEAD><BODY><P>Hello Hulk,</P><P></P><P>I did already found that list thanks to the links inside the previous posts. It just makes me a little bit more confused. E;g. ms-update is considered as having issues...I do not have any with that applications. Is it due to the 6.0.3 version? given the fact that 6.0.3 is supporting more recent TLS version. It could be...</P><P></P><P>Michel</P></BODY></HTML> Wed, 02 Jul 2014 09:48:35 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48881#M35995 michel.nolf 2014-07-02T09:48:35Z https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48882#M35996 <HTML><HEAD></HEAD><BODY><P>Hello Michel,</P><P></P><P>A packet capture would give you more insight about the SSL handshake.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 02 Jul 2014 09:57:13 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-rule-blocking-traffic-silently/m-p/48882#M35996 HULK 2014-07-02T09:57:13Z