topic Re: Can't access dropbox website .PAN does SSL inspection in General Topics

Can't access dropbox website .PAN does SSL inspection

dropboxintegration — Sat, 24 Jun 2017 16:52:39 GMT

Traffic traverse as below

PC(attempting to access dropbox website >Web proxy that does ssl inspection>palo alto firewall that does ssl inspection and forward drop box traffic to>web proxy that does ssl inspection> drop box website.

Symptom: I get dropbox home page but it just hangs at home page and I can't go any further

Dropbox access works when I disable ssl inspection on palo alto firewall..

Can someone please help and advice What changes might be needed on my PAN firewall to get things working

Where exactly on panw I should be looking at and what logging on panw firewall can help me identfy what is going on here?

Note:

1)SSL inspection is a must on my proxy and firewall

2)I am not worried about ssl pinned dropbox thick client but need access to dropbox website

3)Other https website I tested just works fine!!

Re: Can't access dropbox website .PAN does SSL inspection

acc6d0b3610eec313831f7900fdbd235 — Sat, 24 Jun 2017 18:17:26 GMT

Hi @dropboxintegration

Which dropbox App-ID signature are you using in your security rule? Also, which URL Category do you have configured in your SSL inspection rule?

Re: Can't access dropbox website .PAN does SSL inspection

Remo — Sat, 24 Jun 2017 19:55:29 GMT

Hi @dropboxintegration

In addition to @acc6d0b3610eec313831f7900fdbd235's questions, what url categories do you allow? Because dropbox also loads some third party content when you open the website ( https://urlscan.io/result/708a0d7a-6695-4d13-8618-c078dc4d7f94#summary ). It could be if some additional ressources are blocked that the site does nor work properly. (I see a similar behaviour when I connect to dropbox with local adblockers enabled).

Regards,

Remo

PS: Do you really decrypt-encrypt-decrypt-encrypt-decrypt-encrypt (3 times tls decryption) all the encrypted sessions?

Re: Can't access dropbox website .PAN does SSL inspection

dropboxintegration — Sun, 25 Jun 2017 16:24:14 GMT

Thanks @ Willian @1vsys_remo!
Good question
Which dropbox App-ID signature are you using in your security rule?
>I am on proxy side and do not have access to PAN so checking with firewall admins and will post.Is there a specific App-id signature we should be using in PAN for dropbox policy.Looks like PAN OS maintain a list of application in default no-decrypt list and dropbox isn't there in the list.

https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-Decryption/ta-p/62201

Are there any special setup required on PAN when we decrypt dropbox app.
Can dropbox app reliably work when pan decrypt traffic(my proxy can perfectly crack browser based dropbox- exception is ssl pinned dropbox thick client which is expected)

Also, which URL Category do you have configured in your SSL inspection rule?
> not sure .I think there is custom URL category configured on PAN with decryption policy that include the domain *.dropbox.com

@1vsys_remo
Do you really decrypt-encrypt-decrypt-encrypt-decrypt-encrypt (3 times tls decryption) all the encrypted sessions?
No we don't for all encrypted traffic but dropbox has to go through this:)..

Re: Can't access dropbox website .PAN does SSL inspection

acc6d0b3610eec313831f7900fdbd235 — Sun, 25 Jun 2017 17:47:43 GMT

Hi @dropboxintegration

Below is an example of the security policy and decryption policy I have running on my lab.

In terms of the URL filtering, you can use either approach.

1. You can allow or alert on the online-storage-and-backup category; however, if you have tight restrictions on users accessing online storage websites, then the next option is the most viable.

2. You can include the wildcard *.dropbox.com into the "Allow List" in the URL filtering profile. With this configuration, even if the online-storage-and-backup category is blocked, the Allow list is evaluated before the other categories.

3. The third option is the one you mentioned where, you can create a custom URL filtering category, by basicaly doing the same thing as option 2 and specifying the dropbox wildcard domain.

In my example below, I am allowing the entire category, but just because it is a Lab. As for the App-ID I am allowing the entire dropbox App-ID tree. Remember, that firewall has different sub-applications serving different purposes. Dropbox App-ID is the parent application, hence everything else under that will be allowed in this policy.

Security Policy:

In my decryption policy, I am also keeping it simple, and decrypting everything except for Financial and health care.

Decryption Policy

Re: Can't access dropbox website .PAN does SSL inspection

it-thomas — Mon, 26 Jun 2017 17:33:57 GMT

If William's post doesnt work, I would highly recommend using the dev tools in Chome which can let you know what resources arent getting through. We recently opened up Box and there were some backend CDNs that we had to whitelist to get it to work. Sometimes there are some JS files running on a CDN where if they dont load it hangs the page, which might be your issue.

Worst comes to worst, looking at a packet capture on both your local system and on the Palo to see if packets are being sent out of order or if things are getting caught up.

Re: Can't access dropbox website .PAN does SSL inspection

dropboxintegration — Mon, 26 Jun 2017 18:53:49 GMT

Thanks Willian and ithomas@lb.com!!

We narrowed down the issue to specific version of IE 11.0.9600 that seems to be messing up dropbox traffic. This works fine with chrome!
May be the har capture from IE or tcpdump from local system would give us some clue why it’s failing.. Any thoughts?

Re: Can't access dropbox website .PAN does SSL inspection

it-thomas — Tue, 27 Jun 2017 17:57:26 GMT

Moving to Chrome does seem to fix a lot of issues, which would make me think that its an issue with the browser and not your network gear.

With Internet Exploder open, hit F12. In that window bring up the Console tab. From there you can load the dropbox page and it should let you know the errors that are happening on the back end. It is possible that a JS file is getting blocked that is specific to IE, or in the event of it auto forwarding, that the HTTP 302 is getting lost somewhere due to being decrypted multiple times.

One way to test would be to bypass decrpytion on one appliance for that website (or a username if possible), see if it resolves the issue, if not disable decrypt the other appliance, see if that resolves. If neither of those resolve the issue, disable on both devices and see if the issue resolves itself.