https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/176574#M55203 <P>This seems like an awesome solution. Any insight into whether it will work for PAN OS 7.1?</P> Thu, 14 Sep 2017 16:18:58 GMT jdrugan 2017-09-14T16:18:58Z https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/170692#M54079 <P>Hello,</P><P>&nbsp;</P><P>I wanted to share a solution I have implemented recntly.</P><P>&nbsp;</P><P>Bypassing SSL Decryption based on applications was a request I had from many customers.</P><P>I know there is an FR for that. but until then, with PAN-OS 8, it is possible to achieve differently.</P><P>&nbsp;</P><P>I had a specific scenario where one of my customers had to connect to his customer's Pulse Secure SSL VPN device (collaboration feature).&nbsp;</P><P>When using SSL Decryption on his PAN NGFW, the connection was failing and he had to manualy add the IP address of his customer to a bypass rule.</P><P>when you have hundreds of customers using that solution, and you need to add their IP address manualy, it is becoming problematic.</P><P>&nbsp;</P><P>&nbsp;</P><P>The idea is, dynamically adding the destination address to an SSL Bypass rule.</P><P>&nbsp;</P><P>Here is how it goes...</P><P>&nbsp;</P><P>Create a tag - Objects --&gt; Tags:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tag.png" style="width: 406px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10711iFACF40686249C7DE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="tag.png" alt="tag.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Create a Dynamic Address Group - Objects --&gt; Address Groups</P><P>Add the previously created tag's name as a match</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dynamic address group.png" style="width: 465px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10713i30A918A6404F6342/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="dynamic address group.png" alt="dynamic address group.png" /></span></P><P>Create a decryption rule with the new Address Group object as a destination with a 'no-decrypt' action. (pay attention to rules order)<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bypass rule.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10712iE3F3A0D81643CCC2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="bypass rule.png" alt="bypass rule.png" /></span></P><P>Create a Log Forwarding profile with a filter that will catch a specific application ('secure-access' for my scenario). Use Traffic as the log type<SPAN>.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="log forwarding.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10715i759FEE96F48D9777/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="log forwarding.png" alt="log forwarding.png" /></span></P><P>&nbsp;</P><P>Add a Built-in Action to tag the destination address</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="built-in action.png" style="width: 480px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10714i98DBE90A037C24F2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="built-in action.png" alt="built-in action.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Add the Log forwarding profile to the security rule that permitted the desired application originally.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="security rule.png" style="width: 699px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10717iED043CD82C8A3EF6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="security rule.png" alt="security rule.png" /></span></P><P>&nbsp;</P><P>Commit</P><P>Access the desired website (application), and verify the address has successfully been dynamically registered to the dynamic address group (click 'more'), and successfully SSL Bypassed.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Verify dyn address grp.png" style="width: 404px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10716i5AC4D7F153AF0B74/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Verify dyn address grp.png" alt="Verify dyn address grp.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Please share your thoughts..</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 Aug 2017 09:59:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/170692#M54079 Ozamir 2017-08-09T09:59:17Z https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/170724#M54087 <P>Another really nice and creative way of using the awesome Log Forwarding Profile feature in PAN-OS 8!</P> Wed, 09 Aug 2017 10:41:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/170724#M54087 Remo 2017-08-09T10:41:30Z https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/176574#M55203 <P>This seems like an awesome solution. Any insight into whether it will work for PAN OS 7.1?</P> Thu, 14 Sep 2017 16:18:58 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-ssl-bypass-based-on-application/m-p/176574#M55203 jdrugan 2017-09-14T16:18:58Z