topic Re: Disabling SSL Decryption not working in General Topics

Disabling SSL Decryption not working

JohnSysAd — Mon, 18 Dec 2017 11:28:55 GMT

Hey everybody!

After watching all tutorials and reading all PAN's walkthroughts, I still fail to disable the SSL Inspection (decryption) on all of the outgoing (or any..) traffic.

This is my decryption profile:

*Rest tabs are default.

This is my Decryption Policy:

*My Security Policy is just any,any,allow (nothing special) and my traffic is never blocked - as I expect.

At this point, I expect every https request of any website to be not inspected. Meaning, now if I open up my Chrome and go to (lets say) https://www.wikipedia.org/ and check the Security Overview (F12 -> Security) - I should see the 'real' Certificate of this website. Same result should apply to the alternative of using openssl command for requesting https websites instead of just browing via Browser Software like Chrome. (openssl s_client -connect wikipedia.org:443)

The issue:

While doing both of the described above, I still get the PAN's Certificate (*issued by PAN) where I try not to apply the decryption.

Capture:

using openssl:

I even explicitly excluded www.wikipedia.org and it did not help:

What am I missing? Yhelp 😄

Re: Disabling SSL Decryption not working

reaper — Mon, 18 Dec 2017 11:57:55 GMT

Hi @JohnSysAd

SSL decryption enables a proxy service, you can tell that proxy service to decrypt inbound or outbound, or not decrypt

But since your policy still matches a proxy rule, the session will still be handed off to the proxy: so if you don't want ssl decryption, don't create a decryption policy

If you want to bypass decryption on some url categories (finance may not be allowed by law depending on your sector for example) while stil ldecryption everything else, you can create a no-decrypt policy to not inspect those sessions

hope this helps

Re: Disabling SSL Decryption not working

JohnSysAd — Mon, 18 Dec 2017 12:10:09 GMT

hey reaper and thanks for the reply.

First, your second suggestion (bypassing specific urls) did not work, i've tried it earlier. That was the reason I generally tried to bypass everything in order to troubleshoot the issue..

Second, I disabled all Decryption Policies and still getting decrypted for some reason.

Cap:

and ofcourse I can still see PAN's Certificate using the F12 on browser / openssl requests for connection on all websites.

In addition, I think I didn't quite understand what u were saying with the proxy service tunneling, and even so, I just did what you suggested.

Did I miss anything again? Do you have another idea?

Thanks again.

Re: Disabling SSL Decryption not working

reaper — Mon, 18 Dec 2017 12:17:45 GMT

This may be a silly question, but did you commit your changes and clear all ssl sessions?

Disabling decryption does not immediately stop all decryption as it only applies to new sessions created after the commit went through, but old sessions will keep being decrypted until they end

it's perfectly possible for some sessions to remain that are being decrypted minutes or possibly hours (as tcp sessions could live up to 24 hours) after committing

bypassing some categories will not decrypt them, but they will still be handed off to the proxy as long as they match a rule in the decryption policy so you will still see the certificate, but the proxy service will simply not look inside

also, try closing your browser and opening the page fresh to esure the browser hasn't cached the certificate somehow