https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8937#M6533 <HTML><HEAD></HEAD><BODY><P>Here you go.&nbsp; The rules work fine with no decryption but when it is turned on for some reason it jumps over "Netit".</P><P></P><P><IMG alt="netit.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18946_netit.png" style="height: 19px; width: 620px;" /></P><P></P><P><IMG alt="unauth.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18956_unauth.png" style="height: 10px; width: 620px;" /></P></BODY></HTML> Thu, 02 Apr 2015 13:06:39 GMT ClintL 2015-04-02T13:06:39Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8935#M6531 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>I am testing out SSL decryption on a few categories.&nbsp; For now I am using a system generated certificate and it works in decrypting the categories I have selected.&nbsp; The problem is that once it is decrypted, it doesn't use the proper security policy.&nbsp; We have AD integration and URL filtering set up between certain groups.&nbsp; My user ID has elevated browsing privileges but after the session is decrypted it uses the policy I have set up when the firewall doesn't know who the user is so I am getting blocked.&nbsp; Any idea why it wouldn't use the correct security policy when the log view and blocked page are showing my user ID?</P><P></P><P><IMG __jive_id="18896" alt="ssldecrypt.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/18896_ssldecrypt.png" style="height: 379px; width: 620px;" /></P><P><IMG __jive_id="18877" alt="ssldecryptblocked.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18877_ssldecryptblocked.png" style="height: 122px; width: 620px;" /></P></BODY></HTML> Tue, 31 Mar 2015 18:21:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8935#M6531 ClintL 2015-03-31T18:21:18Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8936#M6532 <HTML><HEAD></HEAD><BODY><P>Hi Clint</P><P></P><P>Can you also include a screenshot of the security policy?</P><P>The security policies are processed top to bottom with the first match (not "best" match) being the rule that is used to pass traffic, so if your top rule does not have a source user restriction this would be normal.</P><P>have you set that rule to use source user "unknown" or "any" ?</P><P></P><P></P><P>regards</P><P>Tom</P></BODY></HTML> Thu, 02 Apr 2015 12:28:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8936#M6532 reaper 2015-04-02T12:28:46Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8937#M6533 <HTML><HEAD></HEAD><BODY><P>Here you go.&nbsp; The rules work fine with no decryption but when it is turned on for some reason it jumps over "Netit".</P><P></P><P><IMG alt="netit.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18946_netit.png" style="height: 19px; width: 620px;" /></P><P></P><P><IMG alt="unauth.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/18956_unauth.png" style="height: 10px; width: 620px;" /></P></BODY></HTML> Thu, 02 Apr 2015 13:06:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8937#M6533 ClintL 2015-04-02T13:06:39Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8938#M6534 <HTML><HEAD></HEAD><BODY><P>My guess is that the app is now "web-browsing" due to decryption, but the port is still 443. You're using application-default as the service for the first rule (and I'm assuming "web-browsing" is included in that filter) so that would only match if web was on 80, but I'm guessing that you have port 443 included in the "service-web" service group on the other rule, and "web-browsing" included in "web-services".</P></BODY></HTML> Thu, 02 Apr 2015 15:27:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8938#M6534 rfrazier 2015-04-02T15:27:11Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8939#M6535 <HTML><HEAD></HEAD><BODY><P>I think you may be correct, sir.&nbsp; I'll give it a try here shortly and let you know.</P><P></P><P>Edit: That was it.&nbsp; Thanks!</P></BODY></HTML> Thu, 02 Apr 2015 15:28:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-using-incorrect-security-policy/m-p/8939#M6535 ClintL 2015-04-02T15:28:49Z