topic Re: SSL Decryption and Application Default in General Topics

SSL Decryption and Application Default

migration — Wed, 12 Oct 2011 18:25:10 GMT

Best practice for building security policy is. For allow traffic always define the service as application-default, that way you only create session for applications on there default port and only perform application ID for those session this reducing the load on the unit from both a session and application id perspective.

This works great, untill you switch on SSL decryption. At these point all your traffic starts failing as the traffic is now not on the default port of the application but more than likely on port 443. So far the only solution to this problem is to change all the services to all, which increases the session count and increases the load on the app id processor.

What is the solution to this problem? I feel this problem can only be resolved by one of two ways.

1. Set all applications default ports to include 443

2. Allow the ability to define application default and additional services in the service column.

Can someone please advise, is there a feature request for this feature, without it I don't see the SSL decryption functionality to be much more than a tick in the box rather than a feasible solution to larger deployments?

Re: SSL Decryption and Application Default

gswcowboy — Mon, 17 Oct 2011 00:32:50 GMT

With ssl-d enabled, apps with default port of 80 running through the ssl tunnel will not match the app-default for service. Web-Browsing on app-default allowed and ssl on app-default allowed, PAN device will not allow web-browsing over ssl that has been decrypted. You'll need to explicitly allow web-browsing on 443.

-Renato

Re: SSL Decryption and Application Default

jleung — Mon, 17 Oct 2011 05:30:11 GMT

Hi,

Now the simplest workaround is to create a policy to allow web-browsing over port 80 and 443.

That should help.

Regards,

Jones