topic Re: PA-VM not recognizing SSL and denying traffic in General Topics

PA-VM not recognizing SSL and denying traffic

FarzanaMustafa — Fri, 25 Jan 2019 03:42:54 GMT

Hello,

We are implementing SSL Decryption to PA.

Because of this forcepoint agent (that is installed on theworkstation), the return traffic from the Internet (ie: facebook.com, etc) will be denied by the firewall as the SSL certificate has been changed by forcepoint and it is considered untrusted by the firewall.

Do you have any recommendation for this kind of setup?

Re: PA-VM not recognizing SSL and denying traffic

reaper — Fri, 25 Jan 2019 12:53:46 GMT

Is the forcepoint certificate selfsigned?

you could generate a certificate from the same rootCA as the one you're using for decryption

Re: PA-VM not recognizing SSL and denying traffic

OtakarKlier — Fri, 25 Jan 2019 17:56:24 GMT

Hello,

Also if you are using Applications to identify traffic, you will need to specify the 'Services/Ports' as well.

i.e.

ssl is port 443 and web-browsing is port 80. With ssl decryption enabled, you will now see web-browsing traffic over port 443.

So you now have to adjust some of your policies as follows:

Check the logs and see whay the traffic is getting blocked.

Hope this helps!

Re: PA-VM not recognizing SSL and denying traffic

gwesson — Fri, 25 Jan 2019 19:42:36 GMT

To make it work, just take the CA certificate that your forcepoint system is using to create the certs for users.

Device tab > Certificate Management > Certificates > Import. Select the forcepoint CA's public key. Once that's done, click the cert name in the UI and click the "Trusted Root CA" checkbox. Hit ok, then commit.

The firewall should trust any future connections from that cert.

Re: PA-VM not recognizing SSL and denying traffic

FarzanaMustafa — Tue, 29 Jan 2019 02:47:34 GMT

Hi @gwesson @OtakarKlier @reaper,

Thank you for the responses. We have been talking to Forcepoint regarding this. IF it is possible then the problem solved.

The issue is whether forcepoint will allow for installation of SSL cert. If that’s not possible what solution do we have?

Another solution is to bypass certain URL from using forcepoint. This is possible from Forcepoint perspective as it allows you to bypass certain URL (using domain name and wildcards).

However, this is not ideal solution.

Re: PA-VM not recognizing SSL and denying traffic

OtakarKlier — Tue, 29 Jan 2019 18:16:58 GMT

Hello,

What about not ssl decrypting the forcepoint traffic?

Just a thought.

Re: PA-VM not recognizing SSL and denying traffic

FarzanaMustafa — Tue, 29 Jan 2019 21:31:23 GMT

Hi @OtakarKlier

We implemented SSL decryption to certain URL category. It didn’t work due to the workstation has forcepoint agent.

We tried the same to workstation that has no forcepoint agent and SSL decryption work fine.

If there’s forcepoint agent, forcepoint will intercept the traffic and perform its own encryption and then contact forcepoint cloud service to perform URL Filtering anf malware scanning before passing the traffic to destination.

The return traffic follows the same path.

In summary, firewall could not perform SSL Decryption due to it thought the client didn’t have SSL certificate.

Re: PA-VM not recognizing SSL and denying traffic

FarzanaMustafa — Wed, 30 Jan 2019 02:43:46 GMT

Hi all,

Closing this thread, as TAC has suggested a workaround for the time being...i.e. disable "block session with untrusted issuers " in decryption profile. FW will not deny the traffic even if we don't trust forcepoint CA and forward certificate to client.