topic Re: SSL Decryption in General Topics

SSL Decryption

DaniloBarbosa — Mon, 04 Feb 2019 11:17:14 GMT

Hi guys,

Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles and that explain how Decryption policy works and how to set it up. I have checked and double checked my setting and I cannot make facebook.com for instance work when I enable the Decryption.

Here are the rules:Decryption RulesSecurity RulesCan you guys see any mistake on my settings?

Cheers

Danilo

Re: SSL Decryption

kiwi — Mon, 04 Feb 2019 11:40:23 GMT

Hi @DaniloBarbosa,

Am I missing something because I don't see you allowing the facebook app in your policy which is what you're trying to achieve in your example ... correct ? I see you only allowing ssl and web-browsing.

Also your policy order seems incorrect as you have a block all rule in front of your allow ssl and web-browsing rule as far as I see it, preventing you from ever hitting your allow rule.

Cheers !

-Kim.

Re: SSL Decryption

DaniloBarbosa — Mon, 04 Feb 2019 20:24:17 GMT

Hi kiwi,

Basically I was using "User ID" before remove the users from user tab and take a screen shot for this post. So the Rule number 3 was blocking Internet access for a specific user and the rule 4 was allowing access to everyone else inside the windows domain. I did remove the users but I forgot to disable rule 3. Check the new screen shot. 😉

Rule 3 disabled and rule 4 allowing HTTP and HTTPS

Another think that I haven't explained. I am allowing full Internet access, but I want to see the Palo decrypting facebook page. So on the Decryption rule 1 (OUTBOUND) I am olny decrypting "social-networking" that included Facebook.

Decryption Solical-networking

The main goal here is just to see the PALO working as Man-in-the-middle, decrypting traffic between user and facebook page.

Cheers

Re: SSL Decryption

gwesson — Mon, 04 Feb 2019 20:35:09 GMT

You will need to remove the "application-default" on that rule, because once the SSL is stripped and the underlying application is seen, it's still on port 443 which is not in the list of default ports on 'web-browsing'.

The logic may seem odd, but it follows this flow:

1. Traffic is identified as SSL when the Client Hello is seen.

2. Decryption starts here, and when the TLS handshake is completed the app-id switches from "SSL" to "Web-browsing".

3. Because the app has changed, it is re-evaluated in security policy. Since the app is web-browsing, but it's not on port 80 as defined in the app, rule 4 will be skipped.

4. The application has no matching rules, so it falls to the Interzone-default which denies the rest of that session.

Re: SSL Decryption

SShnap — Fri, 08 Feb 2019 19:22:00 GMT

Hi @gwesson @DaniloBarbosa @kiwi

I think they should release an application list update, which add working port 443 for web-browsing application.

I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.

You need to create another policy to allow web-browsing application on 443 port.

Re: SSL Decryption

BPry — Fri, 08 Feb 2019 21:08:01 GMT

@SShnap,

So here's the thing with what you are asking, it breaks the app-id for anyone that isn't decrypting traffic. So say for example the app-id is updated to allow tcp/443 in addition to the standard of tcp/80, for anyone that isn't decrypting traffic seeing web-browsing on tcp/443 would be a concern.

Because of that, the guide for enabling SSL-Decryption specifically calls out the fact that you'll see web-browsing on tcp/443. As you have to actively enable SSL-Decryption, it makes sense to break things for people who are actively enabling a new feature versus breaking things for everybody else.

Re: SSL Decryption

SShnap — Fri, 08 Feb 2019 22:08:24 GMT

@BPry

Thank you for the reply,

So for the users who decrypting the traffic, do we need to create custom application for web-browsing on 443?

Because with the current situation I need to create another policy rule to allow web-browsing on 443.

I think it will be better to create new application like: Secure web-browsing.

Re: SSL Decryption

BPry — Sat, 09 Feb 2019 04:51:46 GMT

@SShnap,

That would be more of a personal preference. If you want to build out a new application signature and create a new app-id for identifying traffic you can certaintly do so; however, with that being said most environments would bypass that and simply allow web-browsing on tcp/443 via a seperate policy.

Re: SSL Decryption

danilo.padula — Mon, 11 Feb 2019 09:06:32 GMT

Hi @gwesson,

I did follow you advice and changes the service from "application-default" to "any" but it did not work.

Here is the Any on service tab for SSL and web-browsing.

SSL with Any on service tab.Then, I enabled the rule 5 (any application) but service TCP/443. Facebook access allowed like picture below. The rule basically says, any application on port 443 (TCP) is allowed.

HTTPS with TCP/443 service only.Another interesting point, the decryption rule is enable and very simple, but the certificate that I am getting is from facebook.com not the self generated by the firewall.

Decryption ruleSSL certificate for decryption rule

The decryption rule is not working because I should see the certificate from the firewall not from facebook. But let's not discuss this issue now, let's go back to the SSL/HTTPS issue.

My goal is create a rule that allow HTTPS (application) on its default port (443) and protocol (TCP) only, any other application on tcp/443 will be blocked or if https on any port that is not 443 will be blocked.

I don't want a generic rule allowing TCP on port 443, that would match any application.

Cheers

Danilo

Re: SSL Decryption

danilo.padula — Mon, 11 Feb 2019 09:07:57 GMT

Hi @SShnap

I will try that. Maybe you gave me the answer and I didn't noticed...lol

Re: SSL Decryption

danilo.padula — Mon, 11 Feb 2019 09:20:16 GMT

@SShnap

Not yet SShnap, I cannot see what I am missing.

Have you created an rule with application web-browsing and service-https that worked?

web-browsing with service-https

Re: SSL Decryption

SShnap — Mon, 11 Feb 2019 16:15:51 GMT

Hi @danilo.padula

Please check the logs if the traffic is being decrypted,

Pay attention, for Facebook site palo alto identify the application as facebook-base that's why it being blocked, for Facebook site you should add facebook-base for allowing it.

See my attachment, regular sites that palo alto identifies applicaiton as web-browsing will be match to that policy rule, if the site uses other application you need to allow that specific application.

Re: SSL Decryption

gwesson — Mon, 11 Feb 2019 19:42:59 GMT

It's still being blocked because you're only allowing 'web-browsing' and 'ssl'. Facebook has a large number of unique app-id definitions depending on what you're doing. From Applipedia:

Start with a rule allowing all apps for yourself, then use the traffic log to see the list of apps seen by the firewall when you hit that rule. Then, you can create a more complete rule to allow only what you want.

Re: SSL Decryption

DaniloBarbosa — Tue, 12 Feb 2019 00:12:26 GMT

Hi @SShnap

I cannot chekc the logs because it is a VM without license. I am testing the solution before invest some money on it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC

Cheers

Re: SSL Decryption

DaniloBarbosa — Tue, 12 Feb 2019 00:13:52 GMT

Hi @gwesson

I thought the main facebook page would pass on the web-browsing rule (without login into facebook), then if I log in all the extra "Apps" would need another rule.

I will give a try.

Re: SSL Decryption

gwesson — Tue, 12 Feb 2019 20:06:18 GMT

@SShnap wrote:

> I think they should release an application list update, which add working port 443 for web-browsing application.

> I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.

> You need to create another policy to allow web-browsing application on 443 port.

I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/app-default-strict.html

Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update.

Re: SSL Decryption

DaniloBarbosa — Tue, 12 Feb 2019 21:28:46 GMT

@gwesson Do not hold your fingers. 🙂

Great news! Tks

Re: SSL Decryption

SShnap — Tue, 12 Feb 2019 21:45:56 GMT

@gwesson

PANOS 9.0 will be great with this and policy optimization.

thank you.

Re: SSL Decryption

aleksandar.astardzhiev — Wed, 13 Feb 2019 08:34:11 GMT

@DaniloBarbosa,

The web-browsing application is like last resort application. web-browsing will be used only if the firewall fail to match any other application, while the traffic contain HTTP protocol. See below:

Palo Alto firewall will match facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall will may fail to match the more specfic facebook apps, but it still will know that it is facebook related.

Same goes for google, dropbox, twitter and many more well known services that Palo Alto has create application for it.