https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253079#M71909 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19043iE449F75C706A4303/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic.JPG" alt="traffic.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;,</P><P>&nbsp;</P><P>It says decrypted. The problem is that users need to use SoftEther VPN to access certain website. But using this VPN client can bypass all our security rule in place. May be we can find another way to access the website without using VPN.&nbsp;</P><P>&nbsp;</P><P>Thank you very much&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P> Mon, 11 Mar 2019 10:29:07 GMT nredaj 2019-03-11T10:29:07Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253057#M71902 <P><SPAN>Some users started to use SoftEther VPN client on our company which allows them to bypass URL Filtering policy. How can we allow them to use VPN client but still allow or block access to certain websites. We already implemented SSL decryption rule but it is not working when they are using SoftEther VPN.&nbsp;</SPAN></P> Mon, 11 Mar 2019 06:02:59 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253057#M71902 nredaj 2019-03-11T06:02:59Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253067#M71905 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108474">@nredaj</a> ,</P> <P>&nbsp;</P> <P>Is decryption working ?</P> <P>How is the traffic identified by the firewall ?</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 11 Mar 2019 09:08:39 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253067#M71905 kiwi 2019-03-11T09:08:39Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253076#M71907 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;,</P><P>&nbsp;</P><P>Decyption is working. Based on monitoring logs, when using VPN client, all traffic are identied as:</P><P>&nbsp;</P><P>Application: SSL</P><P>IP Protocol: TCP</P><P>Port: 443</P><P>Category: computer-and-internet-info</P> Mon, 11 Mar 2019 09:56:30 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253076#M71907 nredaj 2019-03-11T09:56:30Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253077#M71908 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108474">@nredaj</a> ,</P> <P>&nbsp;</P> <P>How is decryption working ?</P> <P>If the application is identified as SSL then decryption isn't working.</P> <P>&nbsp;</P> <P>Note that on some scenarios decryption is impossible ... <SPAN><SPAN style="text-align: justify;">for example when unsupported protocols or ciphers are used or with</SPAN></SPAN><SPAN><SPAN style="text-align: justify;"> certificate pinning for example.</SPAN></SPAN></P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 11 Mar 2019 10:11:49 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253077#M71908 kiwi 2019-03-11T10:11:49Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253079#M71909 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19043iE449F75C706A4303/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic.JPG" alt="traffic.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;,</P><P>&nbsp;</P><P>It says decrypted. The problem is that users need to use SoftEther VPN to access certain website. But using this VPN client can bypass all our security rule in place. May be we can find another way to access the website without using VPN.&nbsp;</P><P>&nbsp;</P><P>Thank you very much&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P> Mon, 11 Mar 2019 10:29:07 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253079#M71909 nredaj 2019-03-11T10:29:07Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253085#M71910 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108474">@nredaj</a> ,</P> <P>&nbsp;</P> <P>You might be hitting this which could explain why a decrypted session is still showing up as SSL :</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle8CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle8CAC</A></P> <P>&nbsp;</P> <P>Have you checked with support already ?</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi,</P> <P>&nbsp;</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 11 Mar 2019 10:49:47 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253085#M71910 kiwi 2019-03-11T10:49:47Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253114#M71921 <P>Hmm, I think the ssl decryption here will not be as helpful as usual.&nbsp;&nbsp; you will only decrypt the outer wrapper (the actual tunnel)&nbsp;any ssl packets running through the&nbsp;tunnel will not be decrypted as negotiation for these will have taken place end to end via the tunnel, not the palo.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Mar 2019 16:16:59 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253114#M71921 Mick_Ball 2019-03-11T16:16:59Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253118#M71924 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108474">@nredaj</a>,</P><P>I would agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;in this case. Decrypting this traffic isn't going to give you much information and won't allow you to actually perform URL FIltering; this is actually the exact reason VPNs are recommended on untrusted networks, the network operator can't decrypt enough of the traffic to actually see anything useful.&nbsp;</P> Mon, 11 Mar 2019 18:23:29 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253118#M71924 BPry 2019-03-11T18:23:29Z https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253268#M71938 <P>I understand that this could be out of Palo Alto's FW scope.&nbsp;</P><P>&nbsp;</P><P>This is a bit frustrating. Configuring static route in client side (windows OS) could have solve this issue but the website they're accessing is going thru CDN which cause IP address to change from time to time. Probable solution may be work out with SoftEther VPN configuration.</P><P>&nbsp;</P><P>Thank you guys for all your inputs.</P> Tue, 12 Mar 2019 07:56:27 GMT https://live.paloaltonetworks.com/t5/general-topics/block-websites-when-using-vpn/m-p/253268#M71938 nredaj 2019-03-12T07:56:27Z