https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10149#M7448 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="font-family: SabonLTStd-Roman;"></SPAN></P><P align="left">as you know, applications use various degrees of SSL.</P><P align="left">Some are not implemented to standards or use capabilities in the standards that are not compatible with Palo Alto Networks SSL decryption capability. In addition, SSL decryption cannot be used when servers require client certi<SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates.</SPAN></P><P align="left">You have to avoid SSL decryption if:</P><P align="left"></P><P align="left"></P><P align="left"></P><P></P><P align="left"></P><P><SPAN style=": ; font-family: SabonLTStd-Roman; "></SPAN></P><P align="left">• Server requires client certi</P><P align="left"><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates</SPAN></P><P align="left">• Non-standard implementations of SSL used</P><SPAN style="font-family: SabonLTStd-Roman; "><P align="left">• New certi</P></SPAN><P></P><P align="left"><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cate authorities can’t be added to the client application<SPAN style="font-family: SabonLTStd-Roman; "></SPAN></SPAN></P><P>• Client software requires speci</P><P></P><P><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">c server certi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates</SPAN></P><P></P><P>So, I suggest you to make an exception per Carbonite URLs or Dst IP Address/es.</P><P></P><P>Regards</P><P></P><P></P><P></P></BODY></HTML> Wed, 16 Mar 2011 13:47:47 GMT migration 2011-03-16T13:47:47Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10148#M7447 <HTML><HEAD></HEAD><BODY><P>SSL decryption seems to interfere with Carbonite.&nbsp; When the policy is enabled, the Carbonite client reports "waiting for connecton to carbonite pro backup server...".&nbsp; I assume I could add a rule to not touch anything in category "online-personal-storage", but I'd rather not just guess until I get it right.</P><P></P><P>Has anyone had the same experience?</P><P></P><P>Thanks,</P><P>Todd</P></BODY></HTML> Wed, 16 Mar 2011 13:32:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10148#M7447 tcjnole64 2011-03-16T13:32:09Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10149#M7448 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="font-family: SabonLTStd-Roman;"></SPAN></P><P align="left">as you know, applications use various degrees of SSL.</P><P align="left">Some are not implemented to standards or use capabilities in the standards that are not compatible with Palo Alto Networks SSL decryption capability. In addition, SSL decryption cannot be used when servers require client certi<SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates.</SPAN></P><P align="left">You have to avoid SSL decryption if:</P><P align="left"></P><P align="left"></P><P align="left"></P><P></P><P align="left"></P><P><SPAN style=": ; font-family: SabonLTStd-Roman; "></SPAN></P><P align="left">• Server requires client certi</P><P align="left"><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates</SPAN></P><P align="left">• Non-standard implementations of SSL used</P><SPAN style="font-family: SabonLTStd-Roman; "><P align="left">• New certi</P></SPAN><P></P><P align="left"><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cate authorities can’t be added to the client application<SPAN style="font-family: SabonLTStd-Roman; "></SPAN></SPAN></P><P>• Client software requires speci</P><P></P><P><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">c server certi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">fi</SPAN><SPAN style="font-family: SabonLTStd-Roman;">cates</SPAN></P><P></P><P>So, I suggest you to make an exception per Carbonite URLs or Dst IP Address/es.</P><P></P><P>Regards</P><P></P><P></P><P></P></BODY></HTML> Wed, 16 Mar 2011 13:47:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10149#M7448 migration 2011-03-16T13:47:47Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10150#M7449 <HTML><HEAD></HEAD><BODY><P>That will work.&nbsp; In case anyone stumbles onto this, I contacted Carbonite.&nbsp; The IP addresses to exclude are:</P><P></P><P>38.97.103.128/26</P><P>38.111.3.192/26</P><P>38.97.75.1/25</P></BODY></HTML> Wed, 16 Mar 2011 14:54:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-carbonite/m-p/10150#M7449 tcjnole64 2011-03-16T14:54:38Z