topic Re: I have question with SSL decryption. in General Topics

I have question with SSL decryption.

ninecross — Wed, 19 Jun 2019 06:06:56 GMT

Hi there.

Few days ago, I 'd changed one of my client's F/W .

Everything was okay but decryption wasn't working.

After few times, I found out what problem was causing that issues.
(added decryption profile and changed policies (service: application-default -> any)
But I don't know why do I have to add profile and changed service. So Please let me know why it has to.

there is information :

Before :
Model : 3050
Version : 7.1.7
mode: VW
HA(A-A)

After :
Model : 3260
Version : 8.1.7
mode : L3
HA : A-P

Thank you.

Re: I have question with SSL decryption.

OtakarKlier — Wed, 19 Jun 2019 14:35:09 GMT

Hello,

Was decryption working prior to the HA change? If not then the policies are incorrect because of decryption.

I.E. the firewall will detect ssl over tcp/443 then decrypt it, the traffic is then reinspected and is determined to be web-browsing over tcp/443 instead of tcp/80 so it breaks unless you allow web-browsing over tcp/443.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

Heop that helps.

Re: I have question with SSL decryption.

S.Cantwell — Thu, 20 Jun 2019 21:30:23 GMT

I think I may see/understand your situation.

Prior to 9.x software, the PANOS software did not include secured ports in its AppID.

Example

When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (port does not change)

because 443 is not app-default for web-browsing, then it is not longer a match.

If policy was app-default then you would need to change web-browsing to allow 80, 8080, and 443, or change to service any.

maybe this is your issue?