topic Re: SSL decryption( Some traffic is not decrypted) in General Topics

SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Fri, 07 Feb 2020 19:46:28 GMT

Dear All,

I have applied SSL forward decryption in my Paloalto, then i observed some traffic are decrypted and some traffic not decrypt.

Example:- I have applied the decryption in social-networking (Facebook traffic is decrypted but Snapchat traffic is not decrypted,however, both are falling under the social-networking category.)

Why it's strange behaviour.

Re: SSL decryption( Some traffic is not decrypted)

OtakarKlier — Fri, 07 Feb 2020 20:39:38 GMT

Hello,

Unfortunately there is some traffic that cannot be decrypted or it will break the connection. Snapchat is one of these as it uses a pinned certificate.

To view the automatically bypassed domains, click the Device tab -> Certificate Management -> SSL Decryption Exclusion

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEzCAK

Hope that helps.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Fri, 07 Feb 2020 20:53:50 GMT

@OtakarKlier

Ok, thanks for the information. it means all the URL/Application which are already in exclusion, will not decrypt?

Apart from this if any traffic is not decrypted so what is the issue?

Re: SSL decryption( Some traffic is not decrypted)

BPry — Fri, 07 Feb 2020 21:13:02 GMT

@Jafar_Hussain,

Correct; if the domain is listed in the SSL Decryption Exclusion list, the firewall is going to let that through without going through the decryption process so that it doesn't break anything.

@Jafar_Hussain wrote:
Apart from this if any traffic is not decrypted so what is the issue?

Can you provide one of the domains that you are running into an issue with that isn't covered by an exclusion? Keep in mind, depending on how you have things configured if the firewall detects that it isn't able to decrypt certain traffic without causing an issue, it will put that into a cache to skip decryption going forward so it doesn't continue to break the site for users.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Fri, 07 Feb 2020 21:27:46 GMT

@BPry Thanks for the information.

I will keep is in observation. if i found something I will let you know.

Thanks once again.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Mon, 10 Feb 2020 10:54:36 GMT

@BPry @OtakarKlier

I am facing a problem with the certificate(When I enabled the decryption and tried to open the website in Mozilla and internet explorer it is working as expected means it is taking the same self-sign certificate which I have generated).

However, when I tried to access the website in chrome, the browser is not accepting the certificate which is generated by FW. it is taking its own google certificate.

Can you help me with this?

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Mon, 10 Feb 2020 19:27:50 GMT

any one can give me reply........

Re: SSL decryption( Some traffic is not decrypted)

BPry — Mon, 10 Feb 2020 19:32:14 GMT

@Jafar_Hussain,

Can you post the actual website so we can actually take a look at it.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Mon, 10 Feb 2020 19:39:48 GMT

@BPry

Example:- For testing, I have created a custom URL category only for (youtube+facebook+netflix). this is policy i mention in decryption rule with decrypt SSL forward proxy. and I have an import certificate already in my machine. when i try to open this URL in Mozilla and Internet explorer it is working as expected both browsers are taking a certificate which i have import however in chrome i can't see the same certificate this browser is taking its own google certificate why ?????

Re: SSL decryption( Some traffic is not decrypted)

Remo — Mon, 10 Feb 2020 19:43:08 GMT

How do these connecrions look in the traffic log? Could it be possible that they use port 443/udp?

Re: SSL decryption( Some traffic is not decrypted)

BPry — Mon, 10 Feb 2020 19:43:52 GMT

@Jafar_Hussain,

Right off the bat I would look at if you are allowing QUIC traffic when you are utilizing Chrome.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Mon, 10 Feb 2020 19:55:01 GMT

@BPry I am not getting your point.

@Remo I can see in the traffic log when I open the chrome browser there is no decryption showing in traffic log however when I open in Mozilla traffic log showing as decrypted.

Re: SSL decryption( Some traffic is not decrypted)

BPry — Mon, 10 Feb 2020 20:00:15 GMT

@Jafar_Hussain,

Chrome will default to using the QUIC protocol, which to @Remo's point will come across on udp/443. Best practices would have you disallowing QUIC connections so that traffic is forced to fail-back to standard SSL/TLS connections over tcp/443. Then your decryption will actually work.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Mon, 10 Feb 2020 20:04:57 GMT

@BPry @Remo

Thanks for your reply.

I will check tomorrow and let you know.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Tue, 11 Feb 2020 06:52:03 GMT

@BPry @Remo

Thanks for your help and support.

Below is the task i have performed:-

I have disabled the QUIC protocol in the chrome browser then it is working as expected.

Problem:-

But i have large network in my environment, so i am not going through to disable the QUIC protocol in every system.

Solution:- I have gone through the below documents and deny the traffic of the QUIC application. now it is working as expected.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Wed, 12 Feb 2020 15:41:38 GMT

@BPry @Remo

hello,

Now the problem is chrome is accepting the certificate, but I am not able some websites in the chrome browser.

Ex:- I have applied decryption only for youtube and NetFlix. but when I open Netflix it is working fine below is the screenshot for Netflix:-

But When I open youtube in chrome, getting the error. below is the screenshot.

I have changed certificates already with SHA 512 value but still issue persists.

Could you please help me with this.

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Wed, 12 Feb 2020 18:48:07 GMT

@BPry @Remo

Could you please update on this,

Re: SSL decryption( Some traffic is not decrypted)

Remo — Wed, 12 Feb 2020 20:30:18 GMT

@Jafar_Hussain

Neither @BPry nor me @BPry are working for Paloaltonetworks. We use our free time to try to help here in the community. So if you cannot wait more than 3 hours (as you asked again for an update here 3 hours after your post with the cert warnings) you should contact official paloalto support.

Anyway, which certificate did you change to SHA512? Was it really the CA cert used for decryption? What key size did you configure for the dynamically created certificates? Could you show a screenshot of the cert?

Re: SSL decryption( Some traffic is not decrypted)

Jafar_Hussain — Thu, 13 Feb 2020 05:20:14 GMT

@Remo

Sorry for this.

I have configured a new CA certificate with keysize- 2048 and sha 512.

Re: SSL decryption( Some traffic is not decrypted)

Remo — Thu, 13 Feb 2020 12:47:05 GMT

@Jafar_Hussain

and you did configure this new ca cert as "Forward Trust Certificate"?