https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/316980#M81475 <P>Hi,<SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480" target="_self"><SPAN class="">BPry</SPAN></A></SPAN></P><P>&nbsp;</P><P><SPAN>&gt;Whitelist the following:</SPAN></P><P><SPAN>&gt;....</SPAN></P><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">Is this list actual?</SPAN></SPAN></DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">&nbsp;You mean path "Device -&gt; Cert mgmt -&gt; SSL Decription Exclusion" and add&nbsp; all listed domains one by one?</SPAN></SPAN></DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">Or "Policies -&gt; Decryption -&gt; New rule" and add rule with custom URL category.</SPAN></SPAN></DIV><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Andrew</SPAN></P> Wed, 18 Mar 2020 08:18:13 GMT aaobuhov 2020-03-18T08:18:13Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287464#M76717 <P>I've installed our Root CA cert in the "System" keychain, and have it marked as trusted.&nbsp; I can successfully decrypt web traffic from a MAC running Mojave.&nbsp; No problems there.&nbsp;</P><P>&nbsp;</P><P>The problem comes in when I try updating the OSX or even check for updates from the CLI.&nbsp; &nbsp;</P><P>&nbsp;</P><P>When I run "softwareupdate -l"&nbsp; in terminal, In the logs on the firewall it appears to be coming through as web browsing app, and getting decrypted.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I ran a packet capture, and it shows the client is resetting the connection after succesffuly going out to&nbsp;swscan.apple.com, which is not whitelisted for decryption exclusions.&nbsp; Has anyone run into issues when trying to decrypt on OSX with a trusted root cert, while trying to update the operating system itself?</P><P>&nbsp;</P><P>Guessing adding these domains to decryption exclusion is going to fix this?</P> Mon, 09 Sep 2019 20:27:35 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287464#M76717 Sec101 2019-09-09T20:27:35Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287498#M76718 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59122">@Sec101</a>,</P><P>Whitelist the following:</P><UL><LI>gg.apple.com</LI><LI>gnf-mdn.apple.com</LI><LI>gnf-mr.apple.com</LI><LI>gs.apple.com</LI><LI>ig.apple.com</LI><LI>mesu.apple.com</LI><LI>skl.apple.com</LI><LI>swcdn.apple.com</LI><LI>swdist.apple.com</LI><LI>swdownload.apple.com</LI><LI>swpost.apple.com</LI><LI>swscan.apple.com</LI><LI>updates-http.cdn-apple.com</LI><LI>updates.cdn-apple.com</LI><LI>xp.apple.com</LI></UL><P>That should take care of the software updates and allow your clients to actually update successfully.&nbsp;</P> Tue, 10 Sep 2019 01:48:07 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287498#M76718 BPry 2019-09-10T01:48:07Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287644#M76727 <P>Perfect!&nbsp; As always, an excellent reply!&nbsp; Thank you.&nbsp; When you say whitelist- you mean exclude decryption right?</P> Tue, 10 Sep 2019 14:01:08 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287644#M76727 Sec101 2019-09-10T14:01:08Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287645#M76728 <P>Correct. Exclude those domains from decryption and your clients should be able to check for and download updates again.&nbsp;</P> Tue, 10 Sep 2019 14:04:37 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/287645#M76728 BPry 2019-09-10T14:04:37Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/316980#M81475 <P>Hi,<SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480" target="_self"><SPAN class="">BPry</SPAN></A></SPAN></P><P>&nbsp;</P><P><SPAN>&gt;Whitelist the following:</SPAN></P><P><SPAN>&gt;....</SPAN></P><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">Is this list actual?</SPAN></SPAN></DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">&nbsp;You mean path "Device -&gt; Cert mgmt -&gt; SSL Decription Exclusion" and add&nbsp; all listed domains one by one?</SPAN></SPAN></DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-L7-Applicator lia-component-message-view-widget-author-username"><SPAN class="">Or "Policies -&gt; Decryption -&gt; New rule" and add rule with custom URL category.</SPAN></SPAN></DIV><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Andrew</SPAN></P> Wed, 18 Mar 2020 08:18:13 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/316980#M81475 aaobuhov 2020-03-18T08:18:13Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317037#M81487 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97840">@aaobuhov</a>,</P><P>That is the actual list yes. You can exclude these domains in either method, personally I like doing it in the decryption rulebase via a custom No-Decrypt URL category.&nbsp;</P> Wed, 18 Mar 2020 13:08:13 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317037#M81487 BPry 2020-03-18T13:08:13Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317040#M81488 <P>Thank you for reply&nbsp;</P><P>I prefer "<SPAN>No-Decrypt URL category" too.</SPAN></P><P>Can i summarize your list to:</P><P>*.apple.com</P><P>*.cdn-apple.com</P><P>&nbsp;</P><P>It will be a less strict list.<BR />Is such version possible?</P><P>&nbsp;</P><P>Andrew</P> Wed, 18 Mar 2020 13:17:06 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317040#M81488 aaobuhov 2020-03-18T13:17:06Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317041#M81489 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97840">@aaobuhov</a>,</P><P>You could. As you said, it would be less restrictive and potentially allow additional traffic that you otherwise could have decrypted and gained insight into.&nbsp;</P> Wed, 18 Mar 2020 13:20:18 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317041#M81489 BPry 2020-03-18T13:20:18Z https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317043#M81490 <P>Thank you, I understand.</P><P>&nbsp;</P><P>Best wishes,<BR />Andrew</P> Wed, 18 Mar 2020 13:30:03 GMT https://live.paloaltonetworks.com/t5/general-topics/osx-update-and-decryption/m-p/317043#M81490 aaobuhov 2020-03-18T13:30:03Z