https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/334497#M84384 <P>Seems the PA did the content update and now we see that the threat signature is triggered and traffic is blocked under threat logs.</P><P>Earlier we were seeing that traffic is decrypted and not blocked under threat logs</P> Sun, 21 Jun 2020 16:32:08 GMT MP18 2020-06-21T16:32:08Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/323943#M82741 <P>We have configured the SSL inbound decryption.</P><P>When we do the PCAPS on the PA we do not see POST message on the re and tx pcaps.</P><P>&nbsp;</P><P>Need to know is this default behaviour?</P><P>On traffic logs we see decryption flag as checked.</P><P>Also from CLI i verify that PA is decrypting the traffic.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Apr 2020 00:07:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/323943#M82741 MP18 2020-04-21T00:07:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/324066#M82763 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>This is expected. If you want the post message you would need to enable the decryption port mirror license and verify that you can legally enable that feature in your location and your industry.&nbsp;</P><P>&nbsp;</P><P>From a CLI perspective the command&nbsp;<EM>show session all filter ssl-decrypt yes&nbsp;</EM>will display all the decrypted sessions across the firewall. You can filter this more to ensure that traffic is being actively decrypted where you expect it to be.&nbsp;</P> Tue, 21 Apr 2020 15:12:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/324066#M82763 BPry 2020-04-21T15:12:41Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/324092#M82765 <P>The issue is that we have cert with name like&nbsp; *.city.ca</P><P>and it has multiple sub domains like&nbsp;</P><P>maps.city.ca</P><P>All the urls with domain *.city.ca point to single IP address.</P><P>When i do the pcaps for the city.ca i see the post and get message on the fw pcaps.</P><P>When domain is maps.city.ca then i do not see the get and post info in pcaps of the fw.</P><P>&nbsp;</P><P>I also tested with creating custom url for maps.city.ca and then adding that to decryption rule same thing.</P> Tue, 21 Apr 2020 16:28:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/324092#M82765 MP18 2020-04-21T16:28:57Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/326053#M83114 <P>We open the TAC case as we were able to exploit the vulnerabiity even&nbsp; though PA ssl decrypt is enabled.</P><P>Yes you were spot on you can not see the get/post messages on the PCAP on firewall or debug ssl proxy.</P><P>&nbsp;</P><P>But PA should able to see the threat signature and block it when ssl decryption is enabled.</P> Tue, 05 May 2020 01:09:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/326053#M83114 MP18 2020-05-05T01:09:39Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/334497#M84384 <P>Seems the PA did the content update and now we see that the threat signature is triggered and traffic is blocked under threat logs.</P><P>Earlier we were seeing that traffic is decrypted and not blocked under threat logs</P> Sun, 21 Jun 2020 16:32:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-decryption-and-post-message-in-pa-pcaps/m-p/334497#M84384 MP18 2020-06-21T16:32:08Z