https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/382926#M89895 <P>Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) <STRONG>and</STRONG> only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.</P><P>&nbsp;</P><P>Now, users are still limited from messaging/chat/etc... but <EM>can</EM> post comments and new threads on the site.</P><P>&nbsp;</P><P>This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :</P><P>1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?</P><P>2. Why do I no longer see "reddit-posting" in my logs?</P><P>3. What can SSL decryption do--or can't do--to help me solve this issue?</P><P>4. Is this a more-so a question about how PA identifies appids for reddit?</P> Fri, 29 Jan 2021 18:19:00 GMT nreynders 2021-01-29T18:19:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/382926#M89895 <P>Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) <STRONG>and</STRONG> only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.</P><P>&nbsp;</P><P>Now, users are still limited from messaging/chat/etc... but <EM>can</EM> post comments and new threads on the site.</P><P>&nbsp;</P><P>This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :</P><P>1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?</P><P>2. Why do I no longer see "reddit-posting" in my logs?</P><P>3. What can SSL decryption do--or can't do--to help me solve this issue?</P><P>4. Is this a more-so a question about how PA identifies appids for reddit?</P> Fri, 29 Jan 2021 18:19:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/382926#M89895 nreynders 2021-01-29T18:19:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/382981#M89897 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/158125">@nreynders</a>&nbsp;wrote:<BR /> <P>Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) <STRONG>and</STRONG> only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.</P> <P>&nbsp;</P> <P>Now, users are still limited from messaging/chat/etc... but <EM>can</EM> post comments and new threads on the site.</P> <P>&nbsp;</P> <P>This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :</P> <P>1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?</P> <P>2. Why do I no longer see "reddit-posting" in my logs?</P> <P>3. What can SSL decryption do--or can't do--to help me solve this issue?</P> <P>4. Is this a more-so a question about how PA identifies appids for reddit?</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> <P>When you built the policy last year and it worked with the proper APP-ID being identified had SSL decryption been configured?&nbsp; In general the answer is always going to be, yes, to ensure proper application of policy and identify traffic as the right APP-ID SSL decryption will always be looked at needing to be deployed.&nbsp; SSL decryption breaks open the SSL/TLS packets exposing the encrypted payload.&nbsp; APP-ID is going to be based on being able to properly see a packets contents/payload.&nbsp; So if the packet is encrypted there's certainly going to be a limitation of Palo's ability to apply the correct application to traffic traversing the firewall.&nbsp;</P> Fri, 29 Jan 2021 21:39:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/382981#M89897 Brandon_Wertz 2021-01-29T21:39:57Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/420117#M93848 <P class="_1qeIAgB0cPwnLhDF9XSiJM">Did you add a ssl profile to the decryption rules as well? If so, check which ciphers you've selected as being ok, because this can be a cause of the Palo dropping the SSL connection.</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">Also if you are using Chrome, make sure you either disable the Quic protocol or block it on the Palo. Quic is Https over UDP, which the Palo can't decrypt. This only affects chrome though, so also check with IE to see if the same issues occur.</P> Sat, 17 Jul 2021 06:10:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/420117#M93848 brianpauler 2021-07-17T06:10:03Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/442221#M100079 <P>As an update, we've implemented full SSL decryption since my original post for users, and now the issue persists by having&nbsp;<EM>all</EM> reddit related web traffic come through as "reddit-base". Previously--when first implemented--"reddit-posting" app-id would appear and function normally. By excluding this from our allow rule we could prevent users from messaging, signing in, commenting, etc... seems to not be the case anymore.</P><P>&nbsp;</P><P>I opened a case with PA and they let me know this is a known issue being tracked as bug id&nbsp;<SPAN>CON-50447 but I don't have much more information than that. They are able to reproduce on their end, so hopefully some additional visibility will help.</SPAN></P> Wed, 20 Oct 2021 14:21:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/442221#M100079 nreynders 2021-10-20T14:21:56Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/442222#M100080 <P>Thanks for the additional info here! I have noticed Quic protocol coming through, but I can also replicate the issue on IE and Firefox.</P><P>&nbsp;</P><P>We implemented SSL decryption for our users since the time of my first post, now all reddit related traffic comes through as "reddit-base", still no reddit-posting. PA verified that they can replicate the bug on their end, said they are looking into it with&nbsp;<SPAN>CON-50447.</SPAN></P> Wed, 20 Oct 2021 14:25:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-reddit-posting/m-p/442222#M100080 nreynders 2021-10-20T14:25:08Z