Enabling SSO on Aperture requires information from your IDP. The following section describes how to add Aperture as an application on your IDP and then how to use information from your IDP to configure SSO on Aperture. Okta is used as the IDP in this example.
There are a number of domains/SSL certificates that are excluded from SSL Decryption.
Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the web UI.
To see the full list of domains/SSL certificates that are excluded from SSL Decryption, go to Device > Certificate Management > SSL Decryption Exclusion in the web UI.
The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device.
These domains are added to the SSL Decryption Exclusion list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.
In PAN-OS 7.1 and older, applications were used instead of domains.
These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.
Question: In the Decryption Profile, there is an option to choose "Block sessions if resources not available" for SSL Forward Proxy and SSL Inbound Inspection. What does "resources not available" mean?
Answer: "Block sessions if resources not available" kicks in when:
the maximum number of decrypted sessions has been reached;
the Client Hello references an SSL session ID that is no longer in the firewall cache;
the decrypt packet buffers are depleted.
Dataplane resource utilization is not monitored by this setting.
SSL Decrypt is configured for all Google services, but when the Chrome browser is used to launch any Google service, decryption doesn't work. In the session details, the traffic is identified as quic.
Google uses the experimental QUIC protocol to provide a faster SSL user experience. QUIC runs over udp/80 and udp/443. Since this is not standard TLS/SSL traffic, the firewall cannot decrypt it.
To get decryption working, the client must fall back to TLS/SSL. Options available:
Disable QUIC in the Chrome browser: open a new tab, type chrome://flags in the address bar, go to Experimental QUIC protocol and change it from Enabled (the default) to Disabled, then restart the browser.
Deny the quic application in the firewall using a security policy.
Deny udp/80 and udp/443 traffic using a security policy.
Note: When QUIC is disabled, the Chrome browser falls back to traditional TLS/SSL.
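As an added example that is not part of the original article, the following Python script reads constructed, simplified traffic log records and flags allowed sessions that reached udp/80 or udp/443 as quic (or as an unidentified UDP app) without being decrypted, so a defender can see which clients still need the Chrome flag changed or a deny rule applied. The CSV layout, field names and addresses are assumptions for the example, not the real PAN-OS log format.

```python
"""Triage simplified traffic log lines for sessions that sidestep
SSL Forward Proxy decryption by using QUIC on udp/80 or udp/443."""
import csv
from io import StringIO

# Constructed sample records (TEST-NET addresses). Assumed column order:
# time, src, dst, proto, dport, app, action, decrypted
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.1.1.20,198.51.100.14,udp,443,quic,allow,no
2024-01-01T10:00:02,10.1.1.20,198.51.100.14,tcp,443,ssl,allow,yes
2024-01-01T10:00:03,10.1.1.21,198.51.100.15,udp,80,quic,allow,no
2024-01-01T10:00:04,10.1.1.22,203.0.113.34,tcp,443,ssl,allow,yes
2024-01-01T10:00:05,10.1.1.23,192.0.2.53,udp,53,dns,allow,no
2024-01-01T10:00:06,10.1.1.24,198.51.100.14,udp,443,quic,deny,no
2024-01-01T10:00:07,10.1.1.25,203.0.113.5,udp,443,unknown-udp,allow,no
"""

FIELDS = ["time", "src", "dst", "proto", "dport", "app", "action", "decrypted"]
QUIC_PORTS = {80, 443}  # ports the article names for QUIC


def parse_log(text):
    """Parse CSV text into dicts; dport is converted to an int."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def is_quic_bypass(row):
    """True for an allowed, undecrypted session that was identified as
    quic, or that is UDP to a QUIC port with an app the firewall did
    not name (the second condition is a generalisation of the article's
    udp/80 and udp/443 deny option)."""
    if row["action"] != "allow" or row["decrypted"] == "yes":
        return False
    if row["app"] == "quic":
        return True
    return row["proto"] == "udp" and row["dport"] in QUIC_PORTS


def bypass_report(text):
    """Return (bypassing sessions, sorted client IPs to remediate)."""
    hits = [r for r in parse_log(text) if is_quic_bypass(r)]
    clients = sorted({r["src"] for r in hits})
    return hits, clients


if __name__ == "__main__":
    sessions, srcs = bypass_report(SAMPLE_LOG)
    print(f"{len(sessions)} session(s) bypassed decryption via QUIC/UDP")
    print("clients to remediate:", ", ".join(srcs))
```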
Issue
After configuring SSL decryption, Mozilla Firefox shows a certificate error: (Error code: sec_error_untrusted_issuer). See the image below for an example of this error message.

Cause
This occurs because Mozilla Firefox uses its own certificate store rather than the one used by other browsers such as Internet Explorer (IE) and Google Chrome.

Resolution
To resolve the certificate error, import the root certificate used for SSL decryption into Firefox: go to Options > View Certificates > Authorities and click Import. This imports the root certificate used for SSL decryption, as shown below.
Once the certificate has been imported, verify the trust settings: go to Options > Advanced > Certificates > View Certificates, select the certificate that was imported and click 'Edit Trust'. Make sure the following options have been selected. In the example below, the certificate selected is 172.16.105.1.

owner: hshah