Configuration Articles

Featured Article
Domains

There are a number of domains/SSL certificates that are excluded from SSL Decryption. Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the WebUI. To see the full list of domains/SSL certificates that are excluded from SSL Decryption, go to Device > Certificate Management > SSL Decryption Exclusion in the WebGUI. The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device. This list of domains is added to the SSL Decryption Exclusion list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.

Applications

In PAN-OS 7.1 and older, applications were used instead of domains. These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.

#   Application
1   adobe-echosign
2   aerofs
3   aim
4   airdroid
5   amazon-aws-console
6   anydesk
7   appguru
8   apple-game-center
9   apple-push-notifications
10  asana
11  authentic8-silo
12  bluejeans
13  cryptocat
14  daum-mypeople
15  discord
16  dnf
17  efolder
18  evault
19  filesanywhere
20  finch
21  google-plus-posting
22  gotoassist
23  gotomeeting
24  gotomypc
25  hbo
26  hp-virtual-rooms
27  icloud
28  informatica-cloud
29  itunes
30  itunes-appstore
31  itunes-mediastore
32  itwin
33  jungledisk
34  kakaotalk
35  kakaotalk-audio-chat
36  kakaotalk-file-transfer
37  lantern
38  linkedin
39  live-mesh
40  logentries
41  logmein
42  logmeinrescue
43  meerkat
44  megachat
45  metatrader
46  minecraft
47  ms-lync-online
48  ms-product-activation
49  ms-spynet
50  ms-update
51  naver-line
52  norton-zone
53  ntr-support
54  odrive
55  office-on-demand
56  okta
57  onepagecrm
58  onlive
59  opera-vpn
60  packetix-vpn
61  paloalto-wildfire-cloud
62  pando
63  pathview
64  periscope
65  proofhq
66  puffin
67  rift
68  second-life
69  signal
70  silent-circle
71  simplify
72  sophos-rms
73  springcm
74  sugarsync
75  telex
76  tigertext
77  ubuntu-one
78  ultrasurf
79  vagrant
80  via3
81  vmware-view
82  vudu
83  wallcooler-vpn
84  webroot-secureanywhere
85  wetransfer
86  whatsapp
87  winamax
88  wiredrive
89  yunpan360-file-transfer
90  yuuguu
91  zoom
92  zumodrive
nrice, 07-27-2018 03:49 PM (277,841 Views, 76 Replies, 3 Likes)
The following list of supported ciphers for PAN-OS 7.1 includes ciphers for FIPS and non-FIPS mode, with supported curves and limitations.
10-05-2017 10:56 PM (43,566 Views, 10 Replies, 7 Likes)
Question

In the Decryption Profile, there is an option to choose "Block sessions if resources not available" for SSL Forward Proxy and SSL Inbound Inspection. What do we mean by "resources are not available"?

Answer

"Block sessions if resources not available" will kick in when:

- the maximum number of decrypted sessions has been reached;
- the Client Hello references an SSL session ID that is no longer in the firewall cache;
- the decrypt packet buffers are depleted.

Dataplane resource utilization is not monitored with this configuration.
rtalipov, 10-03-2016 02:34 PM (3,816 Views, 0 Replies, 5 Likes)
Problem

SSL Decrypt is configured for all Google services, but when the Chrome browser is used to launch any service provided by Google, decryption does not work. When we check the session details, we can see the traffic being identified as the quic application.

Cause

Google uses the experimental QUIC protocol to provide a faster SSL user experience. QUIC works over udp/80 and udp/443. Since this is not standard TLS/SSL traffic, the firewall cannot decrypt it.

Solution

We need to fall back to TLS/SSL to get decryption working. Options available:

- Disable QUIC in the Chrome browser. To do this, open a new tab in Chrome and type chrome://flags in the address bar. Go to "Experimental QUIC protocol" and change it to Disabled (the default is Enabled). Restart the browser.
- Deny the quic application in the firewall using a security policy.
- Deny udp/80 and udp/443 traffic using a security policy.

Note: When QUIC is disabled or blocked, the Chrome browser falls back to traditional TLS/SSL.
pbalasunda, 10-19-2015 03:21 PM (13,647 Views, 4 Replies)
Issue

After configuring SSL decryption, Mozilla Firefox shows a certificate error: Error: (Error code: sec_error_untrusted_issuer). See the image below for an example of this error message.

Cause

This occurs because Mozilla Firefox uses a different certificate store than other browsers such as Internet Explorer (IE) and Google Chrome, so the forward-trust root certificate installed for those browsers is not trusted by Firefox.

Resolution

To resolve the certificate error, import the root certificate used for SSL decryption into Firefox: go to Options > View Certificates > Authorities and click Import. This imports the root certificate used for SSL decryption, as shown below.

Once the certificate has been imported, verify the trust settings: go to Options > Advanced > Certificates > View Certificates, select the certificate that was imported, and click 'Edit Trust'. Make sure the trust options are selected. In the example below, the certificate selected is 172.16.105.1.
hshah, 07-21-2014 06:05 AM (23,520 Views, 4 Replies, 1 Like)