Blocking apps


Hi

 

At the moment what is most annoying is blocking external email, for example Gmail, which, depending on which browser you open it in, appears as "gmail", as "ssl" or as "quic". We have configured a block list for that; the problem is that users are starting to add these accounts to the mail clients in Windows 10 and Outlook, and we are back to the same thing: Palo Alto sees it as SSL and there is no way to catch it. This is one of the many examples and battles we have day by day. Hotmail is Hotmail one day and SSL the next, Yahoo likewise, and many pages and Google services too. I wanted to know what the recommendation is for this.

 

Regards,

First you want to block QUIC; this is a Google experimental encryption supported by Chrome only.

 

Next, you'll want to enable SSL decryption, as this will allow you to look inside encrypted traffic and identify the application being used. Google is specifically difficult to tackle without decryption, as they use a wildcard certificate for most of their applications (*.google.com).

Without decryption we try to identify the application by looking at the certificate or SNI; if neither returns something meaningful, we need to default to 'ssl'.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I know what you mean. But is there any option to prevent all these application changes?

 

@Es_tecsupportsecurity,

There really isn't a fix for it outside of SSL decryption. I know how annoying it can be if you don't have the ability to enable SSL decryption on said environment, but that truly is the only fix for this. 

 

Application Override policy is always an option if you simply want to keep the application being identified the same. However from a security perspective this is a terrible idea and it really isn't a solution. This would essentially stop identification at layer-4 and it has a ton of consequences that really don't fit well into a security platform. Administration would also be a pain seeing as you would need to find what IPs actually allocate to what service which I'm pretty sure isn't static on Google's end. SSL decryption is really the only real way to fix this. 

That's actually the strength of a Next-Generation Firewall 😉

The application changes allow you to properly identify which application is being used, which can only happen by identifying each step of the way (TCP to port 443 becomes ssl as soon as you have a handshake, and can become a specific application as soon as more information is learned from the packets flowing back and forth in the flow).

 

These steps happen with every packet in the TCP session: in the initial TCP handshake, we cannot know for certain what something is. If in the first payload packet (packet #4, usually) we see a handshake SNI for www.facebook.com, we can pretty much assume it is facebook. If we do not decrypt, however, all we see from that point on is encrypted and could be, for example, farmville. If we do decrypt, we will keep looking and change the app again to match the real application being used more closely.

 

For Google services this is very tricky, as they have their own way of doing things: Chrome tries to use QUIC, SNI is not always available, and they hide their apps behind a wildcard certificate, hence decryption is important.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
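The classification step both answers describe, in which a firewall that cannot decrypt has only the first payload packet (the TLS ClientHello) to work with, can be shown concretely. The following is an added example, not code from the thread or from Palo Alto Networks: it builds a constructed TLS 1.2 ClientHello with or without a Server Name Indication, parses the SNI the way an App-ID-style engine would, and falls back to the generic 'ssl' label when there is no SNI or the name is unknown. The SNI-to-application table, the host names and the label 'ssl' for the fallback are assumptions for illustration; the real App-ID signature logic is proprietary and more involved than this.

```python
"""Added example: classifying a TLS flow from the ClientHello alone (no decryption).

Everything here is constructed for illustration; the SNI->app table is an
assumption, not Palo Alto's App-ID data.
"""
import struct
from typing import Optional

# Assumed SNI -> application mapping (hypothetical, for the example only).
SNI_APP_TABLE = {
    "www.facebook.com": "facebook-base",
    "mail.google.com": "gmail",
    "outlook.live.com": "outlook-web-online",
}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an SNI."""
    client_random = b"\x11" * 32          # fixed bytes; a real client uses random data
    session_id = b""                      # empty session id
    cipher_suites = struct.pack("!HH", 2, 0x1301)   # list length 2, one suite
    compression = b"\x01\x00"             # one method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        # ServerName: name_type 0 (host_name), 2-byte length, name bytes
        server_name = struct.pack("!BH", 0, len(host)) + host
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        # Extension type 0x0000 = server_name
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03" + client_random
        + struct.pack("!B", len(session_id)) + session_id
        + cipher_suites + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    pos = 4 + 2 + 32                                  # handshake header, version, random
    if pos >= len(hs):
        return None
    sid_len = hs[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hs):
        return None
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    if pos >= len(hs):
        return None
    comp_len = hs[pos]
    pos += 1 + comp_len
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + length]
        pos += length
        if ext_type == 0x0000 and len(data) >= 5:
            # data = list length (2) | name_type (1) | name length (2) | name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def classify_flow(first_payload: bytes) -> str:
    """Label a flow from its first payload packet, without decryption.

    With no SNI (or an SNI not in the table) nothing more specific than the
    generic 'ssl' label can be justified, which is the behaviour the thread
    describes for wildcard-certificate and SNI-less Google traffic.
    """
    sni = extract_sni(first_payload)
    if sni is None:
        return "ssl"
    return SNI_APP_TABLE.get(sni, "ssl")


if __name__ == "__main__":
    for name in ("www.facebook.com", "mail.google.com", "cdn.example.net", None):
        print(f"SNI={name!r:>22} -> app={classify_flow(build_client_hello(name))}")
```

Running the block prints one line per constructed flow: the two names in the table classify as their application, the unknown name and the SNI-less hello both fall back to 'ssl'. That last row is the case the thread is about: once the client omits or obscures the SNI (QUIC, a mail client, a shared wildcard certificate), this packet-level view has nothing left to distinguish the service, and only decryption yields further evidence.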