what is the current "state" with PAN firewalls when it comes to decrypting Dropbox traffic? I found a lot of threads on the forum, some with contradicting information. It was said that Dropbox was put on an internal ssl-exclude list so the firewall wouldn't decrypt it, in a later post it was said it has been removed from the list again. Generally, the information is quite old. In yet another post it was suggested to put *.dropbox.com into the ssl-exclude list manually. Confusing....
I tried decrypting Dropbox but I failed. The Dropbox client reports it is unable to establish a secure connection, so I figure there are still issues? What is the current situation? Can Dropbox be decrypted? If not, what is the proposed way of excluding it (custom URL category with *.dropbox.com? put *.dropbox.com in the ssl-exclude-cert list?)?
There is a command (which I forgot) you can run in the CLI to see the current exclude list.
Regarding Dropbox: the Dropbox client can be decrypted; HOWEVER, it seems that Dropbox is using preloaded certificates (similar to Windows Update), which means it will refuse to work when decrypted on the road (because the cert being sent to the client is not the real Dropbox cert but the PA cert used for decryption).
The decryption, on the other hand, works if you use a web browser to reach your Dropbox account.
In order to make the Dropbox client work, you must exclude the Dropbox cert from being terminated. The downside of this is, of course, that the files uploaded to/downloaded from Dropbox won't be inspected by the PA antivirus engine (nor by the file-type engine etc., or logged, for that matter).
It would be great if the Dropbox client could accept the CA list available to the client (or, for that matter, let you manually include the CA you use for decryption as a trusted CA). What does Dropbox say when you contact them regarding this issue?
Command needed to verify whether the cert has been excluded:
show system setting ssl-decrypt exclude-cache
Referring to these docs can help :-) => https://live.paloaltonetworks.com/docs/DOC-1423
Thanks guys. However, my questions remain. If the Dropbox client cannot be decrypted, what is the proper way of excluding it? See my opening post. It used to be on the internal exclude list, but that doesn't seem to be true anymore. Why was it removed? How do you exclude it properly?
First of all, is it just the Dropbox client you want to bypass, or anything that has to do with Dropbox?
Because if it's the latter, then you can do this exclusion in the GUI where you set up the decryption rules (don't SSL-terminate for *.dropbox.com). Also look in the logs to see whether Dropbox is using some other domains today.
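As an added illustration (not from any poster in this thread, and not Palo Alto Networks' own documentation), here is roughly what the "don't decrypt *.dropbox.com" exclusion above looks like in PAN-OS set-format CLI, followed by the exclude-cache command quoted earlier in the thread as a check. The category name dropbox-nodecrypt and the rule name no-decrypt-dropbox are arbitrary, and the exact set syntax varies between PAN-OS releases, so verify each line against your version before committing. Lines starting with # are annotations, not CLI input.

```text
# Added example, not from the thread. Names are arbitrary and the set
# syntax is version-dependent; check it against your PAN-OS release.

configure

# 1. Custom URL category holding the Dropbox domains. If the traffic/URL
#    logs show the client talking to other domains, add them here too.
set profiles custom-url-category dropbox-nodecrypt list [ *.dropbox.com ]

# 2. Decryption rule that skips SSL forward proxy for that category.
set rulebase decryption rules no-decrypt-dropbox from any to any
set rulebase decryption rules no-decrypt-dropbox source any destination any source-user any
set rulebase decryption rules no-decrypt-dropbox service any category dropbox-nodecrypt
set rulebase decryption rules no-decrypt-dropbox type ssl-forward-proxy
set rulebase decryption rules no-decrypt-dropbox action no-decrypt

# 3. The no-decrypt rule must sit ABOVE the general decrypt rule; rules are
#    evaluated top-down, so a broader "decrypt" rule placed first would
#    still match the Dropbox client and break it.
move rulebase decryption rules no-decrypt-dropbox top

commit
exit

# 4. Check: this is the command from the thread that lists what the
#    firewall has automatically excluded from decryption. Once the policy
#    rule matches, Dropbox no longer depends on that automatic exclusion.
show system setting ssl-decrypt exclude-cache
```

The trade-off the thread already mentions still applies: whatever matches the no-decrypt rule is not scanned by antivirus or file-blocking profiles and is not visible in decrypted form in the logs, so keep the category as narrow as the client actually needs.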