After watching all tutorials and reading all PAN's walkthroughts, I still fail to disable the SSL Inspection (decryption) on all of the outgoing (or any..) traffic.
This is my decryption profile:
*Rest tabs are default.
This is my Decryption Policy:
*My Security Policy is just any,any,allow (nothing special) and my traffic is never blocked - as I expect.
At this point, I expect every https request of any website to be not inspected. Meaning, now if I open up my Chrome and go to (lets say) https://www.wikipedia.org/ and check the Security Overview (F12 -> Security) - I should see the 'real' Certificate of this website. Same result should apply to the alternative of using openssl command for requesting https websites instead of just browing via Browser Software like Chrome. (openssl s_client -connect wikipedia.org:443)
While doing both of the described above, I still get the PAN's Certificate (*issued by PAN) where I try not to apply the decryption.
I even explicitly excluded www.wikipedia.org and it did not help:
What am I missing? Yhelp :D
Solved! Go to Solution.
SSL decryption enables a proxy service, you can tell that proxy service to decrypt inbound or outbound, or not decrypt
But since your policy still matches a proxy rule, the session will still be handed off to the proxy: so if you don't want ssl decryption, don't create a decryption policy
If you want to bypass decryption on some url categories (finance may not be allowed by law depending on your sector for example) while stil ldecryption everything else, you can create a no-decrypt policy to not inspect those sessions
hope this helps
hey reaper and thanks for the reply.
First, your second suggestion (bypassing specific urls) did not work, i've tried it earlier. That was the reason I generally tried to bypass everything in order to troubleshoot the issue..
Second, I disabled all Decryption Policies and still getting decrypted for some reason.
and ofcourse I can still see PAN's Certificate using the F12 on browser / openssl requests for connection on all websites.
In addition, I think I didn't quite understand what u were saying with the proxy service tunneling, and even so, I just did what you suggested.
Did I miss anything again? Do you have another idea?
This may be a silly question, but did you commit your changes and clear all ssl sessions?
Disabling decryption does not immediately stop all decryption as it only applies to new sessions created after the commit went through, but old sessions will keep being decrypted until they end
it's perfectly possible for some sessions to remain that are being decrypted minutes or possibly hours (as tcp sessions could live up to 24 hours) after committing
bypassing some categories will not decrypt them, but they will still be handed off to the proxy as long as they match a rule in the decryption policy so you will still see the certificate, but the proxy service will simply not look inside
also, try closing your browser and opening the page fresh to esure the browser hasn't cached the certificate somehow
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!