Disabling SSL Decryption not working

L1 Bithead


Hey everybody!

After watching all tutorials and reading all PAN's walkthroughs, I still fail to disable the SSL Inspection (decryption) on all of the outgoing (or any..) traffic.

 

This is my decryption profile:

Capture.PNG

Capture.PNG

*Rest tabs are default.

 

This is my Decryption Policy:

Capture.PNG

 

*My Security Policy is just any,any,allow (nothing special) and my traffic is never blocked - as I expect.

 

At this point, I expect every https request of any website to be not inspected. Meaning, now if I open up my Chrome and go to (let's say) https://www.wikipedia.org/ and check the Security Overview (F12 -> Security) - I should see the 'real' Certificate of this website. Same result should apply to the alternative of using openssl command for requesting https websites instead of just browsing via Browser Software like Chrome. (openssl s_client -connect wikipedia.org:443)

 

The issue:

While doing both of the described above, I still get the PAN's Certificate (*issued by PAN) where I try not to apply the decryption.

 

Capture:

Capture.PNG

using openssl:

Capture.PNG

 

 

I even explicitly excluded www.wikipedia.org and it did not help:

Capture.PNG

 

What am I missing? Yhelp :D

 

J.

 

Community Manager

Re: Disabling SSL Decryption not working

Hi @JohnSysAd

 

SSL decryption enables a proxy service, you can tell that proxy service to decrypt inbound or outbound, or not decrypt

But since your policy still matches a proxy rule, the session will still be handed off to the proxy: so if you don't want ssl decryption, don't create a decryption policy

If you want to bypass decryption on some url categories (finance may not be allowed by law depending on your sector for example) while still decrypting everything else, you can create a no-decrypt policy to not inspect those sessions

 

hope this helps


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Disabling SSL Decryption not working

hey reaper and thanks for the reply.

 

First, your second suggestion (bypassing specific URLs) did not work, I've tried it earlier. That was the reason I generally tried to bypass everything in order to troubleshoot the issue..

 

Second, I disabled all Decryption Policies and I am still getting decrypted for some reason.

 

Cap:

Capture.PNG

 

Capture.PNG

and of course I can still see PAN's Certificate using the F12 on browser / openssl requests for connection on all websites.

 

In addition, I think I didn't quite understand what you were saying with the proxy service tunneling, and even so, I just did what you suggested.

 

Did I miss anything again? Do you have another idea?

Thanks again.

 

J.

Community Manager

Re: Disabling SSL Decryption not working

This may be a silly question, but did you commit your changes and clear all ssl sessions?

 

Disabling decryption does not immediately stop all decryption as it only applies to new sessions created after the commit went through, but old sessions will keep being decrypted until they end

 

it's perfectly possible for some sessions to remain that are being decrypted minutes or possibly hours (as tcp sessions could live up to 24 hours) after committing

 

bypassing some categories will not decrypt them, but they will still be handed off to the proxy as long as they match a rule in the decryption policy so you will still see the certificate, but the proxy service will simply not look inside

 

Also, try closing your browser and opening the page fresh to ensure the browser hasn't cached the certificate somehow


Reaper out
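
The check used throughout this thread (open a fresh connection and read who issued the certificate the site presents) can be scripted as below. This is an added example, not part of any post above; the function names, the sample outputs and the marker string `fw-forward-trust` are constructed, so replace the marker with part of the subject of the CA your firewall signs with.

```shell
#!/bin/sh
# Added example: sample outputs and CA names below are constructed.

# Print the leaf certificate's issuer from `openssl s_client` output on stdin.
leaf_issuer() {
    sed -n '/^issuer=/{s/^issuer= *//p;q;}'
}

# classify ISSUER MARKER -> intercepted | origin | unknown
# MARKER is a (case-insensitive) substring of the firewall CA's subject.
classify() {
    issuer=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    marker=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$issuer" ] || [ -z "$marker" ]; then echo unknown; return 0; fi
    case "$issuer" in
        *"$marker"*) echo intercepted ;;
        *)           echo origin ;;
    esac
}

# Live check: every call is a new handshake, so neither a browser cache
# nor a session that predates the commit can influence the result.
check_host() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null) || true
    classify "$(printf '%s\n' "$out" | leaf_issuer)" "$2"
}

# Constructed s_client output: leaf re-signed by the firewall's CA.
sample_intercepted() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:CN = www.example.org' '   i:CN = fw-forward-trust.example' '---' \
        'subject=CN = www.example.org' 'issuer=CN = fw-forward-trust.example' '---'
}

# Constructed s_client output: leaf issued by a public CA (no proxy in path).
sample_origin() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:CN = www.example.org' '   i:C = US, O = Example Public CA, CN = R1' '---' \
        'subject=CN = www.example.org' 'issuer=C = US, O = Example Public CA, CN = R1' '---'
}

if [ "$#" -eq 2 ]; then
    check_host "$1" "$2"          # usage: script.sh HOST MARKER
else
    echo "sample 1: $(classify "$(sample_intercepted | leaf_issuer)" fw-forward-trust)"
    echo "sample 2: $(classify "$(sample_origin | leaf_issuer)" fw-forward-trust)"
fi
```

Run with a host and marker it performs the live check; run without arguments it only classifies the two constructed samples.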