I have a question with SSL decryption.


L0 Member

Hi there.

A few days ago, I'd changed one of my client's F/W.

Everything was okay but decryption wasn't working.

After a few tries, I found out what was causing that issue.
(Added a decryption profile and changed the policies (service: application-default -> any).)
But I don't know why I have to add the profile and change the service, so please let me know why it has to be that way.

Here is the information:

Before :
Model : 3050
Version : 7.1.7
mode: VW
HA(A-A)


After :
Model : 3260
Version : 8.1.7
mode : L3
HA : A-P


Thank you.

2 REPLIES

Cyber Elite

Hello,

Was decryption working prior to the HA change? If not, then the policies are incorrect because of decryption.

I.e., the firewall will detect SSL over tcp/443 and then decrypt it; the traffic is then reinspected and determined to be web-browsing over tcp/443 instead of tcp/80, so it breaks unless you allow web-browsing over tcp/443.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

Hope that helps.

I think I may see/understand your situation.

Prior to 9.x software, PAN-OS did not include secured ports in its App-ID.

Example:

When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (the port does not change).

Because 443 is not app-default for web-browsing, it is no longer a match.

If the policy was app-default, then you would need to change web-browsing to allow 80, 8080, and 443, or change to service any.

Maybe this is your issue?
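The mechanism both replies describe (an SSL session on tcp/443 that is re-identified as web-browsing on tcp/443 after decryption, and then no longer matches a rule whose service is application-default) can be walked through in a small policy-matching model. This is an added example written for this thread, not Palo Alto Networks code; the port tables are assumptions taken from the replies (ssl on tcp/443, web-browsing application-default on tcp/80 and tcp/8080 only), and the rule and function names are made up for illustration.

```python
"""Toy model of security-rule matching before and after SSL decryption.

Added example for this thread, not Palo Alto Networks code. The port tables
are assumptions taken from the replies: ssl is tcp/443 and the
application-default ports for web-browsing are tcp/80 and tcp/8080 only.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

Port = Tuple[str, int]  # (protocol, port)

# Assumed application-default port tables, as described in the replies above.
APP_DEFAULT_PORTS = {
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80), ("tcp", 8080)},
}


@dataclass(frozen=True)
class Flow:
    app: str    # App-ID result for the session
    proto: str
    port: int


@dataclass
class Rule:
    name: str
    applications: Set[str]
    # "application-default", "any", or an explicit set of (proto, port) services
    service: Union[str, Set[Port]]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow's application and service both match the rule."""
    if "any" not in rule.applications and flow.app not in rule.applications:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # application-default means "the app's standard ports", looked up per app
        return (flow.proto, flow.port) in APP_DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.port) in rule.service


def decrypt(flow: Flow, inner_app: str) -> Flow:
    """Model forward-proxy decryption: the session is re-identified as the
    inner application but keeps its original port, as the replies describe."""
    if flow.app != "ssl":
        raise ValueError("only ssl sessions are decrypted in this model")
    return Flow(app=inner_app, proto=flow.proto, port=flow.port)


def first_match(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Top-down rule evaluation; None means the implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name
    return None


def scenario(service) -> Tuple[Optional[str], Optional[str]]:
    """Evaluate one allow rule against the same HTTPS session before and after
    decryption; returns (matching rule before, matching rule after)."""
    rule = Rule("allow-web", {"ssl", "web-browsing"}, service)
    before = Flow("ssl", "tcp", 443)
    after = decrypt(before, "web-browsing")
    return first_match([rule], before), first_match([rule], after)


if __name__ == "__main__":
    # The original poster's rule: matches until decryption re-identifies the app
    print("application-default:", scenario("application-default"))
    # The two fixes named in the second reply
    print("service any:        ", scenario("any"))
    print("tcp/80,8080,443:    ", scenario({("tcp", 80), ("tcp", 8080), ("tcp", 443)}))
```

The first scenario returns `("allow-web", None)`: the session is allowed as ssl, then hits the implicit deny once it is re-identified as web-browsing on a port that is not in that application's default set. The other two scenarios match both before and after. Of the two fixes, listing the ports explicitly (80, 8080, 443) keeps the rule narrower than service any, which also opens every other port for the rule's applications.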
