Inbound SSL Decryption and monitoring

Hello,

I'm trying to set up inbound SSL decryption. It is a pretty basic setup: two layer 3 interfaces on a PA-500. One interface is in an 'Outside' zone, the other is in a 'DMZ' zone. In the DMZ zone is a web server with a signed SSL certificate. The PA is NATing the server in the DMZ to the appropriate address space Outside.

I have imported the web server's SSL certificate and private key (looks ok...the PA decrypted the key and displays the correct expiration date on the Device->Certificates page).

I have an appropriate Decryption policy matching the correct source and destination zones.

Typically: when looking at the log details (or from the CLI: 'show session all filter ssl-decrypt yes') there is nothing being decrypted.

However: yesterday, when troubleshooting this with tech support, the log detail page had the 'Decrypted' box checked and the CLI command was showing one encrypted session.

But - in either case, when running very loud and obvious scans, no alert traffic is ever triggered. I can fill the web log up with directory traversal attempts, /etc/passwd, etc. and the attacks never show up in the Threat Log.  When the same attacks are launched against the same server on port 80, the Threat log lights up appropriately.

I'm using SSL 3.0 - am I trying to do the impossible?  I'm trying to decrypt inbound HTTPS traffic, scan it for attacks and either pass or block it according to policy.  So far no luck.

Any help would be appreciated and thank you in advance.

Cheers,

Tim

Re: Inbound SSL Decryption and monitoring

For the CLI issue, have support look at bug #38936.

-Scott

Re: Inbound SSL Decryption and monitoring

Did you get anywhere on this? I am having similar issues.

Re: Inbound SSL Decryption and monitoring

Hi Tim

Could you check to see if the certificate has been placed in the exclude cache?  Run the following CLI command:

show system setting ssl-decrypt exclude-cache

If the certificate is there it is likely because the SSL version or cipher suite being used is not supported for decryption. You can try to remove the certificate from the cache with the CLI command:

debug dataplane reset ssl-decrypt exclude-cache

If you test again and the certificate is placed back in the exclude cache then support will likely have to investigate the reason for the decryption failing.  In that case you will want to open a case and we can investigate further.

Thanks,

-- Kevin
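Kevin's point that a server can land in the exclude cache because of its SSL version or cipher suite is easy to check from the wire before opening a case. The script below is an added example, not from this thread or from Palo Alto Networks: it parses a TLS ServerHello record, reports the negotiated protocol version and cipher suite, and says whether the key exchange is static RSA. That distinction matters for inbound inspection in general: an inspector that holds only the server's private key can recover the session key only when the client encrypted the premaster secret to that key (RSA key exchange); with DHE/ECDHE (and all of TLS 1.3) the private key alone is not enough. Which ephemeral suites a given PAN-OS version can handle is not stated in the thread, so treat a non-RSA result as the first thing to raise with support. The ServerHello bytes are constructed in the script for illustration; on a real network you would feed it the server's response captured with a packet capture tool.

```python
"""Classify a TLS ServerHello for inbound-inspection troubleshooting.

Added example (not from the thread or from the vendor). Sample input is
constructed below, not captured traffic.
"""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# A handful of common IANA cipher suite code points -> (name, key exchange).
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ECDHE/DHE (TLS 1.3)"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "ECDHE/DHE (TLS 1.3)"),
}

SUPPORTED_VERSIONS_EXT = 43  # TLS 1.3 signals its real version here


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (RFC 5246 / RFC 8446 layout)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                  # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # skip session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression method

    # TLS 1.3 keeps legacy_version = 0x0303; the real version is in supported_versions.
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen

    name, kx = CIPHER_SUITES.get(suite, (f"unknown(0x{suite:04x})", "unknown"))
    return {"version": VERSIONS.get(version, f"0x{version:04x}"),
            "cipher_suite": name, "key_exchange": kx}


def decryptable_with_server_key(info: dict) -> bool:
    """True only for static RSA key exchange: that is the only case in which the
    server's private key alone recovers the session key. Ephemeral (DHE/ECDHE,
    and everything in TLS 1.3) needs an active proxy instead."""
    return info["key_exchange"] == "RSA"


def build_server_hello(version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (not real traffic)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", min(version, 0x0303)) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: the SSL 3.0 / RSA case from the thread, a TLS 1.2 ECDHE
    # server, and a TLS 1.3 server advertising itself via supported_versions.
    samples = [
        build_server_hello(0x0300, 0x0035),
        build_server_hello(0x0303, 0xC02F),
        build_server_hello(0x0303, 0x1301, b"\x00\x2b\x00\x02\x03\x04"),
    ]
    for rec in samples:
        info = parse_server_hello(rec)
        verdict = "key-based decryption possible" if decryptable_with_server_key(info) \
            else "needs active proxy / check vendor support"
        print(f"{info['version']:8} {info['cipher_suite']:40} {verdict}")
```

Running it prints one line per sample; the SSL 3.0 / RSA case is the only one where the server key alone suffices, which is the setup Tim describes. Whether the firewall then accepts that protocol version is a separate question and is what the exclude cache check above answers.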

Re: Inbound SSL Decryption and monitoring

I am finding that for inbound SSL decryption, it seems that sessions aren't being decrypted if the App-ID 'ssl' is matching. If the App-ID 'web-browsing' happens to match, the session is decrypted.

I dunno if that helps you or not, but it's a pattern I just noticed on my inbound SSL decryption setup that I have.

Re: Inbound SSL Decryption and monitoring

You are probably seeing those ssl decrypted sessions that NOW show up as web browsing. If you were to do a show session id <session #>, you'd probably see that the port used was 443 and the application was web browsing, implying that the ssl session was decrypted to expose the application that is web browsing.
