I am having issues with SSL decryption for office365 . In specific this is related to Azure API and SOAP protocol .
Traffic to azure cloud via soap to the following URL "roaming.officeapps.live.com/rs/RoamingSoapService.svc" is keep getting "decrypt-error" .
Trying to bypass and adding the site to the exclude list , and/or adding it to a url profile that bypass decryption does not seems to work as decryption still occure .
** Decryption is a must as i need to control to which offcice365 domain we allow access, for which we use cusom app as demonstrated in this KB : https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949 **
Have anyone sucssfuly managed SSL decryption with office 365 SOAP Azure API ?
Is this only on this app-id or do you see the same error elsewhere. From your screenshots it looks like you could be running 8.0.*. Are you potentially running into the following bug fixed in the 8.0.3 release?
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error .
Not the bug I was thinking it could be; is this all SOAP sessions or just the Office 365 sessions that are giving you the decrypt-error log?
The issue persist only with soap .
I was able to identify that this is related to a very specific connection to office 365 .
Office client only | Logged on user
184.108.40.206/32 220.127.116.11/32 18.104.22.168/32 22.214.171.124/32 126.96.36.199/32 188.8.131.52/32 184.108.40.206/32 220.127.116.11/32 18.104.22.168/32
TCP 80 & 443
I am also working with support for this issue however at the moment they cannot figure out why there is a decryption error.
At the moment i have bypassed ssl decryption for the following FQDN objects above.
Althought this resolve the issue i do want to unwrap the payload.
Addtionlay i was able to locate this document from microsoft .
When SSL decryption is on and the soap connection get broken some office application just crush on startup .
The following reg changes resolve that however the soap decryption issue on the firewall remains.
I think PAN need to do better work to document and create a full and holistic guide for office 365 deployments.
Current guides are short and does not include A to Z instruction or all the details.
The issue with O365 deployment guides of any type on NGFW from any company is how often they would need to be updated. You have Microsoft constantly making changes, Palo constantly updating things, and multiple different versions of Office software being used to function outside of O365 that you would need to cover. Not trying to make excuses for it really, but the amount of time that keeping any documentation up-to-date is insane, that's why I just linked an article that was from the 3.0 era a few days ago for another issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!