SSL Decryption Whitelisting

Reply
L2 Linker

SSL Decryption Whitelisting

So, I have just implemented SSL Decryption in our environment and we hit a website that appears to not work properly because of it. (It's sap.com, click on the login link in the upper right.) We don't see any errors in the firewall but the login prompt doesn't come up for us.

The question is, is there any way for me to whitelist *.sap.com from SSL Decryption?

L4 Transporter

Re: SSL Decryption Whitelisting

Hello Bgranholm,

I don't see sap.com over https. If it is not using https, the traffic is not encrypted, hence decryption is not necessary to those websites.

In case I do not have the correct URL and you see it over https, you can follow this document to exclude just one URL from being decrypted: How to Exclude a Single URL from SSL Decryption.

This can also be done on GUI by importing the certificate of that website on to the firewall under Device>Certificates>Import and mark it for SSL Exclude.

Hope that answers your question.

Regards,

Dileep

L2 Linker

Re: SSL Decryption Whitelisting

If you go to http://www.sap.com and click the login in the upper right, that brings up a login dialog box. The exact URL it is going to is: https://www.sap.com/content/sapcom/global/usa/en_us/registration/login.html

It is important to note, this works fine when you go to that url directly. Only when clicking on the link on the main page does it not work.

Highlighted
L3 Networker

Re: SSL Decryption Whitelisting

For what it is worth, my Palo Alto Firewall 2050 running 4.1.16 has the same issue that you describe bgranholm.

When I click on the login link on sap.com, the link directs me to https://accounts.sap.com/saml2/idp/sso/accounts.sap.com which is obviously an SAML2 SSO redirect.  This never completes.

dreputi's method might work depending on where the SSL is failing at.  I suppose one could alternatively create a decryption policy rule to exclude decryption of 155.56.59.145, as that is where accounts.sap.com resolves.   If this works for you, it would allow you to decrypt other aspects of SAP without decryption the SAML server.  I would advise against a FQDN decryption rule and I will mention that this IP will likely change in the future; you will need to keep the decryption rule updated.

In either case, you may need to this command from the CLI to make the change effective: debug dataplane reset ssl-decrypt certificate-cache       And then you may need to restart your Internet browser.

Edwin

L2 Linker

Re: SSL Decryption Whitelisting

Here is what we ended up doing based on the recommendations of our SE.

We created a custom URL category for whitelisting, Then put a new no-decyrpt SSL policy first which keys on the Custom URL Category.

This way, if/when we discover new urls that have issues, we can just add them to the whitelist.

Thanks for all your advice/assistance on this!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!