SSL Sites bypass URL Category block

L6 Presenter

Re: SSL Sites bypass URL Category block

You define for which zones and IP addresses and/or users, along with categories, you wish to enable SSL decryption.

In your case perhaps something like:

srczone: clients

dstzone: internet

srcip: any

dstip: any

user: any

categories: (select all categories; I don't know if "any" exists yet).

action: decrypt

This way, as soon as an SSL handshake is seen, the PA will intercept it, depending on whether you set this up as SSL proxy (common when intercepting outgoing clients) or SSL inspection (common when intercepting incoming clients towards one of your servers for which you have the private key).

Previously there have been issues with the 2000-series when there were too many concurrent SSL decryptions (because on the 2000-series and below the management plane is involved in creating the faked cert on the fly). I don't know if this has been fixed yet (I think it is).

Also note that in order to make this transparent for the clients you need to import the CA cert (well, the public part of what you imported into your PA device) as a trusted CA in your clients (this can be done through group policy). Also, you can use a second cert (and not import this one in your clients) which the PA can use for SSL sessions that couldn't be verified (for example if the cert from the server on the internet is expired, revoked or similar).
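The rule and the two certificates described in the post above, written out as PAN-OS configure-mode `set` commands. This is an added example, not something from the original post: the object names (Decrypt-Outbound, Forward-Trust-CA, Forward-Untrust-CA, zones clients/internet) are hypothetical, the command syntax is as I know it from PAN-OS and may differ between releases (newer releases qualify the forward-trust certificate with a key type, for example), and `category any` assumes the "any" selector is accepted; check each line against the CLI reference for your PAN-OS version before committing.

```text
# Added example (not from the original post). Hypothetical names; verify
# syntax against your PAN-OS release before committing.
configure

# Forward-trust CA: the certificate whose public part you push to clients
# (for example via group policy) so intercepted sessions show no warning.
set shared ssl-decrypt forward-trust-certificate Forward-Trust-CA

# Forward-untrust CA: NOT distributed to clients, so a browser warns when the
# origin server's certificate could not be verified (expired, revoked, ...).
set shared ssl-decrypt forward-untrust-certificate Forward-Untrust-CA

# The decryption rule from the post: clients -> internet, any source,
# destination and user, all categories, decrypt as an SSL forward proxy.
set rulebase decryption rules Decrypt-Outbound from clients
set rulebase decryption rules Decrypt-Outbound to internet
set rulebase decryption rules Decrypt-Outbound source any
set rulebase decryption rules Decrypt-Outbound destination any
set rulebase decryption rules Decrypt-Outbound source-user any
set rulebase decryption rules Decrypt-Outbound category any
set rulebase decryption rules Decrypt-Outbound service any
set rulebase decryption rules Decrypt-Outbound action decrypt
set rulebase decryption rules Decrypt-Outbound type ssl-forward-proxy

commit
```

Decryption rules are evaluated top down, so a `no-decrypt` rule placed above this one (matching only the categories you must not intercept) is the usual way to carve out exceptions while keeping the catch-all rule as written in the post.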

L4 Transporter

Re: SSL Sites bypass URL Category block

Usually, Google services are fully compatible with SSL decryption.

If you want to activate it only for Google, create SSL Decryption rules only for the following ranges:

ip4:216.239.32.0/19

ip4:64.233.160.0/19

ip4:66.249.80.0/20

ip4:72.14.192.0/18

ip4:209.85.128.0/17

ip4:66.102.0.0/20

ip4:74.125.0.0/16

ip4:64.18.0.0/20

ip4:207.126.144.0/20

ip4:173.194.0.0/16

Not applicable

Re: SSL Sites bypass URL Category block

I found that if you define an application in the rules that also does URL filtering, it needs to decrypt the packet to decipher the application. One way is to use HTTP and HTTPS ports.

For example your rule to block a website might look like:

srczone: trust

dstzone: untrust

application: web-browsing

action: allow

profile: URL filtering

Change to:

srczone: trust

dstzone: untrust

service: service-http, service-https

action: allow

profile: URL filtering

That was just one thing I came across that sounds close. The other option is of course adding certificates.

L6 Presenter

Re: SSL Sites bypass URL Category block

Sounds odd... when you use the URL filter without decryption, the URL filter can only look at the CN part of the certs passing through. This will also mean that the identified application will most likely just be "ssl" (and "web-browsing" for the cleartext stuff).

If you enable decryption then the real App-ID (let's say youtube or whatever) will be identified and the full URL will be logged (and handled by the filters) as well.
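The point made in the last two posts, as an added example that is not part of the original thread: without decryption a URL filter only has the hostname to work with (the SNI in the ClientHello, and the CN of the server certificate, which in TLS 1.2 is still sent in the clear), so categorisation is per host and the application is just "ssl"; with decryption it sees the HTTP request and can match and log the full URL. The script below parses those three things from constructed sample bytes (a minimal ClientHello, a DER-encoded certificate Subject, and a plaintext request). All inputs are built in the file; the host names used are only sample data.

```python
"""Added example (not from the original thread): what a URL filter sees in an
HTTPS session without decryption (SNI, certificate CN) versus with decryption
(full request URL). All inputs are constructed below; nothing touches the network."""
import struct
from typing import Optional

OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # DER of OID 2.5.4.3 (commonName)


def _der_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def subject_cn(name_der: bytes) -> Optional[str]:
    """commonName from a DER X.509 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    _, rdn_seq, _ = _der_tlv(name_der, 0)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = _der_tlv(rdn_seq, pos)
        q = 0
        while q < len(rdn_set):
            _, atv, q = _der_tlv(rdn_set, q)
            _, oid, r = _der_tlv(atv, 0)
            _, value, _ = _der_tlv(atv, r)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


def client_hello_sni(record: bytes) -> Optional[str]:
    """host_name from the SNI extension of a TLS ClientHello record, else None."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):                           # no extensions at all
        return None
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:                             # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                             # 0 = server_name
            continue
        q = 2                                         # skip server_name_list length
        while q + 3 <= len(data):
            name_type, name_len = data[q], int.from_bytes(data[q + 1:q + 3], "big")
            q += 3
            if name_type == 0:                        # 0 = host_name
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def decrypted_request_url(plaintext: bytes) -> Optional[str]:
    """With decryption the HTTP request is visible: rebuild URL from request line + Host."""
    head = plaintext.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii")
    return f"https://{host}{parts[1].decode('ascii')}" if host else None


def url_filter_view(client_hello: bytes, cert_subject: bytes, decrypted: Optional[bytes]) -> dict:
    """Hostname-level data is available either way; the URL only with decryption."""
    view = {"sni": client_hello_sni(client_hello), "cert_cn": subject_cn(cert_subject), "url": None}
    if decrypted is not None:
        view["url"] = decrypted_request_url(decrypted)
    return view


# --- constructed sample data (builders, not real traffic) -------------------
def _der(tag: int, content: bytes) -> bytes:
    assert len(content) < 128, "sample data only needs short-form lengths"
    return bytes([tag, len(content)]) + content


def build_subject(cn: str, org: str = "Example Org") -> bytes:
    """DER Name: SEQUENCE { SET { O=org }, SET { CN=cn } }."""
    o_atv = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x0A])) + _der(0x0C, org.encode()))
    cn_atv = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, o_atv) + _der(0x31, cn_atv))


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with a supported_groups extension before the SNI."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = (struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1D"   # supported_groups: x25519
            + struct.pack("!HH", 0x0000, len(sni_list)) + sni_list)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, no session id
            + struct.pack("!H", 2) + b"\xC0\x2F"                     # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    cert = build_subject("*.google.com")
    req = b"GET /watch?v=abc123 HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
    print("without decryption:", url_filter_view(hello, cert, None))
    print("with decryption:   ", url_filter_view(hello, cert, req))
```

The practical consequence is the one the thread circles around: a category or URL block that only exists at the path level (one video, one document on a host you otherwise allow) cannot be enforced on SSL traffic until a decryption rule covers it, because the firewall never sees the path. Note that on TLS 1.3 even the certificate CN is gone (the Certificate message is encrypted), leaving only the SNI.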
