SSL decryption( Some traffic is not decrypted)

L3 Networker


Dear All,


I have applied SSL forward proxy decryption on my Palo Alto, and I observed that some traffic is decrypted and some traffic is not decrypted.

Example: I have applied the decryption to social-networking (Facebook traffic is decrypted but Snapchat traffic is not decrypted; however, both fall under the social-networking category).


Why this strange behaviour?

L7 Applicator

Re: SSL decryption( Some traffic is not decrypted)

Hello,

Unfortunately there is some traffic that cannot be decrypted, or the connection will break. Snapchat is one of these, as it uses a pinned certificate.


To view the automatically bypassed domains, click the Device tab -> Certificate Management -> SSL Decryption Exclusion

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEzCAK


Hope that helps.

L3 Networker

Re: SSL decryption( Some traffic is not decrypted)

@OtakarKlier 

OK, thanks for the information. Does that mean all the URLs/applications that are already in the exclusion list will not be decrypted?


Apart from this, if any traffic is not decrypted, what is the issue?

L7 Applicator

Re: SSL decryption( Some traffic is not decrypted)

@Jafar_Hussain,

Correct; if the domain is listed in the SSL Decryption Exclusion list, the firewall is going to let that through without going through the decryption process so that it doesn't break anything. 

@Jafar_Hussain wrote:

Apart from this, if any traffic is not decrypted, what is the issue?

Can you provide one of the domains that you are running into an issue with that isn't covered by an exclusion? Keep in mind, depending on how you have things configured, if the firewall detects that it isn't able to decrypt certain traffic without causing an issue, it will put that into a cache to skip decryption going forward so it doesn't continue to break the site for users.

L3 Networker

Re: SSL decryption( Some traffic is not decrypted)

@BPry Thanks for the information.


I will keep it under observation. If I find something, I will let you know.

Thanks once again.

L3 Networker

Re: SSL decryption( Some traffic is not decrypted)

@BPry @OtakarKlier 


I am facing a problem with the certificate. When I enabled decryption and tried to open the website in Mozilla and Internet Explorer, it worked as expected, meaning it used the same self-signed certificate that I generated.

However, when I tried to access the website in Chrome, the browser did not accept the certificate generated by the FW; it used its own Google certificate.


Can you help me with this?

L3 Networker

Re: SSL decryption( Some traffic is not decrypted)

Can anyone give me a reply?

L7 Applicator

Re: SSL decryption( Some traffic is not decrypted)

@Jafar_Hussain,

Can you post the actual website so we can actually take a look at it?

L3 Networker

Re: SSL decryption( Some traffic is not decrypted)

@BPry 


Example: For testing, I have created a custom URL category only for (youtube+facebook+netflix). This is the policy I mention in the decryption rule with Decrypt SSL Forward Proxy, and I have already imported a certificate on my machine. When I try to open these URLs in Mozilla and Internet Explorer, it works as expected: both browsers use the certificate I imported. However, in Chrome I can't see the same certificate; this browser uses its own Google certificate. Why?

L7 Applicator

Re: SSL decryption( Some traffic is not decrypted)

How do these connections look in the traffic log? Could it be possible that they use port 443/udp?
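The two reasons raised in this thread for traffic escaping SSL Forward Proxy decryption, a pinned application on the decryption exclusion list and sessions on 443/udp that a forward-proxy rule never sees, can both be picked out of a traffic log export. The script below is an added example, not code from the thread or from Palo Alto Networks; it assumes a simplified CSV layout (the column names are my own, not the firewall's real export format) and uses constructed log rows, with `snapchat` standing in for an excluded, pinned application.

```python
"""Triage which TLS flows escaped SSL Forward Proxy decryption, and why."""
import csv
import io
from collections import Counter

# Constructed sample rows in an assumed, simplified export shape.
# The "decrypted" column mirrors the Decrypted flag a traffic log carries;
# addresses and apps here are made up for illustration.
SAMPLE_LOG = """\
src,dst,proto,dport,app,category,decrypted
10.1.1.5,203.0.113.10,tcp,443,facebook-base,social-networking,yes
10.1.1.5,203.0.113.20,tcp,443,snapchat,social-networking,no
10.1.1.7,203.0.113.30,udp,443,quic,streaming-media,no
10.1.1.7,203.0.113.30,tcp,443,youtube-base,streaming-media,yes
10.1.1.9,203.0.113.40,tcp,443,ssl,social-networking,no
"""

# Example entries standing in for applications on the firewall's SSL Decryption
# Exclusion list (Device > Certificate Management > SSL Decryption Exclusion).
EXCLUDED_APPS = {"snapchat"}

REASON_QUIC = "udp/443 (QUIC): not handled by SSL forward proxy"
REASON_EXCLUDED = "on decryption exclusion list (pinned certificate)"
REASON_UNKNOWN = "undecrypted tcp/443: check decryption policy and local exclusion cache"


def classify_flow(row):
    """Return why a flow was not decrypted, or None if it was decrypted."""
    if row["decrypted"] == "yes":
        return None
    if row["proto"] == "udp" and row["dport"] == "443":
        # QUIC runs over UDP, so a forward-proxy decryption rule never sees it;
        # the browser shows the origin's own certificate, not the firewall's.
        return REASON_QUIC
    if row["app"] in EXCLUDED_APPS:
        return REASON_EXCLUDED
    return REASON_UNKNOWN


def triage(log_text):
    """Parse the export and group undecrypted flows as {reason: [(src, dst, app), ...]}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify_flow(row)
        if reason is not None:
            findings.setdefault(reason, []).append((row["src"], row["dst"], row["app"]))
    return findings


def summarize(log_text):
    """Count undecrypted flows per reason."""
    return Counter({reason: len(flows) for reason, flows in triage(log_text).items()})


if __name__ == "__main__":
    for reason, flows in triage(SAMPLE_LOG).items():
        print(f"{reason}:")
        for src, dst, app in flows:
            print(f"  {src} -> {dst} ({app})")
```

Flows that land in the last bucket are the ones worth raising with the vendor, as BPry asks above: they are TCP/443, not on the exclusion list, and still undecrypted, so either the decryption rule did not match or the firewall's local exclusion cache skipped them. The QUIC bucket is the usual explanation for Chrome showing Google's own certificate on Google properties; a common mitigation, not stated in the thread, is a security policy that denies the quic application so the browser falls back to TLS over TCP, which the decryption policy can then act on.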
