SSL-decryption slow

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL-decryption slow

L4 Transporter

Hello,

So I have tested SSL decryption today, and I made it work. But for some reason some of the webpages that are being decrypted are extremely slow. Facebook and even support.paloaltonetworks.com are two of them.

I exported a CA certificate from our AD and imported it into the PA as described in a document I found on the knowledgebase.

Look at the attached file for my configuration.

One more thing that is not working is the "block" page when I try to download the eicar test virus file via https.

I can see in the monitor/threat that the file is being blocked but I do not get the block page. Works if I open the eicar virus file via http.

Any suggestions on what the problem can be?

This is an PA-500 with sw version 4.0.3

Jo Christian

/Jo Christian
14 REPLIES 14

Not applicable

Hi,

I have a similar install than you, but I don't put URL categories filters in decrypt rules (I left it to 'Any') and it works like a charm.

Also are you using some user identification? May be with a captive portal ?

@lardsa

I also have a similar setup to yourself, but I've found that SSL decryption can be very slow on some website including the PAN support portal. I've had to put a rule in to not decrypt the effected websites and the performace then returns.

Can anyone from PAN explain why these performance issues are happening and what else (other than not to decrypt them) can be done to fix it.

I've used other web scanning products with SSL decryption and I've not experienced these sort of performance issues before.

@lardsa

Yes I have tried setting the categories filter to "Any", but it's still a problem.
How does your setup work against https://facebook.com? Take minutes for my setup to open it up when ssl decrypt is enabled.

Yes we use user identification (but not captive portal).

Jo Christian

/Jo Christian

Only website that shows slowness for my users with decryption enabled is Google Mail and only with Chrome (IE & Firefox are ok).

I have a support ticket opened for that.

Ok,

So I tested with IE and it things seems to be abit smoother. I always use Chrome.

But what can be the reason for this?

Btw does the block page work for you when trying to open https://secure.eicar.org/eicar_com.zip ?

If antivirus profile is enabled. I see in the log that the file is blocked but I don't get the webpage.

Chrome just hang trying to load the "page/file".

Work as it should if I try to download the file when not using ssl/https.

Jo Christian

/Jo Christian

Ok I confirm Block page is not appearing while it does on non SSL one.

Did you retry since 4.0.4 was released ? It has some SSL fixes in release notes ...

Any news about this issue?

Block-Page didn't display if trying to access https webpages .

ex.

http://www.facebook.com --> Block page is displaying

https://www.facebook.com --> No block page is displaying

Im using version 4.1.4

I have the no block page on ssl issue as well
4.0.9 - 4020

The Common Name says www.facebook.com so it shouldnt be that.

However Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isnt recognized by PA as a visit to Facebook?

Is the blockpage not visible even if you do SSL termiantion (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?

Hi,

I have the same issue with other sites like www.flickr.com. Accessing flickr in http, the block page is displaying and trying to access the same page in https, no block page is displaying. As SSL Termination, I’m using ssl-forward-proxy.

L4 Transporter

I have experienced the same issue with block pages and https. From the cli run the following commands:

config

set deviceconfig setting ssl-decrypt url-proxy yes


This blocks ssl pages, but shows ip:port and category as any in the traffic log.


Ben

Benjamin,

Blocks ssl pages and display the block page?

@BPERE

Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.

Ben

  • 9528 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!