SSL-decryption slow

L6 Presenter

Re: SSL-decryption slow

The Common Name says www.facebook.com so it shouldn't be that.

However, Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isn't recognized by PA as a visit to Facebook?

Is the block page not visible even if you do SSL termination (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?

L1 Bithead

Re: SSL-decryption slow

Hi,

I have the same issue with other sites like www.flickr.com. When accessing flickr over http, the block page is displayed, but when trying to access the same page over https, no block page is displayed. For SSL termination, I’m using ssl-forward-proxy.

L4 Transporter

Re: SSL-decryption slow

I have experienced the same issue with block pages and https. From the CLI, run the following commands:

config

set deviceconfig setting ssl-decrypt url-proxy yes


This blocks ssl pages, but shows ip:port and category as any in the traffic log.


Ben

L1 Bithead

Re: SSL-decryption slow

Benjamin,

Blocks SSL pages and displays the block page?

L4 Transporter

Re: SSL-decryption slow

@BPERE

Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.

Ben
