dropbox - ssl decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

dropbox - ssl decryption

L4 Transporter

Hey all,

I am using dropbox on my PC and ssl decryption has been enabled on my Palo Alto. I added my PA root cert to my trusted certificates on my computer and am not getting any complains from my browser when surfing to https websites.

However, my dropbox application is complaining that it can not make a secure connection to the internet.

And yes, I have internet connectivity 🙂

I've tried creating a custom URL category containing dropbox.com and *.dropbox.com, but this did not resolve the problem.

When checking the monitor, I see some traffic identified as dropbox, but going to random public IP addresses (as expected for a CDN).

I found some post stating that dropbox can not be decrypted, if this is the case, sad but no problem, but how can I exclude it?

Kind regards,

Bob

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello Bob,

You can use the following command to exclude individual urls.

# set shared ssl-decrypt ssl-exclude-cert <value>

In your case it would be:

# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"

# commit

The result will create an exclude rule for a single URL. After adding the exclusion rule you may need to refresh your browser to have it recognize the actual server certificate, as opposed to the self-signed cert from the Palo Alto Networks device.

Verification can be done using the following command:

admin@88-PA-VM# show shared ssl-decrypt

ssl-decrypt {

  ssl-exclude-cert *.dropbox.com;

  trusted-root-CA;

}

Let me know if that helps!

Thanks and regards,

Kunal Adak

View solution in original post

6 REPLIES 6

L5 Sessionator

Hello Bob,

You can use the following command to exclude individual urls.

# set shared ssl-decrypt ssl-exclude-cert <value>

In your case it would be:

# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"

# commit

The result will create an exclude rule for a single URL. After adding the exclusion rule you may need to refresh your browser to have it recognize the actual server certificate, as opposed to the self-signed cert from the Palo Alto Networks device.

Verification can be done using the following command:

admin@88-PA-VM# show shared ssl-decrypt

ssl-decrypt {

  ssl-exclude-cert *.dropbox.com;

  trusted-root-CA;

}

Let me know if that helps!

Thanks and regards,

Kunal Adak

Thanks, I'm able to connect now

Note however that this mean that all dropbox traffic will bypass without being inspected nor logged which will introduce a huge security hole in your infrastructure.

If im not mistaken you could use the webclient instead (that is through webbrowser) and having your PA device inspecting the traffic securely (including threats, DLP, logging etc).

L3 Networker

I have the same problem and tried "set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com" "; but, I am still having the issue. It is intermittent, it works fine for most of the time, but once in a while I get the red X and the "Can't establish a secure connection" error.

L0 Member

Is there a way to get the Palo to inspect the traffic and not have the agent break?

 

This is pretty common and leads to having too many excemptions to SSL inspection. 

 

I appreciate that dropbox (and others) basically are preventing this man in the middle, but for an enterprise we need to be able to inspect this traffic?


Has anyone been able to get the dropbox agent/and site to work with the Palo cert?

Ultimately we are going to just allow downloads (so that would probably be ok) and block everything else so it will probably be ok once we remove the whitelist, I just want to test with a smaller group prior to rollout.

 

Thanks,

Hi @BrentGunn 

 

Because the dropbox application is doing certificate pinning, there is no way to get this working with decryption enabled. However accessing the dropbox website is working fine with TLS decryption enabled. So if you need to control dropbox traffic the only way is to use the website and not the dropbox application.

  • 1 accepted solution
  • 10095 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!