
Decrypting Traffic from Google Drive Client Software Breaks Connection

by Phoenix on ‎04-04-2014 07:46 AM - edited on ‎09-01-2015 03:21 AM by (11,181 Views)

Issue

When using the Google Drive client software with decryption enabled on the Palo Alto Networks firewall, the connection breaks and the Google Drive software does not synchronize files to the cloud.

 

Cause

The Palo Alto Networks firewall does not identify Google Drive client software as "Google Drive" through the application database. Instead, this traffic is identified as "SSL." If decryption is enabled on the firewall for SSL traffic, the traffic generated by the Google Drive client application fails decryption. The reason lies in how SSL decryption works: the Palo Alto Networks device receives the external site's certificate and sends its own self-signed certificate to the end client. When the client encrypts the traffic using this certificate, the device can decrypt and inspect it, then re-encrypt it using the real certificate of the website.

 

When the Google Drive client software, installed on a desktop, attempts to connect to the Google server, it expects to receive a valid certificate from the Google server. With SSL decryption enabled, the Google Drive client receives an untrusted certificate from the Palo Alto Networks device and the connection ultimately fails.
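The trust mismatch described above can be reproduced offline with the openssl CLI. This is an added example, not part of the original article. It assumes the client validates against its own bundled CA list while the firewall's signing certificate was added only to the OS store; all CA names, file names and the hostname drive.example.test are constructed.

```shell
#!/bin/sh
# Constructed lab: all keys, CAs and the hostname are generated locally.
lab=$(mktemp -d)

make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$lab/$1.key" -out "$lab/$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = signing CA prefix, $2 = leaf prefix, $3 = hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$lab/$2.key" -out "$lab/$2.csr" 2>/dev/null
  openssl x509 -req -in "$lab/$2.csr" -CA "$lab/$1.pem" -CAkey "$lab/$1.key" \
    -CAcreateserial -days 1 -out "$lab/$2.pem" 2>/dev/null
}

# Succeeds only if leaf $2 chains to a CA listed in trust store $1.
client_accepts() {
  openssl verify -CAfile "$lab/$1" "$lab/$2.pem" >/dev/null 2>&1
}

build_lab() {
  make_ca public_ca "Example Public CA"            # stands in for the site's real issuer
  make_ca fw_ca "Example Firewall Forward Trust"   # stands in for the firewall's signing cert
  issue_leaf public_ca origin drive.example.test   # what the server really presents
  issue_leaf fw_ca resigned drive.example.test     # what the client sees behind decryption
  cp "$lab/public_ca.pem" "$lab/app_store.pem"     # assumption: app ships its own CA list
  cat "$lab/public_ca.pem" "$lab/fw_ca.pem" > "$lab/os_store.pem"  # OS store + firewall CA
}

report() {       # $1 = label, $2 = trust store, $3 = leaf
  if client_accepts "$2" "$3"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

build_lab
report "app store, no decryption " app_store.pem origin
report "OS store,  decryption on " os_store.pem  resigned
report "app store, decryption on " app_store.pem resigned
```

Only the last case is rejected: the re-signed certificate validates wherever the firewall's CA is trusted, which is why browsers using the OS store keep working while a client with its own trust list drops the connection.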

 

Resolution

There are two options as a workaround to resolve this issue:

  • Configure a no-decrypt policy with a custom URL category for the Google Drive website. With this policy in place, any traffic going to the Google Drive site bypasses decryption.
  • Run the Google Drive client software with the unsafe_network flag enabled, so that it accepts untrusted certificates.
    1. Open the Google Drive menu on the desktop and select Quit Google Drive.
    2. Start the command line by running cmd.exe.
    3. On the command line, navigate into the Google Drive folder.
    4. On a 32-bit system, the folder is at C:\Program Files\Google\Drive.
    5. On a 64-bit system, the folder is at C:\Program Files (x86)\Google\Drive.
    6. Run the client with the flag: C:\Program Files (x86)\Google\Drive>googledrivesync.exe --unsafe_network

The Google Drive software client synchronizes after a few minutes.

Note: For this option, each time the Google Drive client is opened, it must be started in this mode from the command prompt. If there are many users in the network, running Google Drive client in this mode for everyone can become a complex task. For this reason, consider running a script on the system.

 

Note: This issue exists for other client-based applications like Twitter or Dropbox, when trying to verify the certificate.

 

See Also

Controlling SSL Decryption

 

owner: ssunku

Comments
by minow
on ‎10-13-2014 03:59 AM

Referring to this post

https://productforums.google.com/forum/#!msg/drive/u5gRciYmyr4/mu1HsmbXAl4J

It seems that when disabling this feature you remove any certificate validation from the Google Drive client and are not using the browser / OS validation mechanism, so when the client is not behind the PA anyone on the internet may do a 'man in the middle' attack.

by cshaffer
on ‎03-13-2015 11:39 AM

Not sure how this article actually solves bypassing decryption for Google Drive. Setting a custom URL category and applying it to the no-decrypt policy doesn't actually let Google Drive connect. You have to create a separate no-decrypt rule, and specify the destination FQDNs / IPs.

I wish this article would provide a step by step to getting the URL category to work or make a correction that states if using the App itself, you have to bypass by IPs.

by steve.obrien
on ‎04-08-2015 10:36 AM

It would be nice if you gave us the URL(s) for what to not decrypt (option 1) since option 2 does not look like something anyone wants to do on an enterprise scale.

by alittler
on ‎07-07-2015 01:38 PM

Not only is option 2 not really a nice solution, it does not work (at least for my environment). Can this get updated with the proper information?

by minow
on ‎07-08-2015 10:33 AM

Try to catch with Wireshark what certificate is presented to the client and then you will probably know the domain for the bypass.

For enterprise scale I am not sure you would like a "google drive"-like application.

by alittler
on ‎07-09-2015 02:48 PM

If anyone is still having issues with this I found a workaround. It is definitely a problem with decryption, as having a test user completely bypass decryption allows it to work flawlessly. What I have done is create a no-decrypt policy that stays away from a list of URLs found here: http://support.google.com/docs/answer/2589954?hl=en and include the URL category of online-storage-and-backup as well as search-engines.

by bbilut
on ‎08-10-2015 04:47 AM

Link doesn't work.

by alittler
on ‎08-10-2015 11:40 AM

Sorry about that, when clicking the link it removes the colon after the "http" for some reason. Adding that back in should fix the issue. Otherwise searching for "Google drive firewall and proxy settings" and clicking the first link does the trick.

by bbilut
on ‎08-10-2015 12:22 PM

Yes, I see that now. Thanks! Yea... I found that article. I put them all in, but I can not do these two, or I will lose my safe search enforcement and my YouTube safety mode enforcement.

  • video.google.com:443/HTTPS
  • www.google.com:443/HTTPS

It's weird because the --unsafe_network does not work by itself, I'm having to add those URLs minus the ones I listed and I left out the URLs with the --unsafe_network. The --unsafe_network does not work with the URLs listed as no decrypt. Weird?

by bbilut
on ‎10-05-2015 05:28 AM

Looks like Google Drive has stopped working again. The switch to launch does not seem to work anymore?
