Decrypting Traffic from Google Drive Client Software Breaks Connection



When using the Google Drive client software with decryption enabled on the Palo Alto Networks firewall, the connection breaks and the Google Drive software does not synchronize files to the cloud.



The Palo Alto Networks firewall does not identify the Google Drive client software as "Google Drive" through the application database. Instead, this traffic is identified as "SSL." If decryption is enabled on the Palo Alto Networks firewall for SSL traffic, the traffic generated by the Google Drive client application fails decryption. This is because, when SSL decryption is enabled, the Palo Alto Networks device receives the external site's certificate and sends its own self-signed certificate to the end client. When the client encrypts the traffic using this certificate, the Palo Alto Networks device can decrypt and inspect the traffic, then re-encrypt it using the real certificate of the website.


When the Google Drive client software, installed on a desktop, attempts to connect to the Google server, it expects to receive a valid certificate from the Google server. With SSL decryption enabled, the Google Drive client receives an untrusted certificate from the Palo Alto Networks device and the connection ultimately fails.



There are two options as a workaround to resolve this issue:

  • Configure a no-decrypt policy with a custom URL category for the Google Drive website. The firewall is then configured so that any traffic going to the Google Drive site bypasses decryption.
  • Run the Google Drive client software with the unsafe_network flag enabled, so that it accepts untrusted certificates.
    1. Open the Google Drive menu on the desktop and select Quit Google Drive.
    2. Start the command line by running cmd.exe.
    3. On the command line, navigate into the Google Drive folder.
       • On a 32-bit system, the folder is at C:\Program Files\Google\Drive.
       • On a 64-bit system, the folder is at C:\Program Files (x86)\Google\Drive.
    4. Start the client with the flag:
       C:\Program Files (x86)\Google\Drive>googledrivesync.exe --unsafe_network

The Google Drive software client synchronizes after a few minutes.

Note: For this option, each time the Google Drive client is opened, it must be started in this mode from the command prompt. If there are many users in the network, running the Google Drive client in this mode for everyone can become a complex task. For this reason, consider running a script on the system.


Note: This issue exists for other client-based applications like Twitter or Dropbox, when trying to verify the certificate.
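
An added example, not part of the original article and not Palo Alto Networks or Google code: a check, run from a desktop behind the firewall, of whether the certificate a host presents was re-signed by the firewall or passed through by the no-decrypt policy. The CA name `example-forward-trust-ca` and the two sample certificate dicts are constructed placeholders; the hostnames to test are passed on the command line.

```python
import socket
import ssl
import sys

# Assumption: common name of the firewall's decryption CA (placeholder value).
FIREWALL_CA_CN = "example-forward-trust-ca"

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Example Corp"),),
                              (("commonName", "example-forward-trust-ca"),))}
SAMPLE_ORIGINAL = {"issuer": ((("organizationName", "Example Public CA"),),
                              (("commonName", "Example Public CA 1"),))}


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, firewall_ca_cn=FIREWALL_CA_CN):
    """'decrypted' if the firewall CA issued the certificate, else 'bypassed'."""
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"
    return "decrypted" if cn.lower() == firewall_ca_cn.lower() else "bypassed"


def probe(host, port=443, timeout=5.0):
    """Handshake with host, validating against the OS trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Same outcome as a client that does not trust the presented issuer.
        return host, "untrusted", exc.verify_message
    except OSError as exc:
        return host, "unreachable", str(exc)
    return host, classify(cert), issuer_cn(cert)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(probe(name))
```

A result of `decrypted` or `untrusted` for a host the sync client uses means the no-decrypt rule is not matching that traffic.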


See Also

Controlling SSL Decryption


owner: ssunku


Referring to this post!msg/drive/u5gRciYmyr4/mu1HsmbXAl4J

It seems that when disabling this feature you remove any certificate validation from the Google Drive client and are not using the browser / OS validation mechanism, so when the client is not behind the PA anyone on the internet may do a 'man in the middle' attack.

Not sure how this article actually solves bypassing decryption for google drive. Setting a custom URL category and applying it to the no decrypt policy doesn't actually let google drive connect. You have to create a separate no decrypt rule, and specify the destination fqdn's / IPs.

I wish this article would provide a step by step to getting the URL category to work or make a correction that states if using the App itself, you have to bypass by IPs.

It would be nice if you gave us the URL(s) for what to not decrypt (option 1) since option 2 does not look like something anyone wants to do on an enterprise scale.

Not only is option 2 not really a nice solution, it does not work (at least for my environment). Can this get updated with the proper information?

Try to catch with Wireshark what certificate is presented to the client, and then you will probably know the domain for the bypass.

For enterprise scale I am not sure you would like a "Google Drive"-like application.

If anyone is still having issues with this, I found a workaround. It is definitely a problem with decryption, as having a test user completely bypass decryption allows it to work flawlessly. What I have done is create a no decrypt policy that stays away from a list of urls found here: and include the url category of online-storage-and-backup as well as search-engines.

Link doesn't work.

Sorry about that, when clicking the link it removes the colon after the "http" for some reason. Adding that back in should fix the issue. Otherwise searching for "Google drive firewall and proxy settings" and clicking the first link does the trick.

Yes, I see that now. Thanks! Yea... I found that article. I put them all in, but I cannot do these two, or I will lose my safe search enforcement and my YouTube safety mode enforcement.


It's weird because the --unsafe_network does not work by itself; I'm having to add those URLs minus the ones I listed, and I left out the URLs with the --unsafe_network. The --unsafe_network does not work with the URL listed as no decrypt. Weird?

Looks like Google drive has stopped working again. The switch to launch does not seem to work anymore?

The good thing is that Google Drive is now categorized correctly. Just exclude online storage and backup from decryption.

That takes care of Google Drive, OneDrive, etc.

Does anyone know how we can get the new Google Drive File Stream to cooperate?  I am still getting delays when trying to sync.  I got Dropbox working but trying to ensure that this works.



To update this KB:


Running 8.1 with app-id 8069-5027 (09/25/18)


Google File Stream version (2018)) required to be bypassed and once bypassed data filtering was picking up the files. 


With Google Backup and Sync 3.42.9858.3671 also required me to bypass *