This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Action and Session End Reason conflict when SSL decryption enabled

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Action and Session End Reason conflict when SSL decryption enabled

nikoo
L3 Networker

‎06-19-2017 08:03 AM

Hi,

 

SSL decryption was turned on for one of the inside servers. Although it looks good, but some of the logs are rather strange.

There are sessions like these:session1.png

Basically  Action - Allow, Rule is hitting correct one (the one permitting the traffic), but Type is Deny and Session End Reason is policy-deny. That looks false to me and it seems that traffic is permitted indeed. Can check more with captures, etc., but has anyone seen such an effect?

 

 PAN-OS: 8.0.2

5 people had this problem.
0 Likes Likes
16 REPLIES 16

Brandon_Wertz
L6 Presenter

‎06-19-2017 08:14 AM

I could be wrong, but to me it looks like this is normal.  This is why I think so:

 

You're getting an "allow" because it's matching a layer 3 / 4 "allow" but then if you were to look at the magnifying glass you'd see a deny type log (for Layer 7 controls) but the details of those specific logs would help clarify more as to what exactly was going on.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎06-19-2017 08:19 AM

@nikoo,

Does this eventually shift away from SSL and into a more specifc app-id. One thing to keep in mind as well is that your traffic could be attempting to shift to 'web-browsing' and if you have your service set as 'application default' obviously web-browsing no-longer matches your rule. Without knowing the detailed logs or what your policy actually looks like I wouldn't be able to say for certain. 

0 Likes Likes

Remo
L7 Applicator
In response to BPry

‎06-19-2017 08:27 AM - edited ‎06-19-2017 08:39 AM

Today we also found a lot of these entries on our firewall. The strange thing is: its exacly this log entry as on the screenshot from @nikoo, no url log, no threat log ... nothing. Only this type deny log with the action allow and the session end reason policy deny

 

Edit: I have now seen these logs on 3 different hardware series running 8.0.2. So the only thing I know, it is not hardware related

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to Remo

‎06-19-2017 08:45 AM

@Remo @nikoo,

Could you guys post your dynamic update versions so we can see if any of those match. It sounds like you'll both likely want to open a Tac case or reach out to your SE to pass along the infromation, but if we could find any additional common ground that may be shared other than simply 8.0.2 that would be great. I imagine that while 8.0.2 is a shared trait if it was specific to that software version by itself the issue would have already presented itself. 

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to BPry

‎06-19-2017 09:05 AM

I'm running 5060s on 7.1.8:

 
Application Version 709-4078 (06/13/17)

Threat Version 709-4078 (06/13/17)

Antivirus Version 2279-2767 (06/19/17)

 

I saw the same type logs on my FW.  I think the this might be "normal" as described by my comment above.  Maybe not though, unless some can refute my assumptions?

0 Likes Likes

Remo
L7 Applicator
In response to Brandon_Wertz

‎06-19-2017 09:16 AM

2 cluster have the same versions mentionned by @Brandon_Wertz installed and 1 cluster has app&threat 708-4066 and av version 2278-2766 installed.

 

@Brandon_Wertz

Of coulse it could be absolutely normal ... but when I read the first post on this topic and then checked my logs I thought there should be another log (url/threat) which indicates the reason of this "policy deny"

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to Remo

‎06-19-2017 09:35 AM

Here's a detailed log view from one session on my FW

 

Traffic_Log.PNG

0 Likes Likes

Remo
L7 Applicator
In response to Brandon_Wertz

‎06-19-2017 09:38 AM - edited ‎06-19-2017 09:56 AM

@Brandon_Wertz

Thats how I was expecting the log should look like. But at least on 8.0.2 other logs exept the traffictype:deny-action:allow are missing.

 

Edit: One cluster was updated on saturday from 7.0.x to 8.0.2. Since then it started with these missing logs. On 7.0.x I haven't had such logs at all with these type/action/session-end-reason --> So it could be a bug of 8.0.2

nikoo
L3 Networker

‎06-19-2017 11:40 PM - edited ‎06-19-2017 11:41 PM

Had to run home yesterday, so didn't elaborate much on details. 🙂 But, yea, there are no additional inspection events related to that specific event - just a one rule hit, which covers all of the possible variations for application shifts on that TCP/443 port, without using application-default behavior. These logs definitely showed up only after enabling SSL decryption for that specific inside server and dissapeared after disabling it, so that may be related to some application shifts happing somewhere under the hood or some inspection profile having some impact.

Here's a sanitized full log entry:

 

session2.png

 

And here's a rule:rule1.png

There are some inspection profiles attached to it, so there is an option to disable them and see if that has any impact on the logs. At the moment decryption is disabled though, so cannot test that.

 

8.0.3 is out - I don't see anything related in the fixed bug section though, but may worth trying.

Cannot tell about 7.0.x or 7.1.x, because had to upgrade to 8.0.x in order to have Inbound SSL decryption for ECDHE.

 

Sitting on 708-4066.

0 Likes Likes

Remo
L7 Applicator
In response to nikoo

‎06-19-2017 11:55 PM

I've opened a TAC case to find out what's going wrong here. Will get back with an update as soon I have new informations.

nikoo
L3 Networker
In response to Remo

‎06-27-2017 01:16 AM

@Remo Hi, did you get any feedback from TAC?

0 Likes Likes

Remo
L7 Applicator
In response to nikoo

‎06-27-2017 01:40 AM

hi @nikoo

 

Unfortunately no useful result so far ...

0 Likes Likes

Remo
L7 Applicator
In response to Remo

‎06-28-2017 04:03 AM

FYI: These logentries are ALL because of decryption errors. In PAN-OS 8 mostly because of client certificates as almost anything else should be decrypted by default. Support is now verifying if it is "expected behaviour" that this "special" decryption-error is shown as "policy-deny" or if this a bug and the log is expected to show "decryption-error".

Remo
L7 Applicator
In response to Remo

‎07-11-2017 10:50 AM

FYI: "The issue is due to a current limitation in identifying session end reasons with SSL code values, which is expected to be fixed in the upcoming maintenance releases (ETA unknown). As of now, the session-end-reason is working as designed and uses the generic "policy-deny" for certain failure condition."
  • 22522 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks