Adobe Creative Cloud update and PaloAlto Content-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Adobe Creative Cloud update and PaloAlto Content-ID

L3 Networker

Hello,

 

We have several of our users that are using well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderfull Adobe softwares (Aftereffect, DreamWeaver, ...)

 

We have a PA with application-based policies.

 

We deny all traffic that rely on "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or even unexpected).

 

The issue is that it seems that a lots of (all?) Adobe CC updates are identified by PA as "ms-updates" traffic. I put that in evidence by issuing PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue and I saw lots of HTTP GET to *msupdate" as well as *adobe.com* destinations at the same time...

 

My question is : How to allow Adobe CC related traffic while denying "real" MS updates traffic ?

 

Kind Regards,

 

Laurent

9 REPLIES 9

Cyber Elite
Cyber Elite

I'm not sure that Adobe comes from one IP Range but I assume that it does, that would be one way if you can allow the traffic just to that range.

Hello,

 

unfortunately it relies on Akamai-like technologies : no way to identify IP ranges...

That's unfortunate. Few quick questions

1) Do you decrypt traffic at all?

2) Have you already reported the issue to TAC at all?

Hello,

 

1) No we don't decrypt trafic yet. Indeed I was thinking that this could help to deal with, however I'm afraid of the drawbacks involved by decrypting HTTPS traffic.

 

2) No I was just sharing my thoughts here for the instance.

 

Laurent

After spending several hours to analyze the behaviour, trying to replicate the issue and so on I can finally say that is is really tricky to handle.

Indeed, it involves both HTTP and HTTPS traffic, and I'm pretty sure there are very tight links with MS updates, since along with all replications of the issue I could see HTTP GET request to www.download.windowsupdate.com (User-Agent: Microsoft-CryptoAPI/6.1)

I tried to define custom apps for Adobe requests and MSupdate requests (based on the User Agent) but it still didn't work.

 

Finally I opened all tcp 80 / 443 for the users, allowing the updates to achieve and then deletes the rule and that did the trick.

 

To summarize : it would be really helpfull if PaloAlto could release an efficient contend-id signature for all these Adobe Creative Cloud related traffic...

L0 Member

Hi,

 

You can exclude adobe traffic with this format *.adobe.*

 

Because it comes with a few sites other than *.adobe.com.

 

L2 Linker

hi,

have you found a solution?

br

L0 Member

組織禁止client對外進行ms-update的政策, 會造成 Adobe CC無法下載

一直到今日, 這個情況仍持續發生... 

PA真的無法識別流量or目標, 讓application識別出Adobe CC嗎? 

Community Team Member

Hi @EVERPRO ,

 

For Palo Alto Networks firewalls to correctly identify and allow Adobe Creative Cloud traffic, you should ensure that the following are in place:

 

  • App-ID: Make sure the firewall has the latest application and threat content updates.

  • Decryption: Without SSL decryption enabled, the firewall can only see encrypted traffic and may not be able to identify the specific application accurately. Decrypting the traffic allows the firewall to apply the correct App-ID.

  • Security Policy: You need a security policy rule that specifically allows the Adobe Creative Cloud App-ID.

If you have all of these configured and are still experiencing issues, you should check the traffic logs on the firewall. 

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 8596 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!