05-04-2017 07:29 AM
Hello,
We have several of our users that are using well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderfull Adobe softwares (Aftereffect, DreamWeaver, ...)
We have a PA with application-based policies.
We deny all traffic that rely on "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or even unexpected).
The issue is that it seems that a lots of (all?) Adobe CC updates are identified by PA as "ms-updates" traffic. I put that in evidence by issuing PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue and I saw lots of HTTP GET to *msupdate" as well as *adobe.com* destinations at the same time...
My question is : How to allow Adobe CC related traffic while denying "real" MS updates traffic ?
Kind Regards,
Laurent
05-04-2017 08:59 AM
Hello,
unfortunately it relies on Akamai-like technologies : no way to identify IP ranges...
05-04-2017 12:23 PM
That's unfortunate. Few quick questions
1) Do you decrypt traffic at all?
2) Have you already reported the issue to TAC at all?
05-05-2017 12:17 AM
Hello,
1) No we don't decrypt trafic yet. Indeed I was thinking that this could help to deal with, however I'm afraid of the drawbacks involved by decrypting HTTPS traffic.
2) No I was just sharing my thoughts here for the instance.
Laurent
05-08-2017 04:51 AM - edited 05-08-2017 04:52 AM
After spending several hours to analyze the behaviour, trying to replicate the issue and so on I can finally say that is is really tricky to handle.
Indeed, it involves both HTTP and HTTPS traffic, and I'm pretty sure there are very tight links with MS updates, since along with all replications of the issue I could see HTTP GET request to www.download.windowsupdate.com (User-Agent: Microsoft-CryptoAPI/6.1)
I tried to define custom apps for Adobe requests and MSupdate requests (based on the User Agent) but it still didn't work.
Finally I opened all tcp 80 / 443 for the users, allowing the updates to achieve and then deletes the rule and that did the trick.
To summarize : it would be really helpfull if PaloAlto could release an efficient contend-id signature for all these Adobe Creative Cloud related traffic...
10-19-2023 01:33 AM
hi,
have you found a solution?
br
08-22-2025 01:10 AM
Hi @EVERPRO ,
For Palo Alto Networks firewalls to correctly identify and allow Adobe Creative Cloud traffic, you should ensure that the following are in place:
App-ID: Make sure the firewall has the latest application and threat content updates.
Decryption: Without SSL decryption enabled, the firewall can only see encrypted traffic and may not be able to identify the specific application accurately. Decrypting the traffic allows the firewall to apply the correct App-ID.
Security Policy: You need a security policy rule that specifically allows the Adobe Creative Cloud App-ID.
If you have all of these configured and are still experiencing issues, you should check the traffic logs on the firewall.
Kind regards,
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
