Adobe Creative Cloud update and PaloAlto Content-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Adobe Creative Cloud update and PaloAlto Content-ID

L3 Networker

Hello,

 

We have several of our users that are using well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderfull Adobe softwares (Aftereffect, DreamWeaver, ...)

 

We have a PA with application-based policies.

 

We deny all traffic that rely on "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or even unexpected).

 

The issue is that it seems that a lots of (all?) Adobe CC updates are identified by PA as "ms-updates" traffic. I put that in evidence by issuing PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue and I saw lots of HTTP GET to *msupdate" as well as *adobe.com* destinations at the same time...

 

My question is : How to allow Adobe CC related traffic while denying "real" MS updates traffic ?

 

Kind Regards,

 

Laurent

7 REPLIES 7

Cyber Elite
Cyber Elite

I'm not sure that Adobe comes from one IP Range but I assume that it does, that would be one way if you can allow the traffic just to that range.

Hello,

 

unfortunately it relies on Akamai-like technologies : no way to identify IP ranges...

That's unfortunate. Few quick questions

1) Do you decrypt traffic at all?

2) Have you already reported the issue to TAC at all?

Hello,

 

1) No we don't decrypt trafic yet. Indeed I was thinking that this could help to deal with, however I'm afraid of the drawbacks involved by decrypting HTTPS traffic.

 

2) No I was just sharing my thoughts here for the instance.

 

Laurent

After spending several hours to analyze the behaviour, trying to replicate the issue and so on I can finally say that is is really tricky to handle.

Indeed, it involves both HTTP and HTTPS traffic, and I'm pretty sure there are very tight links with MS updates, since along with all replications of the issue I could see HTTP GET request to www.download.windowsupdate.com (User-Agent: Microsoft-CryptoAPI/6.1)

I tried to define custom apps for Adobe requests and MSupdate requests (based on the User Agent) but it still didn't work.

 

Finally I opened all tcp 80 / 443 for the users, allowing the updates to achieve and then deletes the rule and that did the trick.

 

To summarize : it would be really helpfull if PaloAlto could release an efficient contend-id signature for all these Adobe Creative Cloud related traffic...

L0 Member

Hi,

 

You can exclude adobe traffic with this format *.adobe.*

 

Because it comes with a few sites other than *.adobe.com.

 

L2 Linker

hi,

have you found a solution?

br

  • 6053 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!