Adobe Creative Cloud update and PaloAlto Content-ID


L3 Networker

Hello,

 

We have several users who use the well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderful Adobe software (After Effects, Dreamweaver, ...).

 

We have a PA with application-based policies.

 

We deny all traffic that relies on the "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or unexpectedly).

 

The issue is that it seems a lot of (all?) Adobe CC updates are identified by the PA as "ms-updates" traffic. I verified this by taking a PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue, and I saw lots of HTTP GETs to *msupdate* as well as *adobe.com* destinations at the same time...

 

My question is: how can I allow Adobe CC related traffic while denying "real" MS update traffic?

 

Kind Regards,

 

Laurent

7 REPLIES

Cyber Elite

I'm not sure that Adobe comes from one IP range, but I assume that it does; that would be one way, if you can allow the traffic just to that range.

Hello,

 

Unfortunately it relies on Akamai-like technologies: there is no way to identify IP ranges...

That's unfortunate. A few quick questions:

1) Do you decrypt traffic at all?

2) Have you already reported the issue to TAC at all?

Hello,

 

1) No, we don't decrypt traffic yet. Indeed I was thinking that this could help deal with it; however, I'm afraid of the drawbacks involved in decrypting HTTPS traffic.

 

2) No, I was just sharing my thoughts here for the moment.

 

Laurent

After spending several hours analyzing the behaviour, trying to replicate the issue and so on, I can finally say that it is really tricky to handle.

Indeed, it involves both HTTP and HTTPS traffic, and I'm pretty sure there are very tight links with MS updates, since in all replications of the issue I could see HTTP GET requests to www.download.windowsupdate.com (User-Agent: Microsoft-CryptoAPI/6.1).

I tried to define custom apps for the Adobe requests and the MS update requests (based on the User-Agent), but it still didn't work.

 

Finally I opened all of TCP 80/443 for the users, allowed the updates to complete, and then deleted the rule, and that did the trick.

 

To summarize: it would be really helpful if Palo Alto could release an efficient Content-ID signature for all this Adobe Creative Cloud related traffic...

L0 Member

Hi,

 

You can exclude Adobe traffic with this format: *.adobe.*

 

Because it comes from a few sites other than *.adobe.com.
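The triage Laurent describes (filtering a capture on one workstation's source IP and reading off the HTTP GET destinations) and the *.adobe.* host pattern suggested in the reply above can be combined into a small script. The following is an added example, not code from this thread, from Palo Alto Networks or from Adobe: it parses raw HTTP request headers, buckets each request by destination host using the *.adobe.* pattern and the windowsupdate/msupdate hostnames mentioned in the posts, and tallies User-Agent strings per bucket so that the flows an "ms-update" deny rule would hit can be told apart from Adobe's own CDN flows. The request lines are constructed sample data (note the .example hostnames); only www.download.windowsupdate.com and the Microsoft-CryptoAPI/6.1 User-Agent are taken from the thread.

```python
"""Bucket captured HTTP GETs by destination host and tally User-Agent per bucket.

Added example for the discussion above; not Palo Alto, Adobe or thread code.
The *.adobe.* pattern, www.download.windowsupdate.com and the
Microsoft-CryptoAPI/6.1 User-Agent come from the posts; every other host,
path and User-Agent below is constructed sample data.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed raw requests, as they would be reassembled from a capture
# filtered on one workstation. Paths and .example hosts are made up.
SAMPLE_REQUESTS = [
    b"GET /cc/manifest.xml HTTP/1.1\r\nHost: updates.adobe.example\r\n"
    b"User-Agent: Creative Cloud/1.0\r\n\r\n",
    b"GET /cc/installer.zip HTTP/1.1\r\nHost: cdn.adobe.example\r\n"
    b"User-Agent: Creative Cloud/1.0\r\n\r\n",
    # The one flow that genuinely goes to a Windows Update host, carrying the
    # User-Agent Laurent saw in his captures.
    b"GET /ctl/authroot.cab HTTP/1.1\r\nHost: www.download.windowsupdate.com\r\n"
    b"User-Agent: Microsoft-CryptoAPI/6.1\r\n\r\n",
    b"GET /feed.bin HTTP/1.1\r\nHost: au.msupdate.example\r\n"
    b"User-Agent: Windows-Update-Agent\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
]

# Host patterns. Adobe is checked first so an Adobe host never lands in the
# ms-update bucket; the patterns are the ones discussed in the thread plus a
# constructed *msupdate* wildcard for the "*msupdate*" destinations.
ADOBE_HOSTS = ("*.adobe.*",)
MS_UPDATE_HOSTS = ("*.windowsupdate.com", "*msupdate*")


def parse_request(raw: bytes) -> dict:
    """Extract method, path, Host and User-Agent from one raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", "").lower(),
        "user_agent": headers.get("user-agent", ""),
    }


def classify(host: str) -> str:
    """Label a destination host as adobe-cc, ms-update or other."""
    if any(fnmatchcase(host, pat) for pat in ADOBE_HOSTS):
        return "adobe-cc"
    if any(fnmatchcase(host, pat) for pat in MS_UPDATE_HOSTS):
        return "ms-update"
    return "other"


def summarize(raw_requests) -> Counter:
    """Count (bucket, User-Agent) pairs across all captured requests."""
    tally = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        tally[(classify(req["host"]), req["user_agent"])] += 1
    return tally


if __name__ == "__main__":
    for (bucket, user_agent), count in sorted(summarize(SAMPLE_REQUESTS).items()):
        print(f"{count:3d}  {bucket:10s}  {user_agent}")
```

Two things the tally makes visible that a raw packet list does not: the Microsoft-CryptoAPI User-Agent is the string Windows' certificate-chain engine sends when it fetches CRLs, AIA certificates or the root certificate trust list, so a single hit on www.download.windowsupdate.com in the middle of an Adobe install is consistent with a signature check on the downloaded installer rather than an OS update, and it is a separate flow from the Adobe CDN requests around it. The limit of this approach is the one Laurent ran into: Host and User-Agent are only readable for cleartext HTTP; for HTTPS without decryption the firewall sees at most the TLS SNI and the destination IP, which is why a URL- or host-based exception can only cover part of the traffic.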

 

L2 Linker

Hi,

Have you found a solution?

br

  • 6251 Views
  • 7 replies
  • 0 Likes