01-05-2012 02:56 AM
Hi all, i'm currently testing some features of our PA-500, i've activated the antivirus policies and going on eicar i can see it blocks the download of the file, when i try to download from https the download proceed. How i can check and block antivirus threat over https session?
The version of os is 4.1 and i've done all features update.
Thanks to all.
01-08-2012 09:03 AM
Check the SSL Decryption technote: https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=SSL-Decrypti...
What you do is basically:
1) Create a new CA (as a test this can be done with openssl) - set expiration for 10 years or so (if you set for example 1 year you would need to redo this work once a year so its up to any ceritifcation policies at your workplace which expiration times are allowed).
2) Import this CA cert to your PA device.
3) Setup decryption policy in your PA device (for example if you only want to inspect SSL traffic your clients have towards Internet but not towards your own DMZ).
4) Import the public key of the CA into your clients.
The last part is only to make this transparent for the clients - otherwise they will get an warning in their webbrowser that the cert used by the site the client is visiting isnt "trusted". Of course the client could just allow it anyway or for that matter install the cert to avoid get a warning next time - but PA will on the fly generate a new "MITM" cert next time the client visits the particular url.
A good way to test if your SSL-termination is setup correctly is to visit and download the eicar testfile from (both http and https options are available along with .exe and .txt): http://www.eicar.org/85-0-Download.html (for more information: http://www.eicar.org/86-0-Intended-use.html).
Edit: Point 2 above is the private (and public if im not mistaken) key of the CA.
That is because the PA will on the fly generate a new "faked" (MITM - Man In The Middle) cert using this CA cert before sending the traffic to the client (who if point 4 above is done will not notice that its being inspected (unless the client manually inspect the cert received and will notice that the issuer is changed and that the fingerprint (compared to the original cert) doesnt match (if the visited site have published their fingerprints online or if the client some other way knows what the correct fingerprint is)).
01-05-2012 04:56 AM
Hi,
You will have to configure ssl decryption for this.
01-05-2012 05:29 AM
how exacly? Can you be more explicit in your explaination? I have done a Decrypt policy but it seem not working so i suppose i'm doing it wrong.
Thanks
01-08-2012 09:03 AM
Check the SSL Decryption technote: https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=SSL-Decrypti...
What you do is basically:
1) Create a new CA (as a test this can be done with openssl) - set expiration for 10 years or so (if you set for example 1 year you would need to redo this work once a year so its up to any ceritifcation policies at your workplace which expiration times are allowed).
2) Import this CA cert to your PA device.
3) Setup decryption policy in your PA device (for example if you only want to inspect SSL traffic your clients have towards Internet but not towards your own DMZ).
4) Import the public key of the CA into your clients.
The last part is only to make this transparent for the clients - otherwise they will get an warning in their webbrowser that the cert used by the site the client is visiting isnt "trusted". Of course the client could just allow it anyway or for that matter install the cert to avoid get a warning next time - but PA will on the fly generate a new "MITM" cert next time the client visits the particular url.
A good way to test if your SSL-termination is setup correctly is to visit and download the eicar testfile from (both http and https options are available along with .exe and .txt): http://www.eicar.org/85-0-Download.html (for more information: http://www.eicar.org/86-0-Intended-use.html).
Edit: Point 2 above is the private (and public if im not mistaken) key of the CA.
That is because the PA will on the fly generate a new "faked" (MITM - Man In The Middle) cert using this CA cert before sending the traffic to the client (who if point 4 above is done will not notice that its being inspected (unless the client manually inspect the cert received and will notice that the issuer is changed and that the fingerprint (compared to the original cert) doesnt match (if the visited site have published their fingerprints online or if the client some other way knows what the correct fingerprint is)).
01-10-2012 12:37 PM
Hi i have generated the certificate directly from Paloalto, the problem was that the name of certificate. We have ricreate the certificate with name the ip address of appliance and now it seem's to be working better. Now using the eicar download test, trying to download a file in http i see a blocked response web page, and in https it remain in working and remain in cycling. It doesn't display the response page but don't proceed to download of the file. Have you seen the same behavior ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!