antivirus feature on https


Hi all, I'm currently testing some features of our PA-500. I've activated the antivirus policies and, going to eicar, I can see it blocks the download of the file; when I try to download over https the download proceeds. How can I check and block antivirus threats over https sessions?

The OS version is 4.1 and I've done all feature updates.

Thanks to all.

Accepted Solution

Check the SSL Decryption technote: https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=SSL-Decrypti...

What you do is basically:

1) Create a new CA (as a test this can be done with openssl) - set expiration for 10 years or so (if you set for example 1 year you would need to redo this work once a year, so it's up to whatever certification policies at your workplace allow for expiration times).

2) Import this CA cert to your PA device.

3) Setup decryption policy in your PA device (for example if you only want to inspect SSL traffic your clients have towards Internet but not towards your own DMZ).

4) Import the public key of the CA into your clients.

The last part is only to make this transparent for the clients - otherwise they will get a warning in their web browser that the cert used by the site the client is visiting isn't "trusted". Of course the client could just allow it anyway or, for that matter, install the cert to avoid getting a warning next time - but the PA will on the fly generate a new "MITM" cert the next time the client visits the particular URL.

A good way to test if your SSL termination is set up correctly is to visit and download the EICAR test file from (both http and https options are available, along with .exe and .txt): http://www.eicar.org/85-0-Download.html (for more information: http://www.eicar.org/86-0-Intended-use.html).

Edit: Point 2 above is the private (and public, if I'm not mistaken) key of the CA.

That is because the PA will on the fly generate a new "faked" (MITM - Man In The Middle) cert using this CA cert before sending the traffic to the client, who (if point 4 above is done) will not notice that it is being inspected, unless the client manually inspects the received cert and notices that the issuer has changed and that the fingerprint (compared to the original cert) doesn't match (if the visited site has published their fingerprints online, or if the client some other way knows what the correct fingerprint is).


15 Replies


Hi,

You will have to configure ssl decryption for this.

How exactly? Can you be more explicit in your explanation? I have done a Decrypt policy but it seems not to be working, so I suppose I'm doing it wrong.

Thanks


Hi, I have generated the certificate directly from the Palo Alto; the problem was the name of the certificate. We have recreated the certificate with the IP address of the appliance as its name and now it seems to be working better. Now, using the EICAR download test, when trying to download a file over http I see a blocked response web page, and over https it remains working and keeps cycling. It doesn't display the response page but doesn't proceed to download the file. Have you seen the same behavior?
