Anydesk issue.

L1 Bithead

Hi

You mean inside IP address? But how did you manage to avoid decryption for only the AnyDesk sides?

Hi,

I avoid decryption for the whole <private-ip-addr> category, as I couldn't make it work only for AnyDesk. As I said earlier, I tried many combinations.

L0 Member

Any update??? Still not working for me.

Palo Alto has a predefined "SSL Decryption Exclusion" for "AnyNet Relay" and "AnyDesk Client", and I manually added "AnyNet Root CA", "*.net.anydesk.com" and "net.anydesk.com".

Also try with a Custom URL List.

L0 Member

Hello,

Any update? AnyDesk is not working for me either.

Regards,

L2 Linker

Having the same issue. Pain in the ass!

L2 Linker

OK, got this working for now, but not exactly the way I want.

1) Tag (screenshot)

2) Address Group (screenshot)

3) SSL Decryption Policy (screenshot)

4) Log Forwarding (screenshot)

5) Built-in Actions (screenshot)

6) Security Rule (screenshot)

L1 Bithead

Hello, guys!

I ran into this issue and found the root cause. Many of you know that desktop applications often check the certificate. AnyDesk does. So we need to exclude it from SSL decryption, but here is the trick: *.anydesk.com works only for the AnyDesk website (the NGFW detects the web-browsing application, sees that the URL matches *.anydesk.com and excludes the session from decryption), but it doesn't work for the desktop application, and here is why:

I did a little investigation and found that the application makes a DNS query for a random URL, generated upon installation. (I guess it's called DGA, but correct me if I'm wrong.)

Here is an example: (screenshot)

Then it establishes a TCP session to the IP that was previously obtained from the DNS query, and that's all:

(screenshot)

So our exclusion rules will not work for the IP.

Solution:

1. Go to Monitor > Traffic and filter the logs by application "anydesk".

2. Export the logs to CSV and open it in Excel.

3. Find the Destination IP column, select all items and delete duplicates.

4. Copy this list to a *.txt file and create an EDL.

5. Use this EDL in a No-Decrypt policy.

6. PROFIT!

You can also go further. According to the WHOIS service, the backend IP addresses are located in different DCs all over the world. You can take the IPs you found in the logs, look up the whole IP ranges in the WHOIS info and use those ranges in the EDL. But it doesn't seem safe to me, because many of the IPs in such a range may be used by other applications, not AnyDesk, so this is a potential risk.

L1 Bithead

Looks cool!

But I think 6 should come after 3, because you use the security rule name in the filter in the Log Forwarding settings.

L2 Linker

Yes, on the assumption that the security rule doesn't exist. It does in my case.

L2 Linker

Hi @Ilya_Kuranov

Could you please show me how to create a custom EDL IPv4 list with MineMeld? Currently I have created and am using the Office 365 IPv4 list, but I don't know how to create a custom EDL IPv4 list from a text file as you mentioned.
