I'm running PA-VM and created with one active rule:
Application: Web Basic Application group (ssl,dns,web-browsing,ping)
SSL Decryption is disabled
I'm facing issues browsing to websites with preconfigured App-ids:
linkedin/soundcloud/batte.net/docs.google.com(any other website specified app-id)
I'm running PA that doesn't have the google-base yet.
"During the SSL encrypted session, the firewall receives server "hello packets", which has the certificate details or the server can send a separate certificate packet. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol."
I ran it in the Lab, and the results were different:
PC ---> TLS Client Hello(server-name=www.linked.com) ---> FW ---> Linkedin (Sent)
Linkedin ---> TLS Server Hello -- FW ----> DROPPED
Application is listed as linkedin-base with action Discard
Certificate from Linkedin is not sent until Linkedin recevices ACK on the TLS Server Hello.
Which i tested on a pc with direct internet access, this contradicts the post from Palo Alto Knowledge Base
I tested HTTP & HTTPS to battle.net
- Dropped and classifed as battle.net in traffic monitor
- HTTP GET is dropped on the firewall side
- Classified as battle.net App-id
- Works succesfully and redirected
- Comman Name in the Certificate provided in Server Certificate is www.battle.net - This should be matched by the app-id engine but is listed as an SSL application
My question is, does it use certificate to match the app-id and/or HTTP Get?
How does the actual matching process work and why doesn't work the same across the board?
Application Version: 497-2688
There are multiple ways that encrypted traffic can still be identified via signatures that don't take into account the CN listed on the certificate. Additionally some app-ids don't take into account the CN of the certificate being exchanged in the handshake at all, and rely strickly on other means.
You are using an extremely outdated, and EOLd, version of PANOS and an extremely outdated content package. The signatures you are using are old enough that I wouldn't expect your traffic to be identifying as the proper app-id anymore with or without decryption.
I upgraded the PA to version 9.0.1.
Now I can the see the added app-id for google-base.
I'm still having the same issue, traffic is being blocked and not using the default web-browsing application.
It's identifying app-id traffic and being discarded, If I add the google-base into the application's inside the rule, it will work.
Is this normal behaviour from PA?
As you mentioed there are multiple means of identifying traffic via signatures.
Can you share any documents that can provide me with ways.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!