Some users started to use the SoftEther VPN client in our company, which allows them to bypass the URL Filtering policy. How can we allow them to use the VPN client but still allow or block access to certain websites? We already implemented an SSL decryption rule, but it is not working when they are using SoftEther VPN.
Hi @kiwi ,
Decryption is working. Based on monitoring logs, when using the VPN client, all traffic is identified as:
IP Protocol: TCP
Hi @nredaj ,
How is decryption working?
If the application is identified as SSL then decryption isn't working.
Note that in some scenarios decryption is impossible ... for example when unsupported protocols or ciphers are used, or with certificate pinning.
Hi @nredaj ,
You might be hitting this, which could explain why a decrypted session is still showing up as SSL:
Have you checked with support already?
Hmm, I think the SSL decryption here will not be as helpful as usual. You will only decrypt the outer wrapper (the actual tunnel); any SSL packets running through the tunnel will not be decrypted, as negotiation for these will have taken place end to end via the tunnel, not the Palo.
I would agree with @MickBall in this case. Decrypting this traffic isn't going to give you much information and won't allow you to actually perform URL Filtering; this is actually the exact reason VPNs are recommended on untrusted networks: the network operator can't decrypt enough of the traffic to actually see anything useful.
I understand that this could be out of Palo Alto's FW scope.
This is a bit frustrating. Configuring a static route on the client side (Windows OS) could have solved this issue, but the website they're accessing is going through a CDN, which causes the IP address to change from time to time. A probable solution may be to work it out with the SoftEther VPN configuration.
Thank you guys for all your inputs.