Can't access dropbox website .PAN does SSL inspection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Can't access dropbox website .PAN does SSL inspection

Traffic traverse  as below

 

PC(attempting to access dropbox website >Web proxy that does ssl inspection>palo alto  firewall that does ssl inspection and forward drop box traffic to>web proxy that does ssl inspection> drop box website.

 

Symptom: I get dropbox home page but it just hangs at home page and I can't go any further

 

Dropbox access works when I disable ssl inspection on palo alto firewall..

Can someone please help and advice What changes might be needed on my PAN firewall to get things working

Where exactly on panw I should be looking at  and what logging on panw firewall can help me identfy what is going on here?

 

Note:

1)SSL inspection is a must on my proxy and firewall

2)I am not worried about ssl pinned dropbox thick client but need access to dropbox website

3)Other https website I tested just works fine!!

7 REPLIES 7

Hi @dropboxintegration

 

Which dropbox App-ID signature are you using in your security rule? Also, which URL Category do you have configured in your SSL inspection rule?

 

 

L7 Applicator

Hi @dropboxintegration

 

In addition to @acc6d0b3610eec313831f7900fdbd235's questions, what url categories do you allow? Because dropbox also loads some third party content when you open the website ( https://urlscan.io/result/708a0d7a-6695-4d13-8618-c078dc4d7f94#summary ). It could be if some additional ressources are blocked that the site does nor work properly. (I see a similar behaviour when I connect to dropbox with local adblockers enabled).

 

Regards,

Remo

 

PS: Do you really decrypt-encrypt-decrypt-encrypt-decrypt-encrypt (3 times tls decryption) all the encrypted sessions?

Thanks @ Willian @1vsys_remo!
Good question
 Which dropbox App-ID signature are you using in your security rule?
>I am on proxy side and do not have access to PAN so checking with firewall admins and will post.Is there a specific App-id signature we should be using in PAN for dropbox policy.Looks like PAN OS maintain a list of application in default no-decrypt list and dropbox isn't there in the list.

https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-D...

Are there any special setup required on PAN when we  decrypt dropbox app.
Can dropbox app reliably work when pan decrypt traffic(my proxy can perfectly crack browser based dropbox- exception is ssl pinned dropbox thick client which is expected)
 
Also, which URL Category do you have configured in your SSL inspection rule?
> not sure .I think there is custom  URL category configured on PAN with decryption policy that include the domain  *.dropbox.com
 
@1vsys_remo
Do you really decrypt-encrypt-decrypt-encrypt-decrypt-encrypt (3 times tls decryption) all the encrypted sessions?
No we don't for all encrypted traffic but dropbox has to go through this:)..

Hi @dropboxintegration

Below is an example of the security policy and decryption policy I have running on my lab.

 

In terms of the URL filtering, you can use either approach.

1. You can allow or alert on the online-storage-and-backup category; however, if you have tight restrictions on users accessing online storage websites, then the next option is the most viable.

2. You can include the wildcard *.dropbox.com into the "Allow List" in the URL filtering profile. With this configuration, even if the online-storage-and-backup category is blocked, the Allow list is evaluated before the other categories.

 

3. The third option is the one you mentioned where, you can create a custom URL filtering category, by basicaly doing the same thing as option 2 and specifying the dropbox wildcard domain.

 

 

In my example below, I am allowing the entire category, but just because it is a Lab. As for the App-ID I am allowing the entire dropbox App-ID tree. Remember, that firewall has different sub-applications serving different purposes. Dropbox App-ID is the parent application, hence everything else under that will be allowed in this policy.

Security Policy:

Screen Shot 2017-06-25 at 10.32.14 AM.png

 

In my decryption policy, I am also keeping it simple, and decrypting everything except for Financial and health care.

Decryption PolicyScreen Shot 2017-06-25 at 10.33.35 AM.png

 

 

 

 

 

 

 

If William's post doesnt work, I would highly recommend using the dev tools in Chome which can let you know what resources arent getting through.  We recently opened up Box and there were some backend CDNs that we had to whitelist to get it to work.  Sometimes there are some JS files running on a CDN where if they dont load it hangs the page, which might be your issue.

 

Worst comes to worst, looking at a packet capture on both your local system and on the Palo to see if packets are being sent out of order or if things are getting caught up.

Thanks Willian and ithomas@lb.com!!

We narrowed down the issue to specific version of IE 11.0.9600 that seems to be messing up dropbox traffic. This works fine with chrome!
May be the har capture from IE or tcpdump from local system would give us some clue why it’s failing.. Any thoughts?

Moving to Chrome does seem to fix a lot of issues, which would make me think that its an issue with the browser and not your network gear.

 

With Internet Exploder open, hit F12.  In that window bring up the Console tab.  From there you can load the dropbox page and it should let you know the errors that are happening on the back end.  It is possible that a JS file is getting blocked that is specific to IE, or in the event of it auto forwarding, that the HTTP 302 is getting lost somewhere due to being decrypted multiple times.

 

One way to test would be to bypass decrpytion on one appliance for that website (or a username if possible), see if it resolves the issue, if not disable decrypt the other appliance, see if that resolves.  If neither of those resolve the issue, disable on both devices and see if the issue resolves itself.  

  • 4497 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!