Decryption Breaks Palo Alto Dynamic Updates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Decryption Breaks Palo Alto Dynamic Updates

L3 Networker

I'm having an issue where my Decryption policy is breaking my Palo Alto Dynamic Updates.  When I turn on decryption, and then attempt to download an Antivirus, Applications and Threats, or Wildfire update, I'm given the message "Invalid content image, Failed to download file". 

 

When I turn decryption off, the updates work perfectly.   This seems odd to me because SSL Decryption Exclusion already has predefined exclusions for these Palo Alto services, such as wildfire, etc. 

 

Otherwise, my decryption policy is working as expected and doing its job.  

 

I'm reading through the PAN OS Admin Guide documentation, as I'm new to PA and this is my first NGF setup.  Any suggestions on how to fix this would be much appreciated!

 

Thanks!

 

Randy

1 accepted solution

Accepted Solutions

I was able to fix the issue using SSL Decryption Exclusions!  The necessary FQDN's to exclude I found here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljDCAS

I just copied and added everything listed as per the screenshot attached below.

 

Now downloads work perfectly, with decryption turned on!

 

Thanks everyone for your input!

 

Randy

Screen Shot 2021-04-28 at 12.04.19 PM.png

 

 

View solution in original post

7 REPLIES 7

Hi @pomologist ,

Have you tried to disable "Verify update server identity" under Device > Setup > Services?

I know it is not good idea to disable this, but you can try to see if you disable it for a moment, can you get updates.

In my FW I don't see default decrtyption exception for "updates.paloaltonetworks.com". You can try to add decryption exclusion for this FQDN and enable the verification again. It is possible that you will need to add aditional exceptions, but I am really not sure.

L1 Bithead

With decryption enabled, I would hit the "Check Now" link to refresh the cache.  As @aleksandar.astardzhiev mentioned, you'll need to uncheck the "Verify update server identity" since the firewall uses cert pinning and will throw an "Unknown CA" error once the firewall-signed cert comes in, and usually results in a communcation error.  Really, it's better to just bypass decryption for Palo updates and keep the verify the server box checked.  

 

This problem usually causes a unknown communication error versus the invalid content image error.

Hello,

Some things dont/cant be decrypted without breaking. Put in a no decrypt policy prior to your decrypt one for these updates.

 

OtakarKlier_1-1619629972005.png

Regards,

L3 Networker

Thanks for your helpful replies!

 

I tried updating to PANOS 10 thinking that could possibly help, but it didn’t change anything. 

 

Good catch, updates.paloaltonetworks.com, was not in the default decryption exclusions list.  I added it, committed, ran a “check now”, and attempted to download latest update, but still error out.  The error I’m getting now is different upon upgrading to PANOS 10, it simply says “Failed to download file”. 

 

I even unchecked “Verify Update Server Identity”, committed, ran a “check now”, and still get the same error as above (!?).

 

The only thing that fixes the issue is if I don’t decrypt my management zone, where I’m using a data port as management interface, with applicable service routes configured.  When that zone is NOT decrypted, updates are fine.  When I decrypt it, updates don’t work. 

 

How do most people handle this? You mentioned its best just to bypass decryption for Palo updates, which is what I want to do.  But the manual says that for sites that break decryption, the proper place to do it is SSL Decryption Exclusion.  Are there any other FQDN's that people are excluding there to make this work?  I could also try a decryption policy exclusion, but manual says that's only for sites you don't want to decrypt, not those which break decryption. Not sure why they make a difference between them. 

Thanks OtakarKlier, I was thinking about that very thing, only hesitating because my understanding of the manual was the this should be done in SSL Decryption Exclusion (sites the break decryption) rather than a Decryption Policy (sites you don't want to encrypt). I'm too new to understand why they make this distinction.  Or maybe I simply misunderstood their recommendation.

 

Anyway, if the Policy is the way to go, no problem!  Could you post a photo of the rest of the other side of that policy or let me know what settings you use to exclude the PA updates server? I don't see any URL Category/Service.

 

Thanks!

Hello,

What I did was create an object group for all the IP of my PAN's that use any of the service paths, etc. Since I trust the PAN's, the rest of the policy is any/any. You could list just the paloalto update URL's and services, lots of different ways to go about it.

Regards,

I was able to fix the issue using SSL Decryption Exclusions!  The necessary FQDN's to exclude I found here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljDCAS

I just copied and added everything listed as per the screenshot attached below.

 

Now downloads work perfectly, with decryption turned on!

 

Thanks everyone for your input!

 

Randy

Screen Shot 2021-04-28 at 12.04.19 PM.png

 

 

  • 1 accepted solution
  • 5495 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!