04-27-2021 09:29 AM
I'm having an issue where my Decryption policy is breaking my Palo Alto Dynamic Updates. When I turn on decryption, and then attempt to download an Antivirus, Applications and Threats, or Wildfire update, I'm given the message "Invalid content image, Failed to download file".
When I turn decryption off, the updates work perfectly. This seems odd to me because SSL Decryption Exclusion already has predefined exclusions for these Palo Alto services, such as wildfire, etc.
Otherwise, my decryption policy is working as expected and doing its job.
I'm reading through the PAN OS Admin Guide documentation, as I'm new to PA and this is my first NGF setup. Any suggestions on how to fix this would be much appreciated!
Thanks!
Randy
04-28-2021 12:22 AM - edited 04-28-2021 12:23 AM
Hi @pomologist ,
Have you tried to disable "Verify update server identity" under Device > Setup > Services?
I know it is not a good idea to disable this, but you can try disabling it for a moment to see whether you can get updates.
In my FW I don't see a default decryption exception for "updates.paloaltonetworks.com". You can try to add a decryption exclusion for this FQDN and enable the verification again. It is possible that you will need to add additional exceptions, but I am really not sure.
04-28-2021 06:18 AM
With decryption enabled, I would hit the "Check Now" link to refresh the cache. As @aleksandar.astardzhiev mentioned, you'll need to uncheck the "Verify update server identity" since the firewall uses cert pinning and will throw an "Unknown CA" error once the firewall-signed cert comes in, which usually results in a communication error. Really, it's better to just bypass decryption for Palo updates and keep the "verify the server" box checked.
This problem usually causes an unknown communication error versus the invalid content image error.
04-28-2021 10:13 AM
Hello,
Some things don't/can't be decrypted without breaking. Put in a no-decrypt policy prior to your decrypt one for these updates.
Regards,
04-28-2021 10:23 AM - edited 04-28-2021 10:28 AM
Thanks for your helpful replies!
I tried updating to PANOS 10 thinking that could possibly help, but it didn’t change anything.
Good catch, updates.paloaltonetworks.com was not in the default decryption exclusions list. I added it, committed, ran a "check now", and attempted to download the latest update, but it still errors out. The error I'm getting now is different upon upgrading to PANOS 10; it simply says "Failed to download file".
I even unchecked "Verify Update Server Identity", committed, ran a "check now", and still get the same error as above (!?).
The only thing that fixes the issue is if I don't decrypt my management zone, where I'm using a data port as the management interface, with applicable service routes configured. When that zone is NOT decrypted, updates are fine. When I decrypt it, updates don't work.
How do most people handle this? You mentioned it's best just to bypass decryption for Palo updates, which is what I want to do. But the manual says that for sites that break decryption, the proper place to do it is SSL Decryption Exclusion. Are there any other FQDNs that people are excluding there to make this work? I could also try a decryption policy exclusion, but the manual says that's only for sites you don't want to decrypt, not those which break decryption. Not sure why they make a difference between them.
04-28-2021 10:39 AM - edited 04-28-2021 10:41 AM
Thanks OtakarKlier, I was thinking about that very thing, only hesitating because my understanding of the manual was that this should be done in SSL Decryption Exclusion (sites that break decryption) rather than a Decryption Policy (sites you don't want to encrypt). I'm too new to understand why they make this distinction. Or maybe I simply misunderstood their recommendation.
Anyway, if the Policy is the way to go, no problem! Could you post a photo of the other side of that policy, or let me know what settings you use to exclude the PA updates server? I don't see any URL Category/Service.
Thanks!
04-28-2021 10:45 AM
Hello,
What I did was create an object group for all the IPs of my PANs that use any of the service paths, etc. Since I trust the PANs, the rest of the policy is any/any. You could list just the Palo Alto update URLs and services; lots of different ways to go about it.
Regards,
04-28-2021 12:06 PM
I was able to fix the issue using SSL Decryption Exclusions! The necessary FQDNs to exclude I found here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljDCAS
I just copied and added everything listed as per the screenshot attached below.
Now downloads work perfectly, with decryption turned on!
Thanks everyone for your input!
Randy
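The thread offers two fixes for the same problem: adding the update server FQDNs to the global SSL Decryption Exclusion list, or placing a no-decrypt policy rule ahead of the decrypt rule. The toy evaluator below is an added illustration (not Palo Alto code, not anything posted by the participants) of why both work and why rule order matters for the second one. It assumes the exclusion list is consulted before the policy rulebase, that rules match first-hit top to bottom, and that traffic matching no rule is left undecrypted; the predefined exclusion entries, zone names and rule names are constructed for the example and do not reproduce the real list from the KB article.

```python
"""Toy model of a decryption decision: global SSL Decryption Exclusion list
first, then decryption policy rules top to bottom (first match wins).

Constructed example; assumptions about evaluation order are stated in the
lead-in. Hostnames below are illustrative, not the firewall's real list."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-in for the predefined exclusion list. It deliberately
# contains a WildFire host but no entry for the content-update server, which
# is the gap the thread ran into.
PREDEFINED_EXCLUSIONS = ["wildfire.paloaltonetworks.com"]


@dataclass
class DecryptRule:
    name: str
    from_zone: str        # "any" or a zone name
    to_zone: str          # "any" or a zone name
    dest_hosts: list      # hostname patterns; ["any"] matches everything
    action: str           # "decrypt" or "no-decrypt"


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive hostname match; '*' acts as a DNS-style wildcard."""
    return pattern == "any" or fnmatchcase(host.lower(), pattern.lower())


def decide(host, src_zone, dst_zone, rules, custom_exclusions=()):
    """Return (outcome, reason). The exclusion list wins before any rule."""
    for entry in list(PREDEFINED_EXCLUSIONS) + list(custom_exclusions):
        if host_matches(entry, host):
            return "no-decrypt", f"exclusion list entry: {entry}"
    for rule in rules:
        zone_ok = rule.from_zone in ("any", src_zone) and rule.to_zone in ("any", dst_zone)
        if zone_ok and any(host_matches(p, host) for p in rule.dest_hosts):
            return rule.action, f"policy rule: {rule.name}"
    # Assumption: sessions matching no decryption rule are not decrypted.
    return "no-decrypt", "no matching rule"


# Constructed rules: the OP's broad decrypt rule on the management zone, and
# a bypass rule of the kind suggested in the thread.
DECRYPT_ALL = DecryptRule("decrypt-mgmt-outbound", "mgmt", "untrust", ["any"], "decrypt")
BYPASS_UPDATES = DecryptRule("no-decrypt-pan-updates", "mgmt", "untrust",
                             ["*.paloaltonetworks.com"], "no-decrypt")
UPDATE_HOST = "updates.paloaltonetworks.com"


def scenarios():
    """Outcome for the update server under each configuration in the thread."""
    return {
        # Broad decrypt rule alone: the update download is decrypted and breaks.
        "baseline": decide(UPDATE_HOST, "mgmt", "untrust", [DECRYPT_ALL])[0],
        # WildFire is already on the predefined list, so it was never decrypted.
        "wildfire_baseline": decide("wildfire.paloaltonetworks.com", "mgmt", "untrust",
                                    [DECRYPT_ALL])[0],
        # Fix 1: add the FQDN to the SSL Decryption Exclusion list.
        "exclusion_added": decide(UPDATE_HOST, "mgmt", "untrust", [DECRYPT_ALL],
                                  custom_exclusions=[UPDATE_HOST])[0],
        # Fix 2: a no-decrypt rule placed ABOVE the decrypt rule.
        "bypass_rule_first": decide(UPDATE_HOST, "mgmt", "untrust",
                                    [BYPASS_UPDATES, DECRYPT_ALL])[0],
        # Same rule placed BELOW the decrypt rule never gets a chance to match.
        "bypass_rule_after": decide(UPDATE_HOST, "mgmt", "untrust",
                                    [DECRYPT_ALL, BYPASS_UPDATES])[0],
        # A host outside the decrypted zone is untouched either way.
        "other_zone": decide(UPDATE_HOST, "trust", "untrust", [DECRYPT_ALL])[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

The `bypass_rule_after` case is the one to check when a no-decrypt rule "does not work": the rulebase is ordered, and a broad decrypt rule above it shadows it, which is exactly the "prior to your decrypt one" advice in the thread. The exclusion-list fix does not depend on rule order, which is why it is the simpler place for hosts that break under decryption.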