Decryption rule blocking traffic silently

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Decryption rule blocking traffic silently

L1 Bithead

I am running PanOS 6.0.3. I have a decryption rule that perfectly works most of the time. However I realized that in some specific situation it silently blocks the traffic. As I am quite new on Palo Alto, I do not know if I am misunderstanding something or if I found a bug.

Here follows the exact description:

1) Global rule decryption all traffic going to internet: working perfectly as shown by cli or in the traffic log

2) if I try to use the snapchat application on android, the app does not work and failed with a 'connection error'. Removing the decryption rule, make it working

3) Same issue using dropbox application on an iPad. It should be noted that accessing the dropbox website works with the decryption.

Starting from there, I can only imagine that either

- the version of TLS protocol used is not supported by PANOS 6.0.3, but how to confirm this?

- there is a bug in the PANOS 6.0.3

- the certificates shown for the decryption (created by the firewall) are rejected for some reason by the application, but how to confirm this.

As a temporary solution, I created a custom URL category with the IP address of the snapchat website (not tested on dropbox). I than use this URL category in a no decrypt rule.This avoid the issue (but remove the benefit of the decryption). It is not perfect as sometimes I need to restart several times the app before the traffic is identified in the correct URL category.

Although, this is affecting dropbox and snapchat, I am quite afradi to find more business applications affected by the same issue.

Your thoughts will be greatly appreciated.

Michel

6 REPLIES 6

L6 Presenter

Hello Michael.

Issue can be resolved with decryption profile, however there might be other ways to do it.

Its possible to configure decryption profile with various option. one of them is if firewall is not able to decrypt traffic than it can pass it encrypted.

Regards,

Hardik Shah

L5 Sessionator

Hi,

As you know many application are not able to be decrypted by the palo (and globally).

Please refer to https://live.paloaltonetworks.com/message/27941#27941

Seem this list is not really .... complete

Hope help

V.

L1 Bithead

Thanks to both of you.

Michel

Hello Michel,

There are some applications that do not play nice when decryption is turned on, on the PA firewall. Here is a document with a list of the applications we've already identified that should be excluded from decryption: List of Applications Excluded from SSL Decryption

Thanks

L1 Bithead

Hello Hulk,

I did already found that list thanks to the links inside the previous posts. It just makes me a little bit more confused. E;g. ms-update is considered as having issues...I do not have any with that applications. Is it due to the 6.0.3 version? given the fact that 6.0.3 is supporting more recent TLS version. It could be...

Michel

Hello Michel,

A packet capture would give you more insight about the SSL handshake.

Thanks

  • 3616 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!