07-01-2014 04:05 AM
I am running PAN-OS 6.0.3. I have a decryption rule that works perfectly most of the time. However, I realized that in some specific situations it silently blocks the traffic. As I am quite new to Palo Alto, I do not know if I am misunderstanding something or if I have found a bug.
Here follows the exact description:
1) Global rule decrypting all traffic going to the internet: working perfectly, as shown by the CLI or in the traffic log
2) If I try to use the Snapchat application on Android, the app does not work and fails with a 'connection error'. Removing the decryption rule makes it work.
3) Same issue using the Dropbox application on an iPad. It should be noted that accessing the Dropbox website works with the decryption.
Starting from there, I can only imagine that either
- the version of the TLS protocol used is not supported by PAN-OS 6.0.3, but how to confirm this?
- there is a bug in PAN-OS 6.0.3
- the certificates shown for the decryption (created by the firewall) are rejected for some reason by the application, but how to confirm this?
As a temporary solution, I created a custom URL category with the IP address of the Snapchat website (not tested on Dropbox). I then use this URL category in a no-decrypt rule. This avoids the issue (but removes the benefit of the decryption). It is not perfect, as sometimes I need to restart the app several times before the traffic is identified in the correct URL category.
Although this is affecting Dropbox and Snapchat, I am quite afraid to find more business applications affected by the same issue.
Your thoughts will be greatly appreciated.
Michel
07-01-2014 07:38 AM
Hello Michel.
The issue can be resolved with a decryption profile; however, there might be other ways to do it.
It is possible to configure a decryption profile with various options. One of them is that if the firewall is not able to decrypt the traffic, it can pass it through encrypted.
Regards,
Hardik Shah
07-01-2014 10:01 AM
Hi,
As you know, many applications cannot be decrypted by the Palo Alto (and globally).
Please refer to https://live.paloaltonetworks.com/message/27941#27941
It seems this list is not really... complete.
Hope this helps.
V.
07-02-2014 01:10 AM
Thanks to both of you.
Michel
07-02-2014 02:29 AM
Hello Michel,
There are some applications that do not play nice when decryption is turned on on the PA firewall. Here is a document with a list of the applications we have already identified that should be excluded from decryption: List of Applications Excluded from SSL Decryption
Thanks
07-02-2014 02:48 AM
Hello Hulk,
I had already found that list thanks to the links in the previous posts. It just makes me a little bit more confused. E.g. ms-update is considered as having issues... I do not have any with that application. Is it due to the 6.0.3 version, given the fact that 6.0.3 supports a more recent TLS version? It could be...
Michel
07-02-2014 02:57 AM
Hello Michel,
A packet capture would give you more insight into the SSL handshake.
Thanks
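Following up on the packet-capture suggestion above, here is an added Python example (not from the original thread and not Palo Alto Networks code) that reads both directions of a captured TLS handshake and tells the two suspected failure modes apart: a handshake the decrypting side refuses at the protocol-version level, versus a client that sends a fatal certificate alert right after seeing the firewall-issued certificate, which is what an app that validates only its own pinned certificate looks like on the wire. The byte streams, hostnames and the placeholder certificate are constructed inline so the script runs offline; in practice you would feed it the reassembled TCP payload of each direction exported from the capture.

```python
"""Classify how a captured TLS handshake ended (unsupported version vs.
client rejecting the presented certificate vs. completed).

All sample traffic below is CONSTRUCTED for the example; hostnames and the
certificate placeholder are assumptions, not data from a real capture.
"""
import struct

HANDSHAKE, ALERT, CHANGE_CIPHER_SPEC = 22, 21, 20          # record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11          # handshake message types
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
               70: "protocol_version", 71: "insufficient_security"}
CERT_ALERTS = {42, 43, 45, 46, 48}                          # alerts about the peer's certificate
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_records(stream):
    """Split one direction of a TCP stream into (content_type, version, payload) records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break                                           # truncated at end of capture
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def parse_handshakes(payload):
    """Split a handshake record into (msg_type, body) messages."""
    msgs, off = [], 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        msgs.append((payload[off], payload[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs


def parse_client_hello(body):
    """Return the version the client offered and its SNI (server_name extension, type 0)."""
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                            # version + random
    off += 1 + body[off]                                    # session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher suites
    off += 1 + body[off]                                    # compression methods
    sni = None
    if off + 2 <= len(body):
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            edata = body[off + 4:off + 4 + elen]
            if etype == 0:                                  # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            off += 4 + elen
    return {"version": VERSION_NAMES.get(version, hex(version)), "sni": sni}


def diagnose(client_to_server, server_to_client):
    """Explain the outcome of one TLS session from both directions of its stream."""
    result = {"client_hello": None, "server_version": None, "verdict": "incomplete"}
    c_recs, s_recs = parse_records(client_to_server), parse_records(server_to_client)
    for ctype, _, payload in c_recs:                        # 1. what the client offered
        if ctype == HANDSHAKE:
            for mtype, body in parse_handshakes(payload):
                if mtype == CLIENT_HELLO:
                    result["client_hello"] = parse_client_hello(body)
    server_sent_cert = False                                # 2. how the (decrypting) server answered
    for ctype, _, payload in s_recs:
        if ctype == HANDSHAKE:
            for mtype, body in parse_handshakes(payload):
                if mtype == SERVER_HELLO:
                    result["server_version"] = VERSION_NAMES.get(struct.unpack("!H", body[:2])[0])
                elif mtype == CERTIFICATE:
                    server_sent_cert = True
        elif ctype == ALERT and len(payload) >= 2 and payload[0] == 2:   # level 2 = fatal
            result["verdict"] = "server_fatal_alert:" + ALERT_NAMES.get(payload[1], str(payload[1]))
            return result
    for ctype, _, payload in c_recs:                        # 3. how the client reacted
        if ctype == ALERT and len(payload) >= 2 and payload[0] == 2:
            name = ALERT_NAMES.get(payload[1], str(payload[1]))
            kind = "client_rejected_certificate:" if server_sent_cert and payload[1] in CERT_ALERTS \
                else "client_fatal_alert:"
            result["verdict"] = kind + name
            return result
        if ctype == CHANGE_CIPHER_SPEC:
            result["verdict"] = "handshake_completed"
    return result


# --- constructed sample traffic (builders only exist to make the example self-contained) ---
def _record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body

def _handshake(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _client_hello(version, sni):
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body), 0x0301)

def _server_hello_and_cert():
    sh = struct.pack("!H", 0x0303) + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    cert = b"\x00\x00\x05\x00\x00\x02\x30\x00"              # placeholder list, not a real certificate
    return _record(HANDSHAKE, _handshake(SERVER_HELLO, sh) + _handshake(CERTIFICATE, cert))

# Pinned app: offers TLS 1.2, sees the firewall's certificate, aborts with fatal unknown_ca (48).
PINNED_APP_C2S = _client_hello(0x0303, "api.example.com") + _record(ALERT, bytes([2, 48]))
PINNED_APP_S2C = _server_hello_and_cert()
# Browser trusting the firewall CA: proceeds to ChangeCipherSpec.
BROWSER_C2S = _client_hello(0x0303, "www.example.com") + _record(CHANGE_CIPHER_SPEC, b"\x01")
BROWSER_S2C = _server_hello_and_cert()
# Version refused by the server side: fatal protocol_version (70) and nothing else.
OLD_VERSION_C2S = _client_hello(0x0300, "legacy.example.com")
OLD_VERSION_S2C = _record(ALERT, bytes([2, 70]), 0x0300)

if __name__ == "__main__":
    for label, c2s, s2c in [("pinned app", PINNED_APP_C2S, PINNED_APP_S2C),
                            ("browser", BROWSER_C2S, BROWSER_S2C),
                            ("old version", OLD_VERSION_C2S, OLD_VERSION_S2C)]:
        print(label, diagnose(c2s, s2c))
```

Reading the verdict: a `client_rejected_certificate:*` result with a fatal alert arriving straight after the firewall's Certificate message points at the third hypothesis in the original post (the app refuses the firewall-generated certificate), so the fix is an exclusion from decryption rather than a protocol setting; a `server_fatal_alert:protocol_version` result, together with the offered version in `client_hello`, confirms the first hypothesis instead. The SNI field is also the hostname you would put in a no-decrypt rule, which is more stable than the IP address used in the temporary workaround.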