10-24-2012 04:27 AM
Hi Guys,
I have had an issue arise that seems to be related to Dropbox using Amazon's S3 storage. We have had need to allow certain users access to Dropbox to upload files to clients and between sites with slow connections, and in the beginning I created a rule that allowed access using Dropbox and SSL to the Dropbox netrange they use, which was fine, but now some of the users want to use the Dropbox application, which is causing some problems. I have tried creating a no-decrypt rule for those users to just the Dropbox netrange, but as it tries to synchronise its files with Amazon's servers it is unable to do so.
I know it is the decryption that is causing the problem, as it complains about not being able to make a secure connection, and as a test I enabled one computer to have a no-decrypt rule for all traffic and it then works fine.
So my question is: are there any other people having this same problem with Dropbox? And if so, how do you get around it? Is there a server range for Amazon S3 that you know of that I can put in, or is there some way to set a no-decrypt rule just for this traffic?
I know there are problems with PA recognising the signature for Dropbox, as it is dynamic and gets recognised as SSL, but if I had a server netrange to limit it to then I wouldn't mind as much just allowing all SSL traffic from those people's computers to a specific range.
10-24-2012 09:10 AM
Hi James
I stumbled over this a while ago as well.
The problem is that the client, while using standard http/https, keeps its own certificate database, i.e. it does not use the system-wide one where you might have the forward-trust CA installed.
That's why it fails to connect when using the client, but works fine when using the browser.
There is no official and always updated list of IP addresses from Dropbox. There are some in the Java source code (here: https://bitbucket.org/dkocher/dropbox-client-java/src/100b8c7d183b/src/main/java/com/dropbox/client ...
but it seems that this is quite old.
The easiest way would be:
make a feature request at Dropbox so they either use the system-wide certificate store or allow us to add CAs
or
make a feature request at PAN to develop a special app for the client: http://www.paloaltonetworks.com/researchcenter/tools/
If you find another way, please let us know
Andre
10-25-2012 02:02 AM
Hi Andre,
Thanks for that info. Although, strangely, I have only noticed this issue since updating to 4.1.8 on my PA box. I actually did have 2 users who were until recently using the Dropbox application without any issues. It is only since upgrading to 4.1.8 from 4.1.6 that we have noticed this issue.
Is there anything in the update that anyone knows about that would affect this?
Or is it more a case of changes on Dropbox's side of things that have caused the problem with the PA boxes?
10-28-2012 12:23 AM
I'm not sure in which version they have changed it, but *.dropbox has been in the exclude list for SSL decryption. They took that out recently, so you have to bring it back into the exclude list in order to get the Dropbox client running when using SSL decryption:
set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"
I sent a feature request to Dropbox to either
Support has replied that they'll forward to development.
10-28-2012 11:29 AM
By the way how is that "ssl-exclude-cert" handled when you set a decryption rule to always decrypt everything (and block stuff that cannot be decrypted)?
I strongly dislike equipment doing something hidden which isn't visible in the ruleset.
10-28-2012 03:05 PM
Good question. I believe that list has priority over whatever you configure.
mikand wrote:
By the way how is that "ssl-exclude-cert" handled when you set a decryption rule to always decrypt everything (and block stuff that cannot be decrypted)?
I strongly dislike equipment doing something hidden which isn't visible in the ruleset.
I totally agree with you, but then the even worse thing is that it seems to be impossible to get that "excluded by default" list. Even if you add something, the config only shows what you have added, not what's in the list by default.
I found the following list, but it's quite old (as of 2010) and Palo Alto seems not to publish a new one.
---cut---
<entry name="kdc.uas.aol.com"/> <!--aim-->
<entry name="bos.oscar.aol.com"/> <!--aim-->
<entry name="*.agni.lindenlab.com"/> <!--second life-->
<entry name="*.vedivi.com"/> <!--wallcooler-->
<entry name="update.microsoft.com"/> <!--microsoft update-->
<entry name="www.update.microsoft.com"/> <!--microsoft update-->
<entry name="Yuuguu.com"/> <!--yuguu-->
<entry name="yuuguu.com"/> <!--yuguu-->
<entry name="*.PacketiX VPN"/> <!--packetix-->
<entry name="*.SoftEther VPN"/> <!--packetix-->
<entry name="*.softether.com"/> <!--packetix-->
<entry name="neptune.tpncs.simplifymedia.net"/> <!--simplify media-->
<entry name="nemesis.tpncs.simplifymedia.net"/> <!--simplify media-->
<entry name="nike.tpncs.simplifymedia.net"/> <!--simplify media-->
<entry name="nyx.tpncs.simplifymedia.net"/> <!--simplify media-->
<entry name="tpnxmpp.simplifymedia.net"/> <!--simplify media-->
<entry name="*.table14.fr"/> <!--winamax-->
<entry name="*.gotomeeting.com"/> <!--gotomeeting-->
<entry name="www1.gotomeeting.com"/> <!--gotomeeting-->
<entry name="www2.gotomeeting.com"/> <!--gotomeeting-->
<entry name="www3.gotomeeting.com"/> <!--gotomeeting-->
<entry name="www4.gotomeeting.com"/> <!--gotomeeting-->
<entry name="mcs1las.live.citrixonline.com"/> <!--gotomeeting-->
<entry name="mcs1sjc.live.citrixonline.com"/> <!--gotomeeting-->
<entry name="*.mozilla.org"/> <!--mozilla-->
<entry name="*.addons.mozilla.org"/> <!--mozilla-->
<entry name="lr.live.net"/> <!--live-mesh-->
<entry name="anywhere2.telus.com"/> <!--call anywhere-->
<entry name="accounts.mesh.com"/> <!--live-mesh-->
<entry name="storage.mesh.com"/> <!--live-mesh-->
<entry name="*.sharpcast.com"/> <!--sugarsync-->
<entry name="auth2.triongames.com"/> <!--rift-->
<entry name="*.zumodrive.com"/> <!--zubodrive-->
</ssl-exclude-cert>
--- cut ----
Andre
10-28-2012 03:09 PM
A current list seems to exist at
https://live.paloaltonetworks.com/docs/DOC-1423 and was last updated 29th May 2012.
10-28-2012 03:16 PM
Just checked and it's the same; maybe it was my mistake, I hadn't seen that it has been updated, I just took the creation date, which is 2010.
10-30-2012 04:34 AM
Thanks for the input there guys.
Great tip there on adding *.dropbox.com back to the exclude list, Andre. I think that might have sorted us. In fact I have just checked a few users' PCs and the application is not only making the connection but synchronizing quite happily.
In total agreement with both of you; I hate it when companies include "features" in their products but then neglect to tell you where to change them or allow you to view them.
07-08-2013 06:19 AM
Little question for my understanding regarding the following CLI command:
set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"
How will the PA firewall make use of the URL "*.dropbox.com" in this case? Will it
- examine the SSL certificates presented by the servers (e.g. the Dropbox server sends an SSL server cert with "server01.dropbox.com" in the Subject or SAN field)?
- do a reverse lookup on the IP address and check the RDNS returned for a match?
- examine the HTTP GET command sent by the client? In that case the faked cert has already been presented to the client...
07-08-2013 11:21 PM
Since the SSL is not decrypted, the PA cannot investigate the HTTP GET command, and as far as I know the PA never performs RDNS to verify servers (only CRL/OCSP checks of the cert are performed if you have this enabled).
Which means, if you run this exclude-cert thingy, then the PA will look at the (I think it was) CN part of the cert, and if that matches your exclude list then the traffic will not be terminated/inspected.
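The CN/SAN matching described in this reply, together with the XML exclude list Andre pasted earlier in the thread, as an added example that is not from the thread or from Palo Alto Networks: a Python check that parses an ssl-exclude-cert block and reports which entry would match a server certificate's CN or DNS SANs. The single-label wildcard rule and case-insensitive comparison are my assumptions, not confirmed PAN-OS behaviour, and the sample XML and certificate are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the exclude list quoted in the thread,
# wrapped in the opening tag the paste lacks, with the *.dropbox.com entry added.
EXCLUDE_XML = """<ssl-exclude-cert>
  <entry name="*.dropbox.com"/>
  <entry name="update.microsoft.com"/>
  <entry name="*.gotomeeting.com"/>
  <entry name="Yuuguu.com"/>
</ssl-exclude-cert>"""

def load_exclude_list(xml_text):
    """Return the name attribute of every <entry> in an ssl-exclude-cert block."""
    root = ET.fromstring(xml_text)
    return [e.attrib["name"] for e in root.iter("entry")]

def name_matches(pattern, hostname):
    """Match one exclude entry against one certificate name.

    Assumption (not confirmed for PAN-OS): a leading '*.' matches exactly one
    DNS label, as in RFC 6125, and comparison is case-insensitive like DNS.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".dropbox.com"
        return (hostname.endswith(suffix)
                and "." not in hostname[: -len(suffix)])   # one label only
    return pattern == hostname

def cert_names(peercert):
    """Collect the CN and DNS SANs from the dict shape ssl.SSLSocket.getpeercert() returns."""
    names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    return names

def matching_entry(exclude_list, peercert):
    """Return the first exclude entry matching any name in the cert, else None."""
    for name in cert_names(peercert):
        for pattern in exclude_list:
            if name_matches(pattern, name):
                return pattern
    return None

# Constructed certificate, mimicking the shape of a getpeercert() result.
SAMPLE_CERT = {
    "subject": ((("commonName", "server01.dropbox.com"),),),
    "subjectAltName": (("DNS", "server01.dropbox.com"), ("DNS", "*.dropboxstatic.com")),
}

if __name__ == "__main__":
    print(matching_entry(load_exclude_list(EXCLUDE_XML), SAMPLE_CERT))  # *.dropbox.com
```

Note that under the single-label rule "*.dropbox.com" matches neither "dropbox.com" itself nor a deeper name such as "a.b.dropbox.com", so a cert for the Amazon S3 endpoints would still be decrypted unless its own names are added.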
07-09-2013 12:00 AM
Thank you for the clarification.
So far we had a Decryption Policy set for Dropbox. Now that we tripped over that handy CLI command, am I correct that Decryption Policy is of no use now and we can delete it?