dropbox - ssl decryption

L4 Transporter

dropbox - ssl decryption

Hey all,

I am using Dropbox on my PC and SSL decryption has been enabled on my Palo Alto. I added my PA root cert to my trusted certificates on my computer and am not getting any complaints from my browser when surfing to https websites.

However, my Dropbox application is complaining that it cannot make a secure connection to the internet.

And yes, I have internet connectivity :-)

I've tried creating a custom URL category containing dropbox.com and *.dropbox.com, but this did not resolve the problem.

When checking the monitor, I see some traffic identified as dropbox, but going to random public IP addresses (as expected for a CDN).

I found a post stating that Dropbox cannot be decrypted. If this is the case, sad but no problem, but how can I exclude it?

Kind regards,

Bob


Accepted Solutions
L5 Sessionator

Re: dropbox - ssl decryption

Hello Bob,

You can use the following command to exclude individual URLs.

# set shared ssl-decrypt ssl-exclude-cert <value>

In your case it would be:

# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"

# commit

The result will create an exclude rule for a single URL. After adding the exclusion rule you may need to refresh your browser to have it recognize the actual server certificate, as opposed to the self-signed cert from the Palo Alto Networks device.

Verification can be done using the following command:

admin@88-PA-VM# show shared ssl-decrypt
ssl-decrypt {
  ssl-exclude-cert *.dropbox.com;
  trusted-root-CA;
}

Let me know if that helps!

Thanks and regards,

Kunal Adak


All Replies
L4 Transporter

Re: dropbox - ssl decryption

Thanks, I'm able to connect now

L6 Presenter

Re: dropbox - ssl decryption

Note however that this means that all Dropbox traffic will bypass without being inspected or logged, which will introduce a huge security hole in your infrastructure.

If I'm not mistaken you could use the web client instead (that is, through a web browser) and have your PA device inspect the traffic securely (including threats, DLP, logging etc.).

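The exclusion command in the accepted answer and the bypass warning in the reply above both come down to one question: which host names end up outside decryption, and does the certificate issuer the client sees agree with that? Below is an added example (not Palo Alto Networks code) that parses the `show shared ssl-decrypt` output quoted in the thread and audits a constructed set of observed sessions against it; the forward-trust CA name, the hostnames and the issuer strings are constructed, and the wildcard semantics (one leftmost label) are an assumption, not a statement about how PAN-OS itself matches.

```python
"""Audit PAN-OS ssl-exclude-cert entries against what clients actually see.
Added example, not Palo Alto Networks code: it parses the `show shared
ssl-decrypt` output quoted in the thread and compares it with constructed
observations of TLS sessions (SNI plus the issuer CN the client saw)."""
import re

# Assumed CN of the firewall's forward-trust CA (the cert the OP imported).
FIREWALL_CA_CN = "PA-Forward-Trust-CA"

def parse_exclusions(show_output):
    """Return the ssl-exclude-cert patterns found in `show shared ssl-decrypt` text."""
    return re.findall(r"ssl-exclude-cert\s+([^\s;]+);", show_output)

def name_matches(pattern, host):
    """Certificate-style wildcard matching (assumption about PAN-OS semantics):
    '*' covers exactly one leftmost label, so '*.dropbox.com' matches
    'www.dropbox.com' but neither 'dropbox.com' nor 'a.b.dropbox.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == host

def audit(sessions, exclusions):
    """For each (sni, issuer_cn) decide whether the host should bypass decryption
    and whether the issuer the client saw agrees. Returns (sni, expected, observed, ok)."""
    report = []
    for sni, issuer in sessions:
        expected = "bypass" if any(name_matches(p, sni) for p in exclusions) else "decrypt"
        observed = "decrypt" if issuer == FIREWALL_CA_CN else "bypass"
        report.append((sni, expected, observed, expected == observed))
    return report

# Constructed `show shared ssl-decrypt` output, matching the thread.
SHOW_OUTPUT = "ssl-decrypt {\n  ssl-exclude-cert *.dropbox.com;\n  trusted-root-CA;\n}\n"

# Constructed observations: SNI and the issuer CN seen on the client side.
SESSIONS = [
    ("www.dropbox.com", "Public-CA-Example"),   # bypassed, as intended
    ("dropbox.com", FIREWALL_CA_CN),            # apex is not covered by *.dropbox.com
    ("client.dropbox.com", FIREWALL_CA_CN),     # should bypass but is still decrypted
    ("content.example.net", FIREWALL_CA_CN),    # CDN-style host, decrypted as intended
]

if __name__ == "__main__":
    for sni, expected, observed, ok in audit(SESSIONS, parse_exclusions(SHOW_OUTPUT)):
        print(sni, "expected", expected, "observed", observed, "OK" if ok else "MISMATCH")
```

A MISMATCH row in the "should bypass" direction is what the intermittent failures reported later in the thread would look like from the client side; a mismatch in the other direction means a host is escaping inspection that the policy did not exempt.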
L3 Networker

Re: dropbox - ssl decryption

I have the same problem and tried set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"; but I am still having the issue. It is intermittent: it works fine most of the time, but once in a while I get the red X and the "Can't establish a secure connection" error.

L0 Member

Re: dropbox - ssl decryption

Is there a way to get the Palo to inspect the traffic and not have the agent break?

This is pretty common and leads to having too many exemptions to SSL inspection.

I appreciate that Dropbox (and others) are basically preventing this man-in-the-middle, but for an enterprise we need to be able to inspect this traffic?

Has anyone been able to get the Dropbox agent and site to work with the Palo cert?

Ultimately we are going to just allow downloads (so that would probably be ok) and block everything else, so it will probably be ok once we remove the whitelist; I just want to test with a smaller group prior to rollout.

Thanks,

L7 Applicator

Re: dropbox - ssl decryption

Hi @BrentGunn

Because the Dropbox application is doing certificate pinning, there is no way to get this working with decryption enabled. However, accessing the Dropbox website works fine with TLS decryption enabled. So if you need to control Dropbox traffic, the only way is to use the website and not the Dropbox application.
