11-21-2013 03:41 PM
Hey all,
I am using dropbox on my PC and ssl decryption has been enabled on my Palo Alto. I added my PA root cert to my trusted certificates on my computer and am not getting any complains from my browser when surfing to https websites.
However, my dropbox application is complaining that it can not make a secure connection to the internet.
And yes, I have internet connectivity 🙂
I've tried creating a custom URL category containing dropbox.com and *.dropbox.com, but this did not resolve the problem.
When checking the monitor, I see some traffic identified as dropbox, but going to random public IP addresses (as expected for a CDN).
I found some post stating that dropbox can not be decrypted, if this is the case, sad but no problem, but how can I exclude it?
Kind regards,
Bob
11-21-2013 03:51 PM
Hello Bob,
You can use the following command to exclude individual urls.
# set shared ssl-decrypt ssl-exclude-cert <value>
In your case it would be:
# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"
# commit
The result will create an exclude rule for a single URL. After adding the exclusion rule you may need to refresh your browser to have it recognize the actual server certificate, as opposed to the self-signed cert from the Palo Alto Networks device.
Verification can be done using the following command:
admin@88-PA-VM# show shared ssl-decrypt
ssl-decrypt {
ssl-exclude-cert *.dropbox.com;
trusted-root-CA;
}
Let me know if that helps!
Thanks and regards,
Kunal Adak
11-21-2013 03:51 PM
Hello Bob,
You can use the following command to exclude individual urls.
# set shared ssl-decrypt ssl-exclude-cert <value>
In your case it would be:
# set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com"
# commit
The result will create an exclude rule for a single URL. After adding the exclusion rule you may need to refresh your browser to have it recognize the actual server certificate, as opposed to the self-signed cert from the Palo Alto Networks device.
Verification can be done using the following command:
admin@88-PA-VM# show shared ssl-decrypt
ssl-decrypt {
ssl-exclude-cert *.dropbox.com;
trusted-root-CA;
}
Let me know if that helps!
Thanks and regards,
Kunal Adak
11-22-2013 06:58 AM
Thanks, I'm able to connect now
12-01-2013 10:15 AM
Note however that this mean that all dropbox traffic will bypass without being inspected nor logged which will introduce a huge security hole in your infrastructure.
If im not mistaken you could use the webclient instead (that is through webbrowser) and having your PA device inspecting the traffic securely (including threats, DLP, logging etc).
09-03-2014 07:36 AM
I have the same problem and tried "set shared ssl-decrypt ssl-exclude-cert "*.dropbox.com" "; but, I am still having the issue. It is intermittent, it works fine for most of the time, but once in a while I get the red X and the "Can't establish a secure connection" error.
12-31-2019 11:20 AM
Is there a way to get the Palo to inspect the traffic and not have the agent break?
This is pretty common and leads to having too many excemptions to SSL inspection.
I appreciate that dropbox (and others) basically are preventing this man in the middle, but for an enterprise we need to be able to inspect this traffic?
Has anyone been able to get the dropbox agent/and site to work with the Palo cert?
Ultimately we are going to just allow downloads (so that would probably be ok) and block everything else so it will probably be ok once we remove the whitelist, I just want to test with a smaller group prior to rollout.
Thanks,
12-31-2019 11:43 AM
Hi @BrentGunn
Because the dropbox application is doing certificate pinning, there is no way to get this working with decryption enabled. However accessing the dropbox website is working fine with TLS decryption enabled. So if you need to control dropbox traffic the only way is to use the website and not the dropbox application.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
