This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Exclude iTunes/App Store from decryption

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Exclude iTunes/App Store from decryption

carmp3fan
L1 Bithead

‎10-26-2012 09:21 PM

I am using SSL decryption for all outbound traffic. Prior to the decryption rule I have a rule to attempt to exclude iTunes and App Store traffic from decryption.  The rule seems to be working, but the App Store fails with "NSURLErrorDomain error -1012".  When I turn off all decryption the App Store works.

My rule is setup for no-decrypt from any source to the following addresses:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

I have URL filtering enabled, but everything is set to alert instead of block (excluding a few select categories like malware, online gambling, spam, phishing, etc). I also have a generic Trust->Untrust Accept security rule.

Anybody have any ideas how to get this to work without excluding the source address from decryption?

0 Likes Likes
8 REPLIES 8

gswcowboy
L6 Presenter

‎10-26-2012 10:35 PM

based on config info provided, it's working for me. I added a couple of destination addresses though as shown below. Might need a live debug session.

admin@renato(active)> show running decryption-policy

rule1 {

        from L3_Trust;

        source any;

        source-region any;

        to L3_Untrust;

        destination [ 140.174.24.26 140.174.24.35 17.149.240.70 17.151.228.4 17.151.36.30 17.154.66.18 17.154.66.38 184.27.226.217 184.27.227.205 184.27.235.164 80.12.

98.25 80.12.98.27 80.12.98.51 ];

        destination-region any;

        user any;

        category any;

        action no-decrypt;

}

Decrypt {

        from L3_Trust;

        source any;

        source-region any;

        to L3_Untrust;

        destination any;

        destination-region any;

        user any;

        category any;

        action decrypt;

}

admin@renato(active)> show session all filter ssl-decrypt yes source 172.16.20.17

No Active Sessions

admin@renato(active)> show session all filter source 172.16.20.17

--------------------------------------------------------------------------------

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

9658    dns            ACTIVE  FLOW  NS   172.16.20.17[64517]/L3_Trust/17  (public ip [2281])

vsys1                                     4.2.2.2[53]/L3_Untrust  (4.2.2.2[53])

11341   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49359]/L3_Trust/6  (public ip[5175])

vsys1                                     69.22.148.208[80]/L3_Untrust  (69.22.148.208[80])

11666   dns            ACTIVE  FLOW  NS   172.16.20.17[63454]/L3_Trust/17  (public ip[6765])

vsys1                                     4.2.2.2[53]/L3_Untrust  (4.2.2.2[53])

11652   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49360]/L3_Trust/6  (public ip[40988])

vsys1                                     69.22.148.208[80]/L3_Untrust  (69.22.148.208[80])

9880    itunes-appstore ACTIVE  FLOW  NS   172.16.20.17[49356]/L3_Trust/6  (public ip[46814])

vsys1                                     69.22.148.203[80]/L3_Untrust  (69.22.148.203[80])

11835   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49358]/L3_Trust/6  (public ip[45718])

vsys1                                     184.27.226.217[443]/L3_Untrust  (184.27.226.217[443])

12169   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49357]/L3_Trust/6  (public ip[7797])

vsys1                                     184.27.226.217[443]/L3_Untrust  (184.27.226.217[443])

photo (1).PNG

photo.PNG

mikand
L6 Presenter
In response to gswcowboy

‎10-27-2012 12:06 AM

Cant you just setup a custom category like iTunes_and_App_store containing:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

and then setup your rules like:

rule1 {

        from L3_Trust;

        source any;

        source-region any;

        to L3_Untrust;

        destination any;

        destination-region any;

        user any;

        category iTunes_and_App_store;

        action no-decrypt;

}

 

rule2 {

        from L3_Trust;

        source any;

        source-region any;

        to L3_Untrust;

        destination any;

        destination-region any;

        user any;

        category any;

        action decrypt;

}

0 Likes Likes

carmp3fan
L1 Bithead
In response to mikand

‎10-29-2012 08:16 PM

No success using a custom URL category. Even logically that wouldn't work because the URLs are encrypted and would have to be decrypted it determine the URL. I could be misunderstanding the intricacies of the Palo Alto.

0 Likes Likes

carmp3fan
L1 Bithead
In response to gswcowboy

‎10-29-2012 08:19 PM

Are you able to update an app with your setup?  Even if I can pull up the list of apps to update, I cannot update them.

Apple {

        from any;

        source any;

        source-region any;

        to any;

        destination [ 17.171.27.65 63.235.20.186 63.235.20.195 63.235.20.163 63.235.20.192 63.235.20.170 63.235.20.177 17.171.36.30 17.135.64.4 184.30.2.217 17.154.66.18 17.154.66.38 184.30.2.217 184.30.2.217 ];

        destination-region any;

        user any;

        category any;

        action no-decrypt;

}

"SSL Decryption" {

        from Trust;

        source any;

        source-region any;

        to Untrust;

        destination any;

        destination-region any;

        user any;

        category any;

        action decrypt;

}

0 Likes Likes

mikand
L6 Presenter
In response to carmp3fan

‎10-29-2012 11:35 PM

So one cant use SSL-decryption for itunes and appstore traffic?

Other than that I think the url-filtering will also take a look at the CN part of the cert being used so even if it cannot decrypt the traffic (like the case of windows update) it can still (sort of) figure out the url being used.

0 Likes Likes

carmp3fan
L1 Bithead
In response to gswcowboy

‎11-07-2012 05:52 PM

I have yet to figure out how to get this working. What can I provide you that might help figure this out?

0 Likes Likes

mikand
L6 Presenter
In response to carmp3fan

‎11-07-2012 08:14 PM

A fugly solution might be to setup address objects containing the FQDN's mentioned earlier:

albert.apple.com

ax.init.itunes.apple.com

ax.itunes.com

deimos3.apple.com

gs.apple.com

guzzoni.apple.com

itunes.apple.com

p22-buy.itunes.apple.com

phobos.apple.com

se.itunes.apple.com

su.itunes.apple.com

Tricky part here is how PA handles multiple ip addresses for a particular FQDN but also if the same ip's are handling other domains aswell (which would mean that traffic to/from those wouldnt be decrypted aswell).

When you setup these FQDN's as address objects, meaning create an address object for example named "FQDN_albert.apple.com" which in the field where you normally write the ip you write "albert.apple.com", you can use these as a "dont decrypt" rule.

Then in security rules use the same address objects as dstip along with proper appid (apple-appstore, apple-update, itunes-appstore or which appid's might be identified).

Also combine the above with setting an url filter for *.itunes.com and *.apple.com or preferrely the same list as the FQDN's above (which when decryption is not in action would mean that it at least looks at the CN part of the cert being used).

Or tell your users to updated their apple devices elsewhere 😉

0 Likes Likes

essnet
L4 Transporter
In response to mikand

‎11-08-2012 06:43 AM

Did you try to exclude *.apple.com ?

0 Likes Likes
  • 4546 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks