10-26-2012 09:21 PM
I am using SSL decryption for all outbound traffic. Prior to the decryption rule I have a rule to attempt to exclude iTunes and App Store traffic from decryption. The rule seems to be working, but the App Store fails with "NSURLErrorDomain error -1012". When I turn off all decryption the App Store works.
My rule is setup for no-decrypt from any source to the following addresses:
albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com
I have URL filtering enabled, but everything is set to alert instead of block (excluding a few select categories like malware, online gambling, spam, phishing, etc). I also have a generic Trust->Untrust Accept security rule.
Anybody have any ideas how to get this to work without excluding the source address from decryption?
10-26-2012 10:35 PM
Based on the config info provided, it's working for me. I added a couple of destination addresses though, as shown below. Might need a live debug session.
admin@renato(active)> show running decryption-policy
rule1 {
from L3_Trust;
source any;
source-region any;
to L3_Untrust;
destination [ 140.174.24.26 140.174.24.35 17.149.240.70 17.151.228.4 17.151.36.30 17.154.66.18 17.154.66.38 184.27.226.217 184.27.227.205 184.27.235.164 80.12.98.25 80.12.98.27 80.12.98.51 ];
destination-region any;
user any;
category any;
action no-decrypt;
}
Decrypt {
from L3_Trust;
source any;
source-region any;
to L3_Untrust;
destination any;
destination-region any;
user any;
category any;
action decrypt;
}
admin@renato(active)> show session all filter ssl-decrypt yes source 172.16.20.17
No Active Sessions
admin@renato(active)> show session all filter source 172.16.20.17
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
9658 dns ACTIVE FLOW NS 172.16.20.17[64517]/L3_Trust/17 (public ip [2281])
vsys1 4.2.2.2[53]/L3_Untrust (4.2.2.2[53])
11341 itunes-base ACTIVE FLOW NS 172.16.20.17[49359]/L3_Trust/6 (public ip[5175])
vsys1 69.22.148.208[80]/L3_Untrust (69.22.148.208[80])
11666 dns ACTIVE FLOW NS 172.16.20.17[63454]/L3_Trust/17 (public ip[6765])
vsys1 4.2.2.2[53]/L3_Untrust (4.2.2.2[53])
11652 itunes-base ACTIVE FLOW NS 172.16.20.17[49360]/L3_Trust/6 (public ip[40988])
vsys1 69.22.148.208[80]/L3_Untrust (69.22.148.208[80])
9880 itunes-appstore ACTIVE FLOW NS 172.16.20.17[49356]/L3_Trust/6 (public ip[46814])
vsys1 69.22.148.203[80]/L3_Untrust (69.22.148.203[80])
11835 itunes-base ACTIVE FLOW NS 172.16.20.17[49358]/L3_Trust/6 (public ip[45718])
vsys1 184.27.226.217[443]/L3_Untrust (184.27.226.217[443])
12169 itunes-base ACTIVE FLOW NS 172.16.20.17[49357]/L3_Trust/6 (public ip[7797])
vsys1 184.27.226.217[443]/L3_Untrust (184.27.226.217[443])
10-27-2012 12:06 AM
Can't you just set up a custom category like iTunes_and_App_store containing:
albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com
and then set up your rules like:
rule1 {
from L3_Trust;
source any;
source-region any;
to L3_Untrust;
destination any;
destination-region any;
user any;
category iTunes_and_App_store;
action no-decrypt;
}
rule2 {
from L3_Trust;
source any;
source-region any;
to L3_Untrust;
destination any;
destination-region any;
user any;
category any;
action decrypt;
}
10-29-2012 08:16 PM
No success using a custom URL category. Even logically that wouldn't work, because the URLs are encrypted and would have to be decrypted to determine the URL. I could be misunderstanding the intricacies of the Palo Alto.
10-29-2012 08:19 PM
Are you able to update an app with your setup? Even if I can pull up the list of apps to update, I cannot update them.
Apple {
from any;
source any;
source-region any;
to any;
destination [ 17.171.27.65 63.235.20.186 63.235.20.195 63.235.20.163 63.235.20.192 63.235.20.170 63.235.20.177 17.171.36.30 17.135.64.4 184.30.2.217 17.154.66.18 17.154.66.38 184.30.2.217 184.30.2.217 ];
destination-region any;
user any;
category any;
action no-decrypt;
}
"SSL Decryption" {
from Trust;
source any;
source-region any;
to Untrust;
destination any;
destination-region any;
user any;
category any;
action decrypt;
}
10-29-2012 11:35 PM
So one can't use SSL decryption for iTunes and App Store traffic?
Other than that, I think the URL filtering will also take a look at the CN part of the cert being used, so even if it cannot decrypt the traffic (like the case of Windows Update) it can still (sort of) figure out the URL being used.
11-07-2012 05:52 PM
I have yet to figure out how to get this working. What can I provide you that might help figure this out?
11-07-2012 08:14 PM
A fugly solution might be to set up address objects containing the FQDNs mentioned earlier:
albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com
The tricky part here is how PA handles multiple IP addresses for a particular FQDN, but also whether the same IPs are handling other domains as well (which would mean that traffic to/from those wouldn't be decrypted either).
When you set up these FQDNs as address objects, meaning you create an address object named for example "FQDN_albert.apple.com" where, in the field in which you would normally write the IP, you write "albert.apple.com", you can use these in a "don't decrypt" rule.
Then in the security rules use the same address objects as destination IP along with the proper App-ID (apple-appstore, apple-update, itunes-appstore or whichever App-IDs get identified).
Also combine the above with setting a URL filter for *.itunes.com and *.apple.com, or preferably the same list as the FQDNs above (which, when decryption is not in action, would mean that it at least looks at the CN part of the cert being used).
Or tell your users to update their Apple devices elsewhere 😉
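An added example, not from anyone in this thread, that audits the FQDN-address-object approach described above: it builds the destination set the no-decrypt rule would match, flags IPs that unrelated hostnames also resolve to (the shared-IP concern raised above), and checks a session table in the layout shown earlier in the thread for port-443 sessions the rule would not cover. The DNS answers, the hostname cdn.example-shop.test, the translated IP 198.51.100.9 and the session lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed stand-in for DNS answers; not real resolutions.
DNS_TABLE = {
    "albert.apple.com": ["17.171.27.65"],
    "itunes.apple.com": ["184.30.2.217", "184.27.226.217"],
    "p22-buy.itunes.apple.com": ["17.154.66.18", "17.154.66.38"],
    "su.itunes.apple.com": ["184.30.2.217"],
    "cdn.example-shop.test": ["184.27.226.217"],  # unrelated host on a shared IP
}
NO_DECRYPT_FQDNS = ["albert.apple.com", "itunes.apple.com",
                    "p22-buy.itunes.apple.com", "su.itunes.apple.com"]

# Constructed sample in the layout of the thread's 'show session all' output.
SESSION_TEXT = """\
11835 itunes-base ACTIVE FLOW NS 172.16.20.17[49358]/L3_Trust/6 (198.51.100.9[45718])
vsys1 184.27.226.217[443]/L3_Untrust (184.27.226.217[443])
12170 ssl ACTIVE FLOW NS 172.16.20.17[49361]/L3_Trust/6 (198.51.100.9[7801])
vsys1 17.151.36.30[443]/L3_Untrust (17.151.36.30[443])
9880 itunes-appstore ACTIVE FLOW NS 172.16.20.17[49356]/L3_Trust/6 (198.51.100.9[46814])
vsys1 69.22.148.203[80]/L3_Untrust (69.22.148.203[80])
"""

def build_destination_set(fqdns, table):
    """IPs an FQDN-address-object no-decrypt rule would resolve to and match."""
    return {ip for name in fqdns for ip in table.get(name, [])}

def shared_ip_bypass(fqdns, table):
    """Excluded IPs that other, non-excluded hostnames also resolve to."""
    ip_to_hosts = defaultdict(set)
    for host, addrs in table.items():
        for ip in addrs:
            ip_to_hosts[ip].add(host)
    others = {ip: sorted(ip_to_hosts[ip] - set(fqdns))
              for ip in build_destination_set(fqdns, table)}
    return {ip: hosts for ip, hosts in others.items() if hosts}

DST_RE = re.compile(r"^vsys\d+\s+(\d+(?:\.\d+){3})\[(\d+)\]")

def tls_sessions_still_decrypted(session_text, dests):
    """Port-443 session destinations the no-decrypt rule would not cover."""
    hits = []
    for line in session_text.splitlines():
        m = DST_RE.match(line)
        if m and m.group(2) == "443" and m.group(1) not in dests:
            hits.append(m.group(1))
    return hits
```

Any IP reported by shared_ip_bypass is traffic the rule exempts from decryption beyond Apple, and any IP reported by tls_sessions_still_decrypted is an App Store endpoint the FQDN list is missing.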
11-08-2012 06:43 AM
Did you try to exclude *.apple.com ?