Exclude iTunes/App Store from decryption


L1 Bithead

I am using SSL decryption for all outbound traffic. Prior to the decryption rule I have a rule to attempt to exclude iTunes and App Store traffic from decryption.  The rule seems to be working, but the App Store fails with "NSURLErrorDomain error -1012".  When I turn off all decryption the App Store works.

My rule is set up for no-decrypt from any source to the following addresses:

albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com

I have URL filtering enabled, but everything is set to alert instead of block (excluding a few select categories like malware, online gambling, spam, phishing, etc). I also have a generic Trust->Untrust Accept security rule.

Anybody have any ideas how to get this to work without excluding the source address from decryption?


L6 Presenter

Based on the config info provided, it's working for me. I added a couple of destination addresses though, as shown below. Might need a live debug session.

admin@renato(active)> show running decryption-policy

rule1 {
        from L3_Trust;
        source any;
        source-region any;
        to L3_Untrust;
        destination [ 140.174.24.26 140.174.24.35 17.149.240.70 17.151.228.4 17.151.36.30 17.154.66.18 17.154.66.38 184.27.226.217 184.27.227.205 184.27.235.164 80.12.98.25 80.12.98.27 80.12.98.51 ];
        destination-region any;
        user any;
        category any;
        action no-decrypt;
}

Decrypt {
        from L3_Trust;
        source any;
        source-region any;
        to L3_Untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        action decrypt;
}

admin@renato(active)> show session all filter ssl-decrypt yes source 172.16.20.17

No Active Sessions

admin@renato(active)> show session all filter source 172.16.20.17

--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
9658    dns            ACTIVE  FLOW  NS   172.16.20.17[64517]/L3_Trust/17  (public ip [2281])
vsys1                                     4.2.2.2[53]/L3_Untrust  (4.2.2.2[53])
11341   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49359]/L3_Trust/6  (public ip[5175])
vsys1                                     69.22.148.208[80]/L3_Untrust  (69.22.148.208[80])
11666   dns            ACTIVE  FLOW  NS   172.16.20.17[63454]/L3_Trust/17  (public ip[6765])
vsys1                                     4.2.2.2[53]/L3_Untrust  (4.2.2.2[53])
11652   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49360]/L3_Trust/6  (public ip[40988])
vsys1                                     69.22.148.208[80]/L3_Untrust  (69.22.148.208[80])
9880    itunes-appstore ACTIVE  FLOW  NS   172.16.20.17[49356]/L3_Trust/6  (public ip[46814])
vsys1                                     69.22.148.203[80]/L3_Untrust  (69.22.148.203[80])
11835   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49358]/L3_Trust/6  (public ip[45718])
vsys1                                     184.27.226.217[443]/L3_Untrust  (184.27.226.217[443])
12169   itunes-base    ACTIVE  FLOW  NS   172.16.20.17[49357]/L3_Trust/6  (public ip[7797])
vsys1                                     184.27.226.217[443]/L3_Untrust  (184.27.226.217[443])

Can't you just set up a custom category like iTunes_and_App_store containing:

albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com

and then set up your rules like:

rule1 {
        from L3_Trust;
        source any;
        source-region any;
        to L3_Untrust;
        destination any;
        destination-region any;
        user any;
        category iTunes_and_App_store;
        action no-decrypt;
}

rule2 {
        from L3_Trust;
        source any;
        source-region any;
        to L3_Untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        action decrypt;
}

No success using a custom URL category. Even logically that wouldn't work, because the URLs are encrypted and would have to be decrypted to determine the URL. I could be misunderstanding the intricacies of the Palo Alto.

Are you able to update an app with your setup?  Even if I can pull up the list of apps to update, I cannot update them.

Apple {
        from any;
        source any;
        source-region any;
        to any;
        destination [ 17.171.27.65 63.235.20.186 63.235.20.195 63.235.20.163 63.235.20.192 63.235.20.170 63.235.20.177 17.171.36.30 17.135.64.4 184.30.2.217 17.154.66.18 17.154.66.38 184.30.2.217 184.30.2.217 ];
        destination-region any;
        user any;
        category any;
        action no-decrypt;
}

"SSL Decryption" {
        from Trust;
        source any;
        source-region any;
        to Untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        action decrypt;
}

So one can't use SSL decryption for iTunes and App Store traffic?

Other than that, I think the URL filtering will also take a look at the CN part of the cert being used, so even if it cannot decrypt the traffic (as in the case of Windows Update) it can still (sort of) figure out the URL being used.

I have yet to figure out how to get this working. What can I provide you that might help figure this out?

A fugly solution might be to set up address objects containing the FQDNs mentioned earlier:

albert.apple.com
ax.init.itunes.apple.com
ax.itunes.com
deimos3.apple.com
gs.apple.com
guzzoni.apple.com
itunes.apple.com
p22-buy.itunes.apple.com
phobos.apple.com
se.itunes.apple.com
su.itunes.apple.com

The tricky part here is how PA handles multiple IP addresses for a particular FQDN, but also whether the same IPs are handling other domains as well (which would mean that traffic to/from those wouldn't be decrypted either).

When you set up these FQDNs as address objects, meaning you create an address object named for example "FQDN_albert.apple.com" in which, in the field where you normally write the IP, you write "albert.apple.com", you can use these in a "don't decrypt" rule.

Then in the security rules use the same address objects as the destination IP along with the proper App-ID (apple-appstore, apple-update, itunes-appstore or whichever App-IDs might be identified).

Also combine the above with setting a URL filter for *.itunes.com and *.apple.com, or preferably the same list as the FQDNs above (which, when decryption is not in action, would mean that it at least looks at the CN part of the cert being used).

Or tell your users to update their Apple devices elsewhere 😉

Did you try to exclude *.apple.com ?
