This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Exclude www.google.* from decryption

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude www.google.* from decryption

Hithead
L4 Transporter

‎03-26-2013 02:16 AM

Hello,

are you able to exculde https://www.google.com ; https://www.google.de and other domains from SSL decryption?

Or clients complain about the slow loading of the website when they open Google or try to search something.

Currently i add in a white custom URL category:

www.google.com

www.google.com/

www.google.com/*

www.google.*

www.google.*/

www.google.*/*

and still the PA decrypt the traffic. If i try the policy from our location in US, it works (www.google.com). But if i try it from Germany - or other locations - the white list don't take affect.

Do you also have a slow loading of www.google.* if you enable ssl decyption?

Labels:
0 Likes Likes
16 REPLIES 16

mikand
L6 Presenter

‎03-26-2013 12:56 PM

If Im not mistaken you are supposed to use the stuff mentioned in the CN part of the cert being used at the server. Thats the only way PA can identify which site you are trying to reach when using HTTPS without actually decrypt anything.

Also it sounds strange that only google would be "slow".

Which hardware and panos do you use?

I know that PA-2000 series uses mgmtplane to generate the mitm-certs on the fly so in case mgmtplane is at 100% cpu then generating these mitm-certs would take an additional second(s) to complete and the client would experience this as a "slow" connection. However once terminated (since these certs I belienve are being cached) the speed should be good.

Other things to look into is how many bits the CA-cert is using (which will affect the time it takes to generate the mitm-cert on the fly).

0 Likes Likes

Hithead
L4 Transporter
In response to mikand

‎03-27-2013 05:57 AM

Hi,

the thing is: www.google.(whatever) loads slow. Some second delay. Also when established once a connection (Google open in your browser and search again something).

And yes, we are using the "powerful" and "stable" PA2000 series......with 5.0.3.....In the last versions the problem was also available....

Checked the bits: With/Without Decryption - www.google.de - 1024         

Checked also hotmail.com: With Decryption: 1024 Without: 2048

(btw we using PA generated certificate for the ssl-decryption)

Whatever, i though to exclude the URL www.google.* as a workaround. But with my entries in the URL whitelist the PA still decrypt the session...?!

0 Likes Likes

ewilen
Not applicable

‎04-25-2013 01:26 PM

Possibly this document will help:

What I take away from it is that if you want to exclude a site from decryption, you need to create a custom URL category that lists that site by ip address (page 3) not by name.

0 Likes Likes

Hithead
L4 Transporter
In response to ewilen

‎04-26-2013 01:56 AM

I know its possible to exclude websites from decryption by adding the IP address....But i don't want to use IP address. Really need to exculde the URL www.google.* ...

0 Likes Likes

ewilen
Not applicable
In response to Hithead

‎04-26-2013 09:55 AM

I understand--I'm dealing with a similar issue myself. I'm working with support, and if I can get a config working I'll update this thread.

0 Likes Likes

Hithead
L4 Transporter
In response to ewilen

‎05-06-2013 12:49 AM

Thanks. Will be helpful!

0 Likes Likes

oneidanation
Not applicable

‎06-03-2013 10:32 AM

You can exclude URLs by creating a Custom URL Category and add the sites into that URL Category then use the custom URL Category in your do not decrypt rule.

0 Likes Likes

Hithead
L4 Transporter
In response to oneidanation

‎06-04-2013 05:14 AM

yes, i know...

thats my problem in this thread....its not possible.

0 Likes Likes

goku123
L7 Applicator

‎06-04-2013 06:14 AM

Hi,

You could try to import cert used by google on the german site onto the PA device and then select the usage as "SSL Exclude Certificate" & see if you could prevent it from being decrypted.

capture2.PNG

0 Likes Likes

Hithead
L4 Transporter
In response to goku123

‎06-06-2013 04:36 AM

Hi,

no it doesn't work. Whatever, our clients become accustomed to wait few seconds.

0 Likes Likes

ericgearhart
L4 Transporter
In response to Hithead

‎06-06-2013 04:41 AM 

Hithead wrote:




And yes, we are using the "powerful" and "stable" PA2000 series......with 5.0.3.....In the last versions the problem was also available....

I hope you're being sarcastic here Smiley Happy The PA2000 series is neither powerful nor stable in my experience

0 Likes Likes

Hithead
L4 Transporter
In response to ericgearhart

‎06-06-2013 04:56 AM 

egearhart wrote:






Hithead wrote:




And yes, we are using the "powerful" and "stable" PA2000 series......with 5.0.3.....In the last versions the problem was also available....








I hope you're being sarcastic here  The PA2000 series is neither powerful nor stable in my experience

:smileylaugh: yes. Also had and have bad experience with the PA2000 series...

But however, the software should be able to exclude http://www.google.(de, com, nl, com.mx,... etc.) from the ssl decryption.

0 Likes Likes

mr.linus
L4 Transporter
In response to Hithead

‎06-06-2013 05:54 AM

I was able to get this to work, but only with a custom category including:

*.google.*

*.google.*/*

google.*

google.*/*

so this would include mail.google.com, which I guess you don't want...

If I put in www.google.* some traffic remains undecrypted, but other is decrypted just like you said.

This means that making your own custom category to excluded from decryption does work, but just not always :-s

Do you have a support ticket open for this? If so, please keep us informed of the output.

oneidanation
Not applicable

‎07-17-2013 12:18 PM

Did you ever get his working for some reason ours that was working with a custom url category now is not working for wildcard urls in the category.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2023 - Palo Alto Networks