Exclude www.google.* from decryption

Hithead · ‎03-26-2013

Hello,

are you able to exculde https://www.google.com ; https://www.google.de and other domains from SSL decryption?

Or clients complain about the slow loading of the website when they open Google or try to search something.

Currently i add in a white custom URL category:

www.google.com

www.google.com/

www.google.com/*

www.google.*

www.google.*/

www.google.*/*

and still the PA decrypt the traffic. If i try the policy from our location in US, it works (www.google.com). But if i try it from Germany - or other locations - the white list don't take affect.

Do you also have a slow loading of www.google.* if you enable ssl decyption?

mikand · ‎03-26-2013

If Im not mistaken you are supposed to use the stuff mentioned in the CN part of the cert being used at the server. Thats the only way PA can identify which site you are trying to reach when using HTTPS without actually decrypt anything.

Also it sounds strange that only google would be "slow".

Which hardware and panos do you use?

I know that PA-2000 series uses mgmtplane to generate the mitm-certs on the fly so in case mgmtplane is at 100% cpu then generating these mitm-certs would take an additional second(s) to complete and the client would experience this as a "slow" connection. However once terminated (since these certs I belienve are being cached) the speed should be good.

Other things to look into is how many bits the CA-cert is using (which will affect the time it takes to generate the mitm-cert on the fly).

Hithead · ‎03-27-2013

Hi,

the thing is: www.google.(whatever) loads slow. Some second delay. Also when established once a connection (Google open in your browser and search again something).

And yes, we are using the "powerful" and "stable" PA2000 series......with 5.0.3.....In the last versions the problem was also available....

Checked the bits: With/Without Decryption - www.google.de - 1024

Checked also hotmail.com: With Decryption: 1024 Without: 2048

(btw we using PA generated certificate for the ssl-decryption)

Whatever, i though to exclude the URL www.google.* as a workaround. But with my entries in the URL whitelist the PA still decrypt the session...?!

ewilen · ‎04-25-2013

Possibly this document will help:

What I take away from it is that if you want to exclude a site from decryption, you need to create a custom URL category that lists that site by ip address (page 3) not by name.

Hithead · ‎04-26-2013

I know its possible to exclude websites from decryption by adding the IP address....But i don't want to use IP address. Really need to exculde the URL www.google.* ...

ewilen · ‎04-26-2013

I understand--I'm dealing with a similar issue myself. I'm working with support, and if I can get a config working I'll update this thread.

Hithead · ‎05-06-2013

Thanks. Will be helpful!

oneidanation · ‎06-03-2013

You can exclude URLs by creating a Custom URL Category and add the sites into that URL Category then use the custom URL Category in your do not decrypt rule.

Hithead · ‎06-04-2013

yes, i know...

thats my problem in this thread....its not possible.

goku123 · ‎06-04-2013

Hi,

You could try to import cert used by google on the german site onto the PA device and then select the usage as "SSL Exclude Certificate" & see if you could prevent it from being decrypted.

Network Security

Cloud Security

Security Operations

Exclude www.google.* from decryption

Exclude www.google.* from decryption

Show your appreciation!