Home Decryption on a PA-220.


L3 Networker

I have a PA-220 at home and want to use it to obviously protect my home, but also to help prevent my children from accessing things I feel are inappropriate.

Obviously, with encrypted traffic from things like gaming consoles and phones this is harder to do, and decryption is required.

My question is, what is the best way to implement decryption on traffic from these devices without breaking connectivity due to MITM issues? Can I get a cert from a CA and use that as the proxy forwarding certificate or is there something in particular I need to do to implement this?


Thanks!

11 REPLIES

@Gareth.Doyle 



@Gareth.Doyle wrote:

The URL category did not work. I'm not sure what URLs the gaming console is reaching out to, but none of them are similar to what typical computer connectivity uses.


Create a URL Filtering profile and set all categories to "alert", except for those you definitely want to block - those you can directly put with action "block". Put this profile on the rule that allows traffic from your consoles to the Internet.

This will make sure that your firewall creates a log for any URL that it is able to recognize from the SSL certificate. Go to Monitor -> URL logs and search with the source IP address; if you see any entries, the firewall is able to grab the FQDN from the SSL certificate. As I mentioned, this will be true as long as the firewall is identifying the application as "web-browsing" or "ssl". Without decryption, most of the traffic that is using SSL/TLS encryption will be categorized as "ssl".

Probably "URL category did not work" because consoles are using QUIC. So you can block QUIC to force them to fall back to standard TCP and check the URL logs again.

"I'm not sure what URLs the gaming console is reaching out to, but none of them are similar to what typical computer connectivity uses" - I am not sure what you mean by that, but it is irrelevant if the firewall is not able to grab the fqdn from server certificate.

While it isn't the exact behavior I want, I determined that if I added 1e100.net and *.1e100.net to the custom URL category I created, and added that to the block rule, it blocks all YouTube traffic. Granted, this will also block any Google-related traffic, but it is configured just for the gaming console sources, so I'm not concerned at this point.
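To check what the firewall actually extracted for a given source (the "search the URL logs by source IP" step above) and to preview which of those FQDNs a custom URL category such as `1e100.net` / `*.1e100.net` would catch before putting it on a block rule, here is an added helper script; it is not from the thread or from Palo Alto Networks. The log lines, column names and the wildcard semantics (`*.` matching any subdomain) are assumptions made for the example.

```python
"""Preview which FQDNs seen in URL logs a custom URL category would match.

SAMPLE_URL_LOG is a constructed CSV in the rough shape of a PAN-OS URL log
export; the column names are an assumption for this example, not real output.
"""
import csv
import io
from collections import Counter

SAMPLE_URL_LOG = """\
receive_time,src,dst,app,category,url
2024/01/01 10:00:01,192.168.1.50,172.217.0.1,ssl,streaming-media,www.youtube.com/
2024/01/01 10:00:02,192.168.1.50,172.217.0.2,ssl,content-delivery-networks,r3---sn-abc.googlevideo.com/
2024/01/01 10:00:03,192.168.1.50,172.217.0.3,ssl,search-engines,www.google.com/
2024/01/01 10:00:04,192.168.1.50,172.217.0.4,ssl,computer-and-internet-info,lhr25s10-in-f14.1e100.net/
2024/01/01 10:00:05,192.168.1.20,104.16.0.1,web-browsing,computer-and-internet-info,example.org/
"""


def fqdns_by_source(log_text, src_ip):
    """Count the FQDNs the firewall logged for one source IP (the console)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != src_ip:
            continue
        host = row["url"].split("/", 1)[0].lower()  # drop any path portion
        if host:
            counts[host] += 1
    return counts


def matches_category(host, patterns):
    """Assumed matching rules: plain entry = exact host, '*.x' = any subdomain of x."""
    host = host.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # "*.1e100.net" -> suffix ".1e100.net"
                return True
        elif host == pattern:
            return True
    return False


def preview_block(log_text, src_ip, patterns):
    """Split the FQDNs observed from src_ip into (blocked, still allowed)."""
    observed = fqdns_by_source(log_text, src_ip)
    blocked = {h for h in observed if matches_category(h, patterns)}
    allowed = sorted(set(observed) - blocked)
    return sorted(blocked), allowed


if __name__ == "__main__":
    print(preview_block(SAMPLE_URL_LOG, "192.168.1.50", ["1e100.net", "*.1e100.net"]))
```

Only hosts the firewall could pull from the certificate or SNI appear in the log, so anything the preview leaves in the "allowed" list (or that never shows up at all, e.g. QUIC sessions) will not be caught by the category either.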
