how to handle Google SSL traffic?

Reply
Highlighted
Not applicable

how to handle Google SSL traffic?

Hello,

I am new to PanOS devices, we recently got PA-200 router which is quite different from classic routers. Long story short - my problem is SSL traffic, I am trying to prioritize our traffic since for now we have only 10Mbit link, we have people working remotely over VPN, we have our own VoIP gateway in office, and there are people who are actively using Skype as collaboration tool. And on top of this there is Google with their content delivery ecosystem (https://peering.google.com/about/index.html) practically ruining my efforts to keep our connection efficient. Sure that bandwidth hogs like Dorpbox has been pushed down in priority as it is fairly easy by filtering it as application. But SSL traffic creates major problem since it is also used by Google to stream their content. Google empire has built a huge proxy network that can stream content very efficiently and thus flood the bandwidth. I need to somehow differentiate this content and make it lower priority among the SSL traffic that is required for work, not for entertainment. Here (Thousands of Youtube and Google IPs/Proxies) someone tried to organize the list of IPs, biggest majority of those are still correct and it probably would be efficient enough if I could filter against this list but I dont know how. The list can be broken down roughly in C-class IP subnets or IP ranges, to minimize number of entries but I still dont understand how to create a list of multiple IPs to filter against. In GUI I have to input each subnet or IP range manually as an entry and then group them together? Its too time consuming. and will create an enormous list of IPs in Management interface. I would prefer this list to be presented as single entity called "Google proxies" or something. Has anyone had this problem of defining an object that represents a huge list of IPs? Or maybe there are better ways to fight Google SSL traffic?

Thanks in advance,

Nils

Tags (3)
Highlighted
L4 Transporter

Nils,

Have you found any logs regarding that traffic? Is it being identified to a specific application by chance or does it just show up at SSL?


Are we performing SSL decryption?

I would imagine that if we could tie it down to an application (layer 7 inspection) we could throw it into the QoS (Quality of Service) policy therefore limiting the bandwidth and the priority.

Please give us some more information when you get the chance.

Thanks!

Highlighted
L7 Applicator

Jut to add to it: gmail.com doesn't have its own cert, it uses a SAN cert, but does a redirect partway through the transaction.

Thanks

Highlighted
Not applicable

All you can see in logs is that huge percentage of bandwidth belongs to SSL traffic, and some of those SSL sessions have large amounts of data transfered, up to couple hundreds of megabytes per session. Then get a list of top IPs that were invoved in large data transfer and they all fell in range of Google content delivery network. Youtube in particular is also SSL traffic from Google.

I understand that to analyse content in SSL traffic it needs to be decrypted. But I dont have the private key they are using, I have to substitute it with my own and that will not work with all SSL traffic, then I will need to create a list of hundreds of websites that should not be decrypted. Ok I dont really understand the whole SSL decryption thing on a router, I know it can be done properly (invisibly) if you have the private key of that traffic youre going to decrypt. Maybe I am wrong, will do some reading right now. I was just thinking maybe there is some workaround w/o involving SSL decryption, like feeding a huge list of IPs through API XML call.. If decryption is the best way to do it - I will set ip up. Just when I was considering doing it, I understood that its not possible to do it properly for all of SSL traffic.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!