How to SSL Bypass based on application

L2 Linker

Hello,

 

I wanted to share a solution I have implemented recently.

 

Bypassing SSL Decryption based on applications was a request I had from many customers.

I know there is an FR for that, but until then, with PAN-OS 8, it is possible to achieve this differently.

 

I had a specific scenario where one of my customers had to connect to his customer's Pulse Secure SSL VPN device (collaboration feature). 

When using SSL Decryption on his PAN NGFW, the connection was failing and he had to manually add the IP address of his customer to a bypass rule.

When you have hundreds of customers using that solution, and you need to add their IP addresses manually, it becomes problematic.

 

 

The idea is, dynamically adding the destination address to an SSL Bypass rule.

 

Here is how it goes...

 

Create a tag - Objects --> Tags:

tag.png

 

 

Create a Dynamic Address Group - Objects --> Address Groups

Add the previously created tag's name as a match

dynamic address group.png

Create a decryption rule with the new Address Group object as a destination with a 'no-decrypt' action (pay attention to rule order).

bypass rule.png

Create a Log Forwarding profile with a filter that will catch a specific application ('secure-access' for my scenario). Use Traffic as the log type.

 

 

log forwarding.png

 

Add a Built-in Action to tag the destination address

built-in action.png

 

 

Add the Log forwarding profile to the security rule that permitted the desired application originally.

security rule.png

 

Commit

Access the desired website (application), and verify the address has successfully been dynamically registered to the dynamic address group (click 'more'), and successfully SSL Bypassed.

 

 

Verify dyn address grp.png

 

 

 

Please share your thoughts..
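The workflow described above, modelled as an added example (not the poster's configuration and not PAN-OS code): constructed traffic-log entries are run through the forwarding-profile filter, the built-in action tags each matching destination, the dynamic address group is resolved from the tag, and the decryption policy is evaluated in order so the "pay attention to rule order" caveat can be seen. The application name 'secure-access' is the one from the post; the tag name 'ssl-bypass', the rule names and all IP addresses are assumed sample values. The last function serialises the registrations in the PAN-OS User-ID XML API 'register' format, which is what the firewall does internally when the built-in action fires; it is shown only so the resulting tag-to-IP mapping can be inspected.

```python
"""Added example: offline model of tag-on-traffic-log -> dynamic address
group -> no-decrypt rule.  Names, IPs and log lines are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

BYPASS_TAG = "ssl-bypass"       # tag from the first step (assumed name)
APP_FILTER = "secure-access"    # application named in the post

# Constructed traffic-log records, reduced to the fields the filter uses.
SAMPLE_TRAFFIC_LOGS = [
    {"src": "10.1.1.20", "dst": "203.0.113.10", "app": "secure-access", "action": "allow"},
    {"src": "10.1.1.21", "dst": "198.51.100.7", "app": "web-browsing",  "action": "allow"},
    {"src": "10.1.1.22", "dst": "203.0.113.44", "app": "secure-access", "action": "allow"},
    {"src": "10.1.1.23", "dst": "203.0.113.99", "app": "secure-access", "action": "deny"},
]


def log_filter(entry, app=APP_FILTER):
    """Equivalent of the forwarding-profile filter '(app eq secure-access)'.
    The profile hangs off the security rule that allowed the session, so
    denied entries never reach it; they are skipped here for the same reason."""
    return entry["app"] == app and entry["action"] == "allow"


def tag_destinations(logs, tag=BYPASS_TAG):
    """Built-in action 'tag destination address'.  Returns {ip: {tags}}.
    Malformed addresses are rejected rather than registered."""
    registrations = {}
    for entry in logs:
        if not log_filter(entry):
            continue
        ip = str(ipaddress.ip_address(entry["dst"]))  # raises on bad input
        registrations.setdefault(ip, set()).add(tag)
    return registrations


def dag_members(registrations, match_tag=BYPASS_TAG):
    """Dynamic address group whose match condition is the tag name."""
    return sorted(ip for ip, tags in registrations.items() if match_tag in tags)


def build_decryption_policy(dag):
    """Ordered decryption policy: the bypass rule must sit above the
    catch-all decrypt rule, because the first matching rule wins."""
    return [
        {"name": "bypass-tagged", "dst": set(dag), "action": "no-decrypt"},
        {"name": "decrypt-all",   "dst": None,     "action": "decrypt"},
    ]


def decryption_action(policy, dst_ip):
    """First-match evaluation of the policy for a destination address."""
    for rule in policy:
        if rule["dst"] is None or dst_ip in rule["dst"]:
            return rule["action"]
    return "decrypt"  # implicit default when nothing matches


def uid_register_message(registrations):
    """Serialise registrations as a PAN-OS User-ID XML 'register' message
    (the same mapping the built-in action creates on the firewall)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip, tags in sorted(registrations.items()):
        entry = ET.SubElement(register, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for tag in sorted(tags):
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    regs = tag_destinations(SAMPLE_TRAFFIC_LOGS)
    dag = dag_members(regs)
    policy = build_decryption_policy(dag)
    print("DAG members:", dag)
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "->", decryption_action(policy, ip))
    # Rule order matters: with the rules swapped the tagged host is decrypted.
    print("swapped order ->", decryption_action(list(reversed(policy)), "203.0.113.10"))
    print(uid_register_message(regs))
```

Running the script shows the two allowed 'secure-access' destinations landing in the group and receiving 'no-decrypt', the web-browsing destination still being decrypted, and the same tagged host being decrypted again once the bypass rule is moved below the catch-all rule, which is the mistake the rule-order remark in the post warns about.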

Cyber Elite

Another really nice and creative way of using the awesome Log Forwarding Profile feature in PAN-OS 8!

L0 Member

This seems like an awesome solution. Any insight into whether it will work for PAN OS 7.1?
