HTTPS browsing

SimasK
Not applicable

I made a quite shocking discovery about PA and how it inspects SSL-encrypted traffic.

Please correct me if I'm wrong.

1. To allow simple HTTPS web browsing traffic it isn't enough to allow the "web-browsing" application in the policy; you must also allow the "SSL" application, otherwise only HTTP browsing will work, but not HTTPS.

2. All non-HTTP traffic which is encrypted with SSL, but for which PA has no application signature (in other words, cannot classify it as any known application), is classified as SSL.

This means that if you allow HTTPS browsing you also allow all other SSL-encrypted traffic which PA cannot recognize (it means any application which isn't very popular and is using SSL can bypass PA security).

So far I couldn't find any way to allow HTTPS browsing and block unclassified SSL traffic at the same time. I attached a screenshot of my logs, where unrecognized SSL traffic is permitted along with HTTPS traffic and nothing can be done to prevent it.

kbrazil
L4 Transporter

Hi there,

It is impossible to tell which application is running within an SSL session without decrypting it.  That is why the Palo Alto Networks firewall has SSL decryption capability.  This way you get full App-ID for SSL Encrypted traffic.

URL Filtering profiles are also effective with encrypted and decrypted SSL traffic.

Cheers,

Kelly

SimasK
Not applicable

Dear Kelly,

Please read the question before answering. I think I provided enough information to imply that SSL encryption is enabled, and if you don't know how to answer, please don't answer :) The question is about what PA is doing when it finds non-HTTP traffic after SSL decryption.

BR

Simas

kbrazil
L4 Transporter

Hi Simas,

Sorry, I didn't see you mention a decryption policy in your question.  I would have assumed that unknown, decrypted flows would show up as unknown-tcp.  Not sure if that is working as designed.  You might check with Support on that.

Cheers,

Kelly

KGC
L3 Networker

If you are indeed decrypting SSL, you should have said so; your original message does not make that implication at all clear.

When we tested SSL decryption we were able to identify all manner of applications which hide inside SSL.

Keep in mind that some applications will "pretend" to use SSL on TCP 443 while using their own encryption methods. So even SSL decryption would not help you here.

SimasK
Not applicable

Dear ksemenov,

If you don't know how to answer my question, please don't; I don't want to troll here :) Thank you.

KGC
L3 Networker

Not a problem, happy to oblige.

I have a feeling your smiley disposition will net you very little help.

Good luck.

jpa
L4 Transporter

1. To allow simple HTTPS web browsing traffic it isn't enough to allow the "web-browsing" application in the policy; you must also allow the "SSL" application, otherwise only HTTP browsing will work, but not HTTPS.

(jerish) - The application web-browsing detects HTTP only. To allow HTTPS, you must use the application SSL only. There is no need to use the web-browsing app in the policy.

You can get details about the application from the Applipedia at http://ww2.paloaltonetworks.com/applipedia/

2. You must have a decryption rule to decrypt SSL connections to look for non-HTTPS applications. You can create a security policy to allow application SSL only.

Any unknown apps will show up as unknown-tcp. Do you happen to have a list of apps using SSL that were permitted?

jpa
L4 Transporter

Also, can you verify from your log details that the session was successfully decrypted? You will see a field for "SSL decryption" in the log details.

SimasK
Not applicable

To clarify things:

SSL decoding is enabled for all traffic and the "block if failed to decrypt" option is enabled. Logging in all security policies is enabled as well, and I'm logging all URL categories too. I attached a screenshot of my decryption policy.

HTTPS browsing traffic is treated and logged as it should be (one log in the Traffic tab as the "web-browsing" application and one in the URL Filtering tab); from the certificates used I can see that PA decrypts browsing traffic as it should.

However, there are tons of logs (for example from Microsoft cloud services clients) where traffic is logged as the SSL application in the Traffic log tab; it is also marked as decrypted traffic, and no logs appear in the URL Filtering log tab. I attached one such log. I made the assumption that if PA encounters an unknown type of application, it marks it as SSL traffic and allows it.
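The two checks jpa asks for above (which permitted sessions are logged as plain SSL, and whether each of them was actually decrypted) are easy to pull out of a traffic-log CSV export instead of scrolling the GUI. The script below is an added example for this thread, not Palo Alto Networks code. It assumes an export with the column names shown in the constructed sample, and that the Flags column carries the session-flags word in which bit 0x20000000 means "SSL session was decrypted"; that bit value is an assumption taken from memory of the PAN-OS log field reference and should be checked against the documentation for your release. The sample rows are constructed, not real log data, and use TEST-NET addresses.

```python
"""Triage a PAN-OS traffic-log CSV export for SSL sessions that stayed opaque.

Added example, not Palo Alto Networks code. Assumes the column names below and
that bit 0x20000000 of the Flags word marks a decrypted SSL session (assumption;
verify against your release's log field reference).
"""
import csv
import io
from collections import defaultdict

FLAG_DECRYPTED = 0x20000000  # assumption: "SSL session was decrypted (SSL proxy)"

# Constructed sample export, not real log data. Destinations are TEST-NET-2.
SAMPLE_EXPORT = """\
Receive Time,Source address,Destination address,Destination Port,Application,Action,Rule,Flags
2013/05/14 10:01:02,10.1.1.10,198.51.100.20,443,web-browsing,allow,allow-internet,0x20400000
2013/05/14 10:01:05,10.1.1.10,198.51.100.21,443,ssl,allow,allow-internet,0x20400000
2013/05/14 10:01:07,10.1.1.11,198.51.100.22,443,ssl,allow,allow-internet,0x00400000
2013/05/14 10:01:09,10.1.1.12,198.51.100.23,443,ms-update,allow,allow-internet,0x20400000
2013/05/14 10:01:11,10.1.1.13,198.51.100.24,443,unknown-tcp,allow,allow-internet,0x20400000
2013/05/14 10:01:13,10.1.1.14,198.51.100.25,8443,ssl,allow,allow-internet,0x00400000
"""


def parse_traffic_log(text):
    """Return one dict per row, with the Flags word decoded into a 'decrypted' bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = int(row["Flags"], 16)
        rows.append({
            "src": row["Source address"],
            "dst": row["Destination address"],
            "dport": int(row["Destination Port"]),
            "app": row["Application"],
            "action": row["Action"],
            "rule": row["Rule"],
            "decrypted": bool(flags & FLAG_DECRYPTED),
        })
    return rows


def per_app_counts(rows):
    """Count sessions per application, split by whether the firewall decrypted them."""
    counts = defaultdict(lambda: {"decrypted": 0, "opaque": 0})
    for r in rows:
        counts[r["app"]]["decrypted" if r["decrypted"] else "opaque"] += 1
    return dict(counts)


def decrypted_but_still_ssl(rows):
    """Sessions that were decrypted yet still logged as plain 'ssl'.

    These are the sessions the original poster describes: App-ID saw the
    cleartext and still mapped it to nothing more specific. Each one is a
    candidate for a closer look at the client or for a custom App-ID.
    """
    return [r for r in rows if r["decrypted"] and r["app"] == "ssl"]


def ssl_not_decrypted(rows):
    """Permitted 'ssl' sessions that were never decrypted.

    With a decrypt-everything policy each of these is a policy miss: an
    excluded category, a no-decrypt rule, or a handshake the proxy could not
    complete with 'block if failed to decrypt' disabled.
    """
    return [r for r in rows if r["app"] == "ssl" and not r["decrypted"]]


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_EXPORT)
    for app, c in sorted(per_app_counts(rows).items()):
        print(f"{app:14s} decrypted={c['decrypted']} opaque={c['opaque']}")
    print("decrypted but still logged as 'ssl':")
    for r in decrypted_but_still_ssl(rows):
        print(f"  {r['src']} -> {r['dst']}:{r['dport']} via rule {r['rule']}")
    print("'ssl' sessions never decrypted:")
    for r in ssl_not_decrypted(rows):
        print(f"  {r['src']} -> {r['dst']}:{r['dport']} via rule {r['rule']}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the two lists separate the "decrypted and still SSL" cases this thread is about from plain decryption-policy misses, which need a different fix.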
