I have question with SSL decryption.

L0 Member

Hi there.

A few days ago, I changed one of my client's F/W.

Everything was okay, but decryption wasn't working.

After a few tries, I found out what problem was causing those issues.
(added a decryption profile and changed the policies (service: application-default -> any))
But I don't know why I have to add a profile and change the service. So please let me know why it has to be that way.

Here is the information:

Before:
Model: 3050
Version: 7.1.7
Mode: VW
HA: A-A

After:
Model: 3260
Version: 8.1.7
Mode: L3
HA: A-P

Thank you.

Cyber Elite

Re: I have question with SSL decryption.

Hello,

Was decryption working prior to the HA change? If not, then the policies are incorrect because of decryption.

I.e., the firewall will detect ssl over tcp/443 and then decrypt it; the traffic is then reinspected and is determined to be web-browsing over tcp/443 instead of tcp/80, so it breaks unless you allow web-browsing over tcp/443.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

Hope that helps.

Cyber Elite

Re: I have question with SSL decryption.

I think I may see/understand your situation.

Prior to 9.x software, the PAN-OS software did not include secured ports in its App-ID.

Example:

When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (the port does not change).

Because 443 is not app-default for web-browsing, it is no longer a match.

If the policy was app-default, then you would need to change web-browsing to allow 80, 8080, and 443, or change the service to any.

Maybe this is your issue?
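The two replies above describe the same mechanism: after decryption the session is re-identified as web-browsing but stays on tcp/443, so a rule with service application-default stops matching. The following is an added example (not Palo Alto Networks code and not from either reply) that models that rulebase behaviour so the effect can be checked offline. The port table is a simplified assumption taken from the replies (ssl on tcp/443, web-browsing on tcp/80 and tcp/8080); real App-ID default port lists are larger, and the 9.x-style table that adds 443 to web-browsing is likewise an assumption based on the second reply.

```python
"""Toy model of PAN-OS 'application-default' matching across SSL decryption.

Added example, not vendor code. Port tables are simplified assumptions
drawn from the forum replies, not the real App-ID database.
"""
from dataclasses import dataclass, field

# Assumed pre-9.x application-default ports (see lead-in).
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "web-browsing": {80, 8080},
}

# Assumed 9.x-style table where the secured port counts as default for
# the decrypted application, as the second reply describes.
APP_DEFAULT_PORTS_9X = {
    "ssl": {443},
    "web-browsing": {80, 8080, 443},
}


@dataclass(frozen=True)
class Session:
    app: str   # application as identified by App-ID
    port: int  # destination TCP port; unchanged by decryption


@dataclass
class Rule:
    name: str
    apps: set
    service: str                              # "application-default", "any" or "custom"
    custom_ports: set = field(default_factory=set)
    action: str = "allow"

    def matches(self, s: Session, app_default_ports=APP_DEFAULT_PORTS) -> bool:
        if s.app not in self.apps:
            return False
        if self.service == "any":
            return True
        if self.service == "custom":
            return s.port in self.custom_ports
        # application-default: the identified app must be on one of its default ports
        return s.port in app_default_ports.get(s.app, set())


def decrypt(s: Session, inner_app: str) -> Session:
    """Decryption step: App-ID re-identifies the inner application, port stays the same."""
    return Session(app=inner_app, port=s.port)


def evaluate(rules, session, app_default_ports=APP_DEFAULT_PORTS):
    """First-match evaluation of a rulebase; returns (rule name, action) or (None, 'deny')."""
    for r in rules:
        if r.matches(session, app_default_ports):
            return r.name, r.action
    return None, "deny"


def walk_through(rule, app_default_ports=APP_DEFAULT_PORTS):
    """Evaluate one rule before and after decryption of an ssl:443 session.

    Returns ((name, action) before decryption, (name, action) after decryption).
    """
    encrypted = Session("ssl", 443)                       # constructed sample session
    before = evaluate([rule], encrypted, app_default_ports)
    after = evaluate([rule], decrypt(encrypted, "web-browsing"), app_default_ports)
    return before, after


if __name__ == "__main__":
    apps = {"ssl", "web-browsing"}
    for rule in (
        Rule("allow-web", apps, "application-default"),
        Rule("allow-web", apps, "any"),
        Rule("allow-web", apps, "custom", {80, 8080, 443}),
    ):
        print(rule.service, walk_through(rule))
    print("9.x-style table", walk_through(Rule("allow-web", apps, "application-default"),
                                          APP_DEFAULT_PORTS_9X))
```

Running it shows the app-default rule allowing the encrypted ssl:443 session but denying the same flow once it is re-identified as web-browsing:443, while service any, a custom service covering 80/8080/443, or the 9.x-style port table all keep the decrypted session matching. Service any is the broadest of the three; a service object that lists only the ports the rule actually needs keeps the policy tighter.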
