06-18-2019 11:06 PM
Hi there.
A few days ago, I'd changed one of my client's F/W.
Everything was okay but decryption wasn't working.
After a few times, I found out what problem was causing the issue.
(added a decryption profile and changed policies (service: application-default -> any))
But I don't know why I have to add the profile and change the service. So please let me know why it has to be.
Here is the information:
Before :
Model : 3050
Version : 7.1.7
mode: VW
HA(A-A)
After :
Model : 3260
Version : 8.1.7
mode : L3
HA : A-P
Thank you.
06-19-2019 07:35 AM
Hello,
Was decryption working prior to the HA change? If not, then the policies are incorrect because of decryption.
I.e., the firewall will detect ssl over tcp/443, then decrypt it; the traffic is then reinspected and is determined to be web-browsing over tcp/443 instead of tcp/80, so it breaks unless you allow web-browsing over tcp/443.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
Hope that helps.
06-20-2019 02:30 PM
I think I may see/understand your situation.
Prior to 9.x software, the PAN-OS software did not include secured ports in its AppID.
Example:
When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (port does not change).
Because 443 is not app-default for web-browsing, it is no longer a match.
If policy was app-default then you would need to change web-browsing to allow 80, 8080, and 443, or change to service any.
Maybe this is your issue?
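
The matching behaviour described in the replies above, as an added example that is not part of any poster's reply and not Palo Alto Networks code. It is a simplified Python model: the `APP_DEFAULT_PORTS` table, the rule names and the helper functions are assumptions made for illustration, with the default ports taken from the thread (ssl on 443, web-browsing on 80).

```python
# Simplified model of pre-9.x security policy matching with SSL decryption.
# APP_DEFAULT_PORTS is an assumption for illustration, not an App-ID export.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}

# Constructed rules: the three service settings discussed in the thread.
RULES = {
    "app-default": {"apps": {"ssl", "web-browsing"}, "service": "application-default"},
    "service-any": {"apps": {"ssl", "web-browsing"}, "service": "any"},
    "custom-ports": {"apps": {"ssl", "web-browsing"}, "service": {80, 8080, 443}},
}

def rule_allows(rule, app, port):
    """Return True if the rule matches this application on this TCP port."""
    if app not in rule["apps"]:
        return False
    service = rule["service"]
    if service == "any":
        return True
    if service == "application-default":
        # The port must be a default port of the identified application itself.
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in service  # explicit set of TCP ports

def https_session(rule, decrypted):
    """Verdict per stage of one HTTPS session on tcp/443."""
    port = 443
    stages = ["ssl"]
    if decrypted:
        # After decryption the traffic is re-identified; the port stays 443.
        stages.append("web-browsing")
    return [(app, rule_allows(rule, app, port)) for app in stages]

def survives(rule, decrypted):
    """True only if every stage of the session is allowed by the rule."""
    return all(ok for _, ok in https_session(rule, decrypted))

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:13} no-decrypt={survives(rule, False)} "
              f"decrypt={survives(rule, True)}")
```

Only the `app-default` rule stops matching once decryption is enabled, because the re-identified web-browsing session is still on tcp/443.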