issue with SSL decrypt-forward proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

issue with SSL decrypt-forward proxy

L3 Networker

Customer Network configured with SSL decrypt-forward proxy. Now they can't able to browse more sites (eg:birdres.com, sap.snn,etc).

They were not satisfied with exclude ssl decrypt. (due to more no.of sites in exclude list). Is there any other way?

Thanks

1 accepted solution

Accepted Solutions

Hi All,

Thank You for your replies.

I opened a TAC case for this issue.

TAC engineer said these two sites requiring the client side authentication. He also demonstrates it using HTTP Watch( HTTP debugger).

So this two sites also in SSL-decrypt exclude list for PAN FW.

View solution in original post

8 REPLIES 8

L5 Sessionator

Hi all,

How is configured you decryption policy ?

If you access for exemple to http://www.birdres.com, decryption should have no impact on it because it's http and not ssl.

which PA model ? wich version ?

Please read: How to Implement SSL Decryption

Hope help

V.

L7 Applicator

Hello Javith,

Could you please verify the URL's, which is not working as expected with below mentioned list. There are few applications that do not play well when decryption is turned on, on the PA firewall.

Here is a document with a list of the applications we've already identified that should be excluded from decryption:

List of Applications Excluded from SSL Decryption  

Reference doc: How to Exclude a Single URL from SSL Decryption

Thanks

Hi Hulk,

When browsing http://www.birdres.com (and 70 other sites ) they got the certification error message in browser. Customer don't want to configure exclude-list for those 70sites-not related to ur exclude rule (which will keep on increasing). If they proceed with the certification error msg then webpage loaded and displayed. then again got cert error within a second.

This may be relevant:

SSL Decryption for Some Site Shows as Not Trusted

I checked https://www.birdres.com (rather than http://) and found that it does not use the GoDaddy intermediate CA referenced in the above article, but it's possible that the "Verisign Class 3 International Server CA - G3" intermediate CA is in the same boat as the article I provided.

Try grabbing that Verisign intermediate CA and installing it as a trusted root on the firewall that is doing the decryption.

Hope this helps,

Greg

Hi,

Can i copy the same root CA (which is in the article) and load into the firewall ?

Thanks

The one in the article is not a root, but rather an Intermediate CA. It's for GoDaddy, and you're welcome to install it (I recommend doing so in fact). It won't help you if the Verisign cert I talked about is missing, because Verisign is not GoDaddy so you'd need to get the Verisign cert separately.

My recommendation is to try the steps in the article, and see if the number of sites you have issues with is reduced at all. If not, then the issue discussed in the article may not be what you are affected with.

Best,

Greg

Hi all,

I loaded the CA as per gwesson recommendation. But two of these sites(will keep increasing) remains with cert error.

I see the certificates of these two sites(scn.sap.com/welcome and birdres.com) - both doesn't have public audit records and not trusted.

one site with verisign and other site with geo trust cert..Anybody please suggest.

Thanks

Hi All,

Thank You for your replies.

I opened a TAC case for this issue.

TAC engineer said these two sites requiring the client side authentication. He also demonstrates it using HTTP Watch( HTTP debugger).

So this two sites also in SSL-decrypt exclude list for PAN FW.

  • 1 accepted solution
  • 3751 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!