06-05-2014 01:22 AM
Customer network configured with SSL decryption (forward proxy). Now they are not able to browse a number of sites (e.g. birdres.com, sap.snn, etc.).
They are not satisfied with excluding sites from SSL decryption (due to the large number of sites in the exclude list). Is there any other way?
Thanks
06-05-2014 08:20 AM
Hi all,
How is your decryption policy configured?
If you access, for example, http://www.birdres.com, decryption should have no impact on it because it's HTTP and not SSL.
Which PA model? Which version?
Please read: How to Implement SSL Decryption
Hope this helps
V.
06-05-2014 08:39 AM
Hello Javith,
Could you please verify the URLs which are not working as expected against the list mentioned below. There are a few applications that do not play well when decryption is turned on on the PA firewall.
Here is a document with a list of the applications we've already identified that should be excluded from decryption:
List of Applications Excluded from SSL Decryption
Reference doc: How to Exclude a Single URL from SSL Decryption
Thanks
06-05-2014 09:35 AM
Hi Hulk,
When browsing http://www.birdres.com (and 70 other sites) they get a certificate error message in the browser. The customer doesn't want to configure an exclude list for those 70 sites, which are not related to your exclude rule (and the number will keep on increasing). If they proceed past the certificate error message, the web page loads and is displayed, then they get the cert error again within a second.
06-05-2014 09:52 AM
This may be relevant:
SSL Decryption for Some Site Shows as Not Trusted
I checked https://www.birdres.com (rather than http://) and found that it does not use the GoDaddy intermediate CA referenced in the above article, but it's possible that the "Verisign Class 3 International Server CA - G3" intermediate CA is in the same boat as the article I provided.
Try grabbing that Verisign intermediate CA and installing it as a trusted root on the firewall that is doing the decryption.
Hope this helps,
Greg
06-05-2014 10:28 AM
Hi,
Can I copy the same root CA (which is in the article) and load it into the firewall?
Thanks
06-05-2014 10:52 AM
The one in the article is not a root, but rather an Intermediate CA. It's for GoDaddy, and you're welcome to install it (I recommend doing so in fact). It won't help you if the Verisign cert I talked about is missing, because Verisign is not GoDaddy so you'd need to get the Verisign cert separately.
My recommendation is to try the steps in the article, and see if the number of sites you have issues with is reduced at all. If not, then the issue discussed in the article may not be what you are affected with.
Best,
Greg
06-05-2014 11:18 PM
Hi all,
I loaded the CA as per gwesson's recommendation. But two of these sites (and the number will keep increasing) remain with a cert error.
I checked the certificates of these two sites (scn.sap.com/welcome and birdres.com); both don't have public audit records and are not trusted.
One site has a Verisign cert and the other a GeoTrust cert. Could anybody please suggest something?
Thanks
06-11-2014 03:18 AM
Hi All,
Thank You for your replies.
I opened a TAC case for this issue.
The TAC engineer said these two sites require client-side authentication. He also demonstrated it using HTTP Watch (an HTTP debugger).
So these two sites are also in the SSL-decrypt exclude list for the PAN FW.
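Two causes come up in this thread: a server that does not send its intermediate CA (Greg's fix of installing the intermediate as trusted on the firewall) and a server that requests client-side authentication (the TAC finding), both of which show up in `openssl s_client -showcerts -msg` output. The helper below is an added example, not from the original posts or from Palo Alto Networks; the two sample outputs, site names and CA names are constructed.

```python
import re

# Constructed, abridged output in the shape of
#   openssl s_client -connect host:443 -servername host -showcerts -msg
# (PEM bodies dropped; only the "-msg" handshake lines and chain lines kept).
CLIENT_AUTH_SAMPLE = """\
<<< TLS 1.2, Handshake [length 00c8], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
Certificate chain
 0 s:CN = www.example-site.test
   i:O = Example CA, CN = Example Intermediate CA
"""

COMPLETE_CHAIN_SAMPLE = """\
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
Certificate chain
 0 s:CN = www.example-site.test
   i:O = Example CA, CN = Example Intermediate CA
 1 s:O = Example CA, CN = Example Intermediate CA
   i:O = Example CA, CN = Example Root CA
"""

SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$")  # " 0 s:CN = ..."
ISSUER_RE = re.compile(r"^\s+i:(.*)$")        # "   i:O = ..."

def analyse_s_client(output):
    """Summarise why an SSL forward proxy might fail for this server."""
    lines = output.splitlines()
    # A CertificateRequest from the server means client-side authentication;
    # the proxy cannot present the user's certificate, so decryption breaks.
    client_auth = any(msg.startswith("<<<") and "CertificateRequest" in msg
                      for msg in lines)
    chain, subject = [], None  # (subject, issuer) per cert the server sent
    for line in lines:
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    sent = {s for s, _ in chain}
    # Issuers the server did not send must come from the proxy's trust store;
    # an unsent intermediate (rather than the root) is what Greg's fix covers.
    unsent = [i for s, i in chain if i not in sent and i != s]
    return {
        "client_auth_requested": client_auth,
        "leaf_issuer_sent": bool(chain) and chain[0][1] in sent,
        "unsent_issuers": unsent,
    }
```

A site that reports `client_auth_requested` can only be excluded from decryption; a site whose `unsent_issuers` names an intermediate is a candidate for installing that intermediate on the firewall.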