05-11-2018 09:10 AM
PAN-OS 8.0.x
We have users not receiving updates for Windows Insider Program builds when SSL decryption is enabled.
Does anyone know what changes need to be made to make this work? I've solved a few other SSL decryption issues where decrypt-exceptions needed to be added or the CA imported as a trusted CA in the PA, but so far I have been unable to identify what needs to be done for this. I've seen decrypt-error and decrypt-cert-validation coming from this PC around the time of an update check so I know a cert probably needs to be added to the PA but have not yet been able to identify which one.
I temporarily used a decrypt profile that does not verify the CA but that alone did not fix it so we'll likely also need to add some exceptions as well. This was for testing - I am not going to keep a decrypt profile that does not verify CA.
05-16-2018 12:12 PM - edited 05-16-2018 12:13 PM
I found this in another live community posting regarding Windows updates. The exceptions were:
*.do.dsp.mp.microsoft.com
*.delivery.mp.microsoft.com
Once I added this, it started working.
05-11-2018 09:16 AM
Hello,
I could be wrong, but I think it uses the same update sites?
https://technet.microsoft.com/en-us/library/bb693717.aspx
Hope this helps.
05-11-2018 09:33 AM
I don't know in great detail about how it works, but I suspect it probably works differently. Normal windows downloads the updates - Insider updates download the build updates to upgrade to the next build. I believe this is more like an image then an update package.
05-11-2018 11:52 AM
Just curious, but do you know if the normal Windows update sites need to have SSL decryption exceptions in order to work with PAN-OS 8.0?
05-11-2018 11:54 AM
Hello,
All the URL's in that article should not be decrypted.
Regards,
05-12-2018 07:35 PM
It kind of sounds like you could be running into an instance that a lot of enterprises find themselves in, and I'm going to make some assumptions about your enviroment that may or may not be true.
1) You utilize WSUS/SCCM for the 'normal' endpoints to download their updates.
2) You don't run with SSL-Decryption either on your entire server VLAN or specifically for the WSUS/SCCM server.
3) These are the only users you have that require updates directly from Microsoft, as all others would update from the server.
Regardless of what the situation is, @OtakarKlier is right that you can't decrypt this traffic due to how the computer and Microsoft authenticate when pulling the updates from Microsoft's servers. I have multiple users utilizing the Insider program, myself included, and I didn't need to modify anything to get this to function correctly.
05-14-2018 07:18 AM - edited 05-14-2018 07:20 AM
I am a little confused. You said you didn't need to modify anything to get it working but you also said you can't decrypt this traffic. Do you mean that you did needed to add to the no-decrypt URLs as per the article for the regular windows updates but after that you did not need to do anything else for windows insider updates?
You are right, we are early in the outgoing on 443 decryption so it is not yet widespread, and also most windows workstations and servers do get central updates. We are on all Windows 10 if it makes a difference, I have read some things saying it might get updates differently or from a different place. I was hoping I would not need to add decrypt exceptions for windows since some exist by default, but if needed I will add exceptions.
Thanks!
05-14-2018 08:00 AM
What I was trying to say is that I didn't need to modify anything for my users running Insider builds outside of the decryption exceptions that I've already put in place for other users to pull normal Windows Updates. As @OtakarKlier mentioned Updates require a few decryption exceptions for them to work properly.
05-14-2018 08:02 AM
Thank you, I will give it a try and see what happens.
05-16-2018 12:12 PM - edited 05-16-2018 12:13 PM
I found this in another live community posting regarding Windows updates. The exceptions were:
*.do.dsp.mp.microsoft.com
*.delivery.mp.microsoft.com
Once I added this, it started working.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
