Issues with SSL Forward Proxy in Lab Environment


L0 Member

Hi!

 

I've recently been trying to set up decryption on my PA-220 in a lab environment and have not been able to get it set up correctly so far. It is licensed, up-to-date, and currently running 8.1.

 

[Screenshots: decryptionpolicy001.png to decryptionpolicy004.png and benball_0-1635639604869.png (decryption policy settings)]

 

The steps that I've taken so far are to set up a decryption policy (the settings of which are included above), generate a self-signed certificate, set that certificate as the Forward Trust Certificate, commit, and install the certificate onto one of the machines.

 

[Screenshots: unknown.png and benball_0-1635641186575.png (traffic log entries)]

 

However, after each attempt, I'm getting the above traffic; I seemingly get an allow followed by a policy-deny against the interzone-default.

 

Does anyone have any ideas what I may be doing incorrectly? Any help is greatly appreciated.

 

Thanks!

 

 

Additionally, I'm including my general setup below. If any additional information is needed, feel free to ask.

 

[Screenshots: benball_1-1635639989884.png to benball_4-1635640149129.png (general setup)]

 

Accepted Solution

Cyber Elite

Hi @benball ,

 

This is very common with PAN-OS 8.1 and below. Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing. Web-browsing on tcp/443 does not match any of your rules and therefore is dropped by the interzone-default rule.

 

Create a new rule to allow web-browsing on service-https, and your configuration will work. This means that you configured decryption correctly! [Edit yet again.] Now that you are decrypting traffic, your NGFW will recognize many more web apps like facebook, google, etc. So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.

 

PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/fea...

 

Thanks,

 

Tom

 

PS You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.

 

Help the community: Like helpful comments and mark solutions.
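Added example, not from this thread or from Palo Alto Networks: a toy Python model of the policy re-match Tom describes. The rule names and the two App-ID default-port tables are constructed for illustration (the real App-ID database is far larger); the model reproduces the allow-then-policy-deny pair on an 8.1-style table and shows both remedies, the extra web-browsing/service-https rule and a 9.0-style table where tcp/443 is a secure port for web-browsing.

```python
from dataclasses import dataclass

# Constructed App-ID "standard port" tables. The 8.1-style table lists only
# tcp/80 for web-browsing; the 9.0-style table adds the secure port tcp/443.
APP_DEFAULT_PORTS_81 = {"ssl": {443}, "web-browsing": {80}}
APP_DEFAULT_PORTS_90 = {"ssl": {443}, "web-browsing": {80, 443}}


@dataclass
class Rule:
    name: str
    apps: set       # {"any"} or a set of App-ID names
    service: str    # "application-default", "any" or "service-https"
    action: str     # "allow" or "deny"


def service_matches(rule, app, port, app_ports):
    if rule.service == "any":
        return True
    if rule.service == "service-https":
        return port == 443
    # application-default: the port must be a standard port for this App-ID
    return port in app_ports.get(app, set())


def match(rules, app, port, app_ports):
    """Return (rule name, action) for the first rule matching the session.
    A session that matches nothing hits the implicit interzone-default deny."""
    for r in rules:
        if ("any" in r.apps or app in r.apps) and service_matches(r, app, port, app_ports):
            return r.name, r.action
    return "interzone-default", "deny"


def decrypted_session_outcome(rules, app_ports):
    """One HTTPS session: matched first as App-ID 'ssl', then re-matched once
    the forward proxy reveals the decrypted App-ID 'web-browsing' on tcp/443."""
    before = match(rules, "ssl", 443, app_ports)
    after = match(rules, "web-browsing", 443, app_ports)
    return before, after


# Constructed lab policy: ssl and web-browsing allowed on application-default.
LAB_RULES = [Rule("allow-web-out", {"ssl", "web-browsing"}, "application-default", "allow")]
# The remedy from the answer: an explicit web-browsing rule on service-https.
FIXED_RULES = LAB_RULES + [Rule("allow-web-https", {"web-browsing"}, "service-https", "allow")]

if __name__ == "__main__":
    print("8.1, lab policy      :", decrypted_session_outcome(LAB_RULES, APP_DEFAULT_PORTS_81))
    print("8.1, with extra rule :", decrypted_session_outcome(FIXED_RULES, APP_DEFAULT_PORTS_81))
    print("9.0, lab policy      :", decrypted_session_outcome(LAB_RULES, APP_DEFAULT_PORTS_90))
```

The first case prints an allow on the lab rule followed by a deny on interzone-default, the same pair the original poster saw in the traffic log.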


Thank you for the help! That was the problem. I updated to PAN OS 9.0 and everything worked as expected.
