For details on cookie usage on our site, read our Privacy Policy
OSX update and Decryption
- LIVEcommunity
- Discussions
- General Topics
- OSX update and Decryption
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2019 01:27 PM
I've installed our Root CA cert in the "System" keychain, and have it marked as trusted. I can successfully decrypt web traffic from a MAC running Mojave. No problems there.
The problem comes in when I try updating the OSX or even check for updates from the CLI.
When I run "softwareupdate -l" in terminal, In the logs on the firewall it appears to be coming through as web browsing app, and getting decrypted.
I ran a packet capture, and it shows the client is resetting the connection after succesffuly going out to swscan.apple.com, which is not whitelisted for decryption exclusions. Has anyone run into issues when trying to decrypt on OSX with a trusted root cert, while trying to update the operating system itself?
Guessing adding these domains to decryption exclusion is going to fix this?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2019 06:48 PM
Whitelist the following:
- gg.apple.com
- gnf-mdn.apple.com
- gnf-mr.apple.com
- gs.apple.com
- ig.apple.com
- mesu.apple.com
- skl.apple.com
- swcdn.apple.com
- swdist.apple.com
- swdownload.apple.com
- swpost.apple.com
- swscan.apple.com
- updates-http.cdn-apple.com
- updates.cdn-apple.com
- xp.apple.com
That should take care of the software updates and allow your clients to actually update successfully.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-10-2019 07:04 AM
Correct. Exclude those domains from decryption and your clients should be able to check for and download updates again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2019 06:48 PM
Whitelist the following:
- gg.apple.com
- gnf-mdn.apple.com
- gnf-mr.apple.com
- gs.apple.com
- ig.apple.com
- mesu.apple.com
- skl.apple.com
- swcdn.apple.com
- swdist.apple.com
- swdownload.apple.com
- swpost.apple.com
- swscan.apple.com
- updates-http.cdn-apple.com
- updates.cdn-apple.com
- xp.apple.com
That should take care of the software updates and allow your clients to actually update successfully.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-10-2019 07:00 AM - edited 09-10-2019 07:01 AM
Perfect! As always, an excellent reply! Thank you. When you say whitelist- you mean exclude decryption right?
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-10-2019 07:04 AM
Correct. Exclude those domains from decryption and your clients should be able to check for and download updates again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-18-2020 01:18 AM
Hi,BPry
>Whitelist the following:
>....
Andrew
- Issues with sending Email Updates from Palo Alto Firewall in General Topics
- Migrate Panorama to AWS in Panorama Discussions
- Endpoint Remote Agent Update Failed (Good connection) in Cortex XDR Discussions
- User insertion fail with keep alive header enable in Next-Generation Firewall Discussions
- I want to attach attachment in incident using playbook. in Cortex XSOAR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
