10-14-2015 09:32 AM
We just switched to PAN DB and are using the PAN to do SSL decryption. The policy i am using also does not have safe search enforcement enabled.
What i have tried is, do a packet capture and found the exact uri, exempted that uri from decryption and allowed it on the policy. Added addition domains and urls found on google searches to the same exemption. Clip art contiunes to come back with the thumbnails exed out. We have users on Office 2013 and thier clip art thumbnails work fine, as it looks like that version just does a bing image search.
Anyone seen the issue and have possible work arounds that i did not try?
10-15-2015 04:45 AM
Hi John
I'm not 100% clear on what you've set up but allow me to try and get you sorted
one important thing to consider when ssl is used, it that the URI in the http GET may differ significantly from the certificate's CN. Once ssl decryption is disabled, the http get will be invisible to the firewall so we can only base our actions on the CN or SNI.
if you filter out the IP of one of your hosts and try to load the clipart, can you differentiate which sessions are being blocked or which url lookups are denied (traffic log and url log). it may help in figuring out which url exactly is being blocked
If this isn't helpful, would you mind adding a few screenshots so we can see what you're seeing ?
thanks!
Tom
10-15-2015 06:29 AM
In my PCAPs the URI isnt HTTPS its HTTP, I first i thought it was the SSL decrytption that was causing the issue so i wrote an exception. But looks like that isnt necessary, but for some reason its still broken. It works fine for the same user off of our network and not going through our PAN.
10-20-2015 01:43 PM
From your screenshot, the URI matches the globalWhitelist category and the action=alert, so the request was not blocked. Just curious, what if you do not have any SSL decrypt policy applied to you, does it work?
10-22-2015 06:04 AM
When i am not going through the PAN clip art works perfectly fine, get back on the network and its broken again
10-27-2015 03:42 PM
What if you go thru the PA but disablle SSL decryption on your traffic. I want to know if SSL decryption is affecting the Clip Art access. Thanks.
10-29-2015 10:22 AM
I had the same problem, and I determined that it has to do with the fact that Microsoft moved all the clipart to bing.com and now when Office goes to read the PA is enforcing safe search and can not read it. Do you enforce safe search?
10-29-2015 11:10 AM
We do not enforce safe search on any of our policies. I saw this as a solution on Google but since i didnt have that enabled i was at a loss
10-29-2015 11:47 AM
I have the same problem and I thought it was safe search enforcement, but it sounds like maybe I was going down the wrong path.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
