PA-VM not recognizing SSL and denying traffic

L4 Transporter

Hello,

We are implementing SSL Decryption on the PA.

Because of this forcepoint agent (that is installed on the workstation), the return traffic from the Internet (i.e. facebook.com, etc.) will be denied by the firewall as the SSL certificate has been changed by forcepoint and it is considered untrusted by the firewall.

Do you have any recommendation for this kind of setup?

L7 Applicator

Is the forcepoint certificate self-signed?

You could generate a certificate from the same root CA as the one you're using for decryption.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
Cyber Elite

Hello,

Also if you are using Applications to identify traffic, you will need to specify the 'Services/Ports' as well.

i.e. ssl is port 443 and web-browsing is port 80. With ssl decryption enabled, you will now see web-browsing traffic over port 443.

So you now have to adjust some of your policies as follows:

(screenshot: image.png)

Check the logs and see why the traffic is getting blocked.

Hope this helps!
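A small model of the point made in the reply above, added here as an illustration (it is not PAN-OS code and not from the poster): once decryption is on, the same session that was identified as ssl on tcp/443 is now identified as web-browsing on tcp/443, so a rule whose service list only covers web-browsing's usual port 80 stops matching. The rule structure, the `APP_DEFAULT_PORTS` table and the `decrypt()` helper are simplifications constructed for this example; real application-default port lists are larger.

```python
"""Toy policy matcher: shows why an application-based rule can stop matching
once SSL decryption exposes web-browsing on port 443. Constructed example."""

from dataclasses import dataclass


# Constructed stand-in for application-default ports, using the two values the
# reply quotes: ssl on 443, web-browsing on 80.
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "web-browsing": {80},
}


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset      # applications the rule allows
    services: frozenset  # explicit tcp ports, or {"application-default"}
    action: str


@dataclass(frozen=True)
class Flow:
    app: str   # application as identified by the firewall
    port: int  # destination tcp port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when the app is listed and the port is allowed for it."""
    if flow.app not in rule.apps:
        return False
    if "application-default" in rule.services:
        return flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.port in rule.services


def evaluate(rules, flow: Flow):
    """First-match evaluation; anything unmatched hits an implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def decrypt(flow: Flow) -> Flow:
    """What decryption changes for policy: the inner HTTP becomes visible, so the
    app shifts from ssl to web-browsing, while the port stays 443."""
    if flow.app == "ssl":
        return Flow("web-browsing", flow.port)
    return flow


# Rule as it was before decryption (only the usual port of each app).
BEFORE = [Rule("allow-web", frozenset({"ssl", "web-browsing"}),
               frozenset({"application-default"}), "allow")]
# Rule adjusted as the reply suggests: services spelled out to include 443.
AFTER = [Rule("allow-web", frozenset({"ssl", "web-browsing"}),
              frozenset({80, 443}), "allow")]


def demo():
    """Return the verdict for the same session in each state of the policy."""
    encrypted = Flow("ssl", 443)
    decrypted = decrypt(encrypted)
    return {
        "encrypted_before": evaluate(BEFORE, encrypted),   # ('allow-web', 'allow')
        "decrypted_before": evaluate(BEFORE, decrypted),   # ('implicit-deny', 'deny')
        "decrypted_after": evaluate(AFTER, decrypted),     # ('allow-web', 'allow')
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

When reading the traffic log for a blocked session, compare the application column with the destination port: a web-browsing entry on 443 that hits the implicit deny is the signature of this mismatch.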

L7 Applicator

To make it work, just take the CA certificate that your forcepoint system is using to create the certs for users.

Device tab > Certificate Management > Certificates > Import. Select the forcepoint CA's public key. Once that's done, click the cert name in the UI and click the "Trusted Root CA" checkbox. Hit ok, then commit.

The firewall should trust any future connections from that cert.

L4 Transporter

Hi @gwesson @OtakarKlier @reaper,

Thank you for the responses. We have been talking to Forcepoint regarding this. If it is possible then the problem is solved.

The issue is whether forcepoint will allow for installation of the SSL cert. If that's not possible, what solution do we have?

Another solution is to bypass certain URLs from using forcepoint. This is possible from the Forcepoint perspective as it allows you to bypass certain URLs (using domain names and wildcards).

However, this is not an ideal solution.

Cyber Elite

Hello,

What about not ssl decrypting the forcepoint traffic?

Just a thought.

L4 Transporter

Hi @OtakarKlier

We implemented SSL decryption for a certain URL category. It didn't work because the workstation has the forcepoint agent.

We tried the same on a workstation that has no forcepoint agent and SSL decryption worked fine.

If there's a forcepoint agent, forcepoint will intercept the traffic and perform its own encryption and then contact the forcepoint cloud service to perform URL Filtering and malware scanning before passing the traffic to the destination.

The return traffic follows the same path.

In summary, the firewall could not perform SSL Decryption because it thought the client didn't have the SSL certificate.

L4 Transporter

Hi all,

Closing this thread, as TAC has suggested a workaround for the time being, i.e. disable "block sessions with untrusted issuers" in the decryption profile. The FW will not deny the traffic even if we don't trust the forcepoint CA and forward the certificate to the client.
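The two remedies the thread ends on (importing the Forcepoint CA as a trusted root, per the earlier reply, or leaving it untrusted and disabling "block sessions with untrusted issuers", per TAC) differ in what the client ends up seeing. The example below is added here to make that difference concrete; it is not PAN-OS code and not from any poster. It models forward-proxy decryption as a chain walk against a trust store plus the one profile flag: a trusted chain is re-signed with the forward-trust CA, an untrusted chain is either blocked or re-signed with the forward-untrust CA, which clients do not trust and so warn about. The certificate names, the `Cert` type and the `forward_proxy_decision()` function are constructed for this illustration.

```python
"""Model of the decryption-profile decision discussed in this thread.
Constructed example: certificate names and trust stores are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def chain_is_trusted(chain, trusted_roots) -> bool:
    """Walk subject -> issuer links from the leaf; the chain is trusted when some
    link's issuer is in the trust store. Stops on a gap or a cycle."""
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    seen = set()
    while True:
        if cert.issuer in trusted_roots:
            return True
        if cert.subject in seen:
            return False
        seen.add(cert.subject)
        nxt = by_subject.get(cert.issuer)
        if nxt is None:          # issuer not in the presented chain nor trusted
            return False
        cert = nxt


def forward_proxy_decision(chain, trusted_roots, block_untrusted_issuers: bool):
    """Decide what the firewall does with a server certificate chain.

    forward_ca is which CA re-signs the certificate sent to the client;
    client_warning is True when that CA is the forward-untrust one, which by
    design is not in client trust stores (modelled assumption)."""
    if chain_is_trusted(chain, trusted_roots):
        return {"action": "decrypt", "forward_ca": "forward-trust", "client_warning": False}
    if block_untrusted_issuers:
        return {"action": "block", "forward_ca": None, "client_warning": False}
    return {"action": "decrypt", "forward_ca": "forward-untrust", "client_warning": True}


# Constructed chain as the firewall sees it once the agent has re-signed the site.
FORCEPOINT_CHAIN = (
    Cert("facebook.com", "Forcepoint Intercept CA (constructed)"),
    Cert("Forcepoint Intercept CA (constructed)", "Forcepoint Root CA (constructed)"),
)
# Stand-in for the firewall's default trust store.
PUBLIC_ROOTS = frozenset({"Example Public Root (constructed)"})


def scenarios():
    """The three states discussed in the thread."""
    return {
        # Original problem: untrusted issuer, block enabled -> traffic denied.
        "original_problem": forward_proxy_decision(FORCEPOINT_CHAIN, PUBLIC_ROOTS, True),
        # Earlier reply: import the Forcepoint CA as a trusted root.
        "import_ca": forward_proxy_decision(
            FORCEPOINT_CHAIN, PUBLIC_ROOTS | {"Forcepoint Root CA (constructed)"}, True),
        # TAC workaround: keep the CA untrusted, disable the block.
        "tac_workaround": forward_proxy_decision(FORCEPOINT_CHAIN, PUBLIC_ROOTS, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17s} -> {result}")
```

The model makes the trade-off visible: importing the CA keeps the untrusted-issuer check in force for every other site, whereas the workaround switches it off for every session the decryption profile applies to, so it is worth scoping that profile to the Forcepoint-inspected traffic rather than the whole decryption policy.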
