Paloalto VPN Traffic Inspection.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Paloalto VPN Traffic Inspection.

L1 Bithead

 

I have a question regarding Paloalto VPN Traffic Inspection.

Is there a way to inspect traffic that users inside use commercial VPN (free VPN program) on the outside Internet?

 

2 accepted solutions

Accepted Solutions

Hi @LeeDongwon ,

 

It would say in general no, you cannot.

 

If the VPN client is using IPsec there is no way for the firewall to decrypt it and inspect it. As mentioned here https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/tunnel-content-inspection/tunn... only none-encrypted IPsec can be inspected.

 

If the VPN client is using SSL,I would assume it is possible to decrypt it with SSL decryption policy, BUT this means the firewall will need to replace the server certificate. And I would assume that most SSL VPN clients are using certificate pinning (expect specific server certificate).

 

Most free VPN clients are using SSL, so you may decrypt it with SSL decryption policy, but my guess this will break the client and will not connect (because the server cert will be signed by different CA)

View solution in original post

Cyber Elite
Cyber Elite

@LeeDongwon,

So I'll preface this by saying that there's a difference between doing something and doing it reliably, but you can identify some traffic to popular VPN programs and proxies. Nord would be an example where inspecting the traffic can see some of it's traffic identified properly as nordvpn, and you could then build a group to block those identified clients for violating policy. If you're inspecting all outbound traffic it also breaks the app from functioning unless you modify some default settings.

Again though, even in that example it doesn't properly identify most traffic and the certificate mismatch issue can be bypassed by the user. 

 

If you're looking for simple best effort to say that you're attempting to block them then just block the proxy-avoidance-and-anonymizers category for all internal users. That's the easiest way to deal with it without causing too much work and playing a constant cat and mouse came with it.

If you actually need to prevent them from a compliance aspect the proper way would be to block them from installing something that you don't want via things like AppLocker and extension blocking for web browsers. For clients that absolutely needed this layer on the firewall as well, what I've done in the past is enforce a GlobalProtect connection on all clients for network access. Then you can utilize HIP to check for VPN indicators (you'll need to utilize custom checks for this) and block access if anyone is identified running VPN software that isn't GlobalProtect. 

View solution in original post

2 REPLIES 2

Hi @LeeDongwon ,

 

It would say in general no, you cannot.

 

If the VPN client is using IPsec there is no way for the firewall to decrypt it and inspect it. As mentioned here https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/tunnel-content-inspection/tunn... only none-encrypted IPsec can be inspected.

 

If the VPN client is using SSL,I would assume it is possible to decrypt it with SSL decryption policy, BUT this means the firewall will need to replace the server certificate. And I would assume that most SSL VPN clients are using certificate pinning (expect specific server certificate).

 

Most free VPN clients are using SSL, so you may decrypt it with SSL decryption policy, but my guess this will break the client and will not connect (because the server cert will be signed by different CA)

Cyber Elite
Cyber Elite

@LeeDongwon,

So I'll preface this by saying that there's a difference between doing something and doing it reliably, but you can identify some traffic to popular VPN programs and proxies. Nord would be an example where inspecting the traffic can see some of it's traffic identified properly as nordvpn, and you could then build a group to block those identified clients for violating policy. If you're inspecting all outbound traffic it also breaks the app from functioning unless you modify some default settings.

Again though, even in that example it doesn't properly identify most traffic and the certificate mismatch issue can be bypassed by the user. 

 

If you're looking for simple best effort to say that you're attempting to block them then just block the proxy-avoidance-and-anonymizers category for all internal users. That's the easiest way to deal with it without causing too much work and playing a constant cat and mouse came with it.

If you actually need to prevent them from a compliance aspect the proper way would be to block them from installing something that you don't want via things like AppLocker and extension blocking for web browsers. For clients that absolutely needed this layer on the firewall as well, what I've done in the past is enforce a GlobalProtect connection on all clients for network access. Then you can utilize HIP to check for VPN indicators (you'll need to utilize custom checks for this) and block access if anyone is identified running VPN software that isn't GlobalProtect. 

  • 2 accepted solutions
  • 1929 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!