PAN-OS 7.1 - SSL Decryption Issues

L6 Presenter

Re: PAN-OS 7.1 - SSL Decryption Issues

If there's no decrypt policy, the traffic would be identified as app=SSL port=tcp/443 as seen in your log screenshot.  The PA would not be identifying other apps inside of that SSL session so the session stays at SSL.

 

If SSL decryption is triggered, we would initially see the app=SSL port=tcp/443.  Once decryption occurs, the PA can see inside the SSL session and ID other apps.  However, all apps tied to this session will be running over port tcp/443.

 

I just tested with 7.1.0 and I was able to hit multiple SSL sites (bank, google, yahoo mail, gmail) and the SSL decryption worked for me.  Here's a snapshot of my traffic log where the app web-browsing was discovered after decryption and it occurs over port tcp/443.

 decrypt-log.png

 

Thanks,

L3 Networker

Re: PAN-OS 7.1 - SSL Decryption Issues

Interesting... Can you send me your security rules example? Also, as this also affects other applications that could be wrapped in SSL for this session, does that mean in the case of say, RDP wrapped in SSL for View, will you now have to add 443 to the allow RDP rule? This is going to complicate the simplicity of writing rules for sure.

I will give this a shot again.

-Matt
L3 Networker

Re: PAN-OS 7.1 - SSL Decryption Issues

I ended up deleting my general rule and recreating your suggested rule and my existing rule and this seemed to do the trick.  Not quite sure why this made a difference.  Perhaps I fat fingered the rule before.

 

Ultimately, I feel that something as simple as not having 443 included in the web-browsing app as a potential port is going to cause a lot of grief and support tickets.  I appreciate the new method in which the rules are now handled, but we as engineers request that things remain simple.  I'm more concerned that other applications that may get bundled in SSL (but not have SSL in their app-id ports) may also fall victim to this issue.  I'm not quite sure how applications inside something such as an SSL VPN will be handled.


Thanks for the assistance in this, I learned something.

 

-Matt

L3 Networker

Re: PAN-OS 7.1 - SSL Decryption Issues

I had this same issue after upgrade from 7.0.12 to 7.1.7 and so far support has not been able to figure out why my decryption stopped working. I put in a rule for web-browsing for tcp/443 as suggested in this post and my decryption seems to be working again. Great work on this post, guys!

-Brad
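
The behaviour discussed in this thread, as an added example that is not part of any post and is not PAN-OS code: a simplified first-match policy model showing why a decrypted session on tcp/443 stops matching an `application-default` rule once App-ID shifts from ssl to web-browsing, and why an explicit web-browsing rule on tcp/443 restores it. The rule names, the default-port table (ssl on tcp/443, web-browsing on tcp/80) and the re-evaluation on application change are assumptions of the model.

```python
# Simplified model of first-match security policy evaluation (not PAN-OS code).
# Assumed App-ID default ports for this illustration only.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}

def rule_matches(rule, app, port):
    """A rule matches when both the application and the service (port) match."""
    if app not in rule["apps"]:
        return False
    if rule["service"] == "application-default":
        # Port must be one of the identified application's own default ports.
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in rule["service"]  # explicit set of TCP ports

def evaluate(rules, app, port):
    """Return (rule name, action) of the first matching rule, else implicit deny."""
    for rule in rules:
        if rule_matches(rule, app, port):
            return rule["name"], rule["action"]
    return "implicit-deny", "deny"

def session_verdicts(rules, decrypted, port=443):
    """Model assumption: policy is looked up again when the identified app changes.
    Without decryption the session stays app=ssl; with decryption it shifts to
    web-browsing while still running over the same port."""
    stages = ["ssl", "web-browsing"] if decrypted else ["ssl"]
    return [(app,) + evaluate(rules, app, port) for app in stages]

# Hypothetical rules (constructed for this example).
GENERAL = {"name": "general-web", "apps": {"ssl", "web-browsing"},
           "service": "application-default", "action": "allow"}
DECRYPTED_WEB = {"name": "web-browsing-443", "apps": {"web-browsing"},
                 "service": {443}, "action": "allow"}

if __name__ == "__main__":
    cases = [
        ("no decryption, general rule only", [GENERAL], False),
        ("decryption, general rule only", [GENERAL], True),
        ("decryption, explicit tcp/443 rule added", [GENERAL, DECRYPTED_WEB], True),
    ]
    for label, rules, decrypted in cases:
        print(label)
        for app, name, action in session_verdicts(rules, decrypted):
            print(f"  app={app:<13} port=tcp/443 -> {name} ({action})")
```
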