09-02-2015 05:51 AM
Today we use "ssl" AppID in firewall rules. In case we would enable SSL decryption, is it needed to add the AppIDs of the decrypted traffic to the firewall rules, e.g. web-browsing, java, flash, or is the AppID staying "ssl" even when traffic is decrypted?
09-02-2015 11:11 AM
Does that mean the rule for the decrypted traffic should not use "application-default", since the decrypted traffic is still on port 443 and not the default port 80 for web-browsing? Or is the firewall smart enough to refer to the original encrypted traffic when we refer to that service?
09-02-2015 11:29 AM
I am not completely sure now what direction are we talking about 🙂 In any case, I would try with application-default service and if that does not work I would change service to any or try to investigate a bit more why does that exactly happen.
Copied from help of the firewall (I open that question mark so often to check things):
application-default—The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocol which, if not intentional, can be a sign of undesired application behavior and usage.
Note that when you use this option, the device still checks for all applications on all ports but, with this configuration, applications are only allowed on their default ports and protocols.
So, with above in mind, again - if you did not change ports intentionally or go exotic with your setups, I think application-default would work.
Small disclaimer: I am still reluctant or a bit uncomfortable to make such general recommendation in either direction, I would rather help in understanding and everyone makes their own decisions at the end. We are all trying to enhance security of our networks here, and that means taking any recommendation with grain of salt and thinking how does it apply to your network.... I think it depends a lot on the granulation of the rules... for my home I have crude and rudimentary config, for work I always pay much more attention and spend more time thinking about it.
09-02-2015 12:03 PM
thank you for your extensive answers, much appreciated and helped me to understand the behavior. I also found a KB article about it: https://live.paloaltonetworks.com/t5/Configuration-Articles/After-Configuring-SSL-Decryption-Web-Bro...
I wish you could configure SSL decryption in a way that it does not change the AppID but just scans for threats and viruses in the content. Like this it makes large rulesets even larger and more complicated.
09-02-2015 12:22 PM
no problem. Thanks for sharing the link - it turns out I was wrong baudy, chances are you will have problems leaving it as application-default, it needs to be changed to either app you need or to any.
Anon1 - don't be discouraged, if it is inbound than it's ok and easy - it will be only one app and you already know what is it 🙂
In your case, considering your last link, it is outbound decryption - than, treat it as you treated it before, no additional rules are required? Because, now that you decrypt it does not mean you need to work more, it only means that you see more of your traffic. Same rules as before will apply (provided you change once from application default to individual applications in sec. policies or create an app group to ease that process if you will re-use app list). It requires _some_ work, in the worst case creating an app group and adding apps you needed once. Than in the rest of the rules only a small change is needed, from application default to your custom application list.
04-12-2021 05:33 PM
Sorry ONLY port 80 is allowed when the app is web-browsing https://applipedia.paloaltonetworks.com/
the decrypted traffic will be identified as web-browsing on port 443 and be denied unless a custom ssl is also permitted in the rule
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!