SSL Decryption and Application Default

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption and Application Default

L0 Member

Best practice for building security policy is.  For allow traffic always define the service as application-default, that way you only create session for applications on there default port and only perform application ID for those session this reducing the load on the unit from both a session and application id perspective.

This works great, untill you switch on SSL decryption.  At these point all your traffic starts failing as the traffic is now not on the default port of the application but more than likely on port 443.  So far the only solution to this problem is to change all the services to all, which increases the session count and increases the load on the app id processor.

What is the solution to this problem?  I feel this problem can only be resolved by one of two ways.

1. Set all applications default ports to include 443

or

2. Allow the ability to define application default and additional services in the service column.

Can someone please advise, is there a feature request for this feature, without it I don't see the SSL decryption functionality to be much more than a tick in the box rather than a feasible solution to larger deployments?

2 REPLIES 2

L6 Presenter

With ssl-d enabled, apps with default port of 80 running through the ssl tunnel will not match the app-default for service. Web-Browsing on app-default allowed and ssl on app-default allowed, PAN device will not allow web-browsing over ssl that has been decrypted. You'll need to explicitly allow web-browsing on 443.

-Renato    

Hi,

Now the simplest workaround is to create a policy to allow web-browsing over port 80 and 443.

That should help.

Regards,

Jones

  • 2420 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!