This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption and Application Default

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption and Application Default

migration
L0 Member

‎10-12-2011 11:25 AM

Best practice for building security policy is.  For allow traffic always define the service as application-default, that way you only create session for applications on there default port and only perform application ID for those session this reducing the load on the unit from both a session and application id perspective.

This works great, untill you switch on SSL decryption.  At these point all your traffic starts failing as the traffic is now not on the default port of the application but more than likely on port 443.  So far the only solution to this problem is to change all the services to all, which increases the session count and increases the load on the app id processor.

What is the solution to this problem?  I feel this problem can only be resolved by one of two ways.

1. Set all applications default ports to include 443

or

2. Allow the ability to define application default and additional services in the service column.

Can someone please advise, is there a feature request for this feature, without it I don't see the SSL decryption functionality to be much more than a tick in the box rather than a feasible solution to larger deployments?

0 Likes Likes
2 REPLIES 2

gswcowboy
L6 Presenter

‎10-16-2011 05:32 PM

With ssl-d enabled, apps with default port of 80 running through the ssl tunnel will not match the app-default for service. Web-Browsing on app-default allowed and ssl on app-default allowed, PAN device will not allow web-browsing over ssl that has been decrypted. You'll need to explicitly allow web-browsing on 443.

-Renato    

jleung
L4 Transporter
In response to gswcowboy

‎10-16-2011 10:30 PM

Hi,

Now the simplest workaround is to create a policy to allow web-browsing over port 80 and 443.

That should help.

Regards,

Jones

  • 2186 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks