- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
SSL decryption and Http redirection
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- SSL decryption and Http redirection
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSL decryption and Http redirection
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-26-2011 07:26 AM
Hi,
I am testing SSL decryption and it seems to work fine except when Http redirection is involved. E.g. when you try to connect to Https://gmail.com , google redirects you to https://www.google.com and it gives me a certificate error because of the hostname in the cert does (www.google.com in this case)not match with the hostname that you are connecting to (gmail.com originally). Is there some way of working around this ? I am using PANOS 4.0.4.
Regards,
Sunil
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-30-2011 09:38 AM
Hi Sunil,
Have you tried to access other SSL site? Do you see the cert error?
Even you have been redirected from gmail to www.google.com/mail, our device should self-signed another SSL cert in realtime. I wonder if actually the error will show up even you are accessing other SSL site with SSL decryption enabled as well.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-30-2011 09:43 AM
I agree sounds like your firewall certificate isn't trusted If certificates are working should see no error Another example is going to bankofamerica.com will will redirect to www and redirect to https Remember with new browsers they also don't like device self signed certificates and you will likely need a pki or 3rd party
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-30-2011 09:58 AM
Hi jleung,
Thanks for the response , I do not get the error when I access the other SSL webpages e.g. https://facebook.com https://twitter.com, the firewall sigins and I can see it in the details.
The error on IE is as follows when I connect to Https://gmail.com
The following article says that 3rd party certs cannot be used.
https://live.paloaltonetworks.com/message/7870
Regards,
Sunil
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2011 09:05 AM
Hi Sunil,
I think there maybe something wrong with your cert setting.
For SSL decryption to work, our box need to have either an imported or self generated CA cert. For 4.0.x, you need to go to device -> certificate to generate one. When you generate it, remember to check the box "certificate authority". After that please click on the cert that you have just created and choose "forward trust certificate". Make sure you have chosen "SSL forward proxy" in the option field of the decryption policy. Commit your change.
Now if you go to any of the HTTPS website, you should always see the cert error from the browser, and when click on the cert, you should see it is issued by the PA box.
Remember that we need a CA cert for SSL decryption to function, so that we can always enumerate the original website SSL cert on the fly. It doesn't bind to any websites. The browser will always show the error prompt though the cert cn name and expiry date are valid and matched, because the SSL cert is issued/signed by our box rather than any of the trust CA by Windows/MAC OS.
If you don't want to see the error prompt, you could leverage AD to install all the certs to your corporate PCs, or leverage your corporate CA server (if there is one) to create a subordinate CA cert and import it to PA box.
Using 3rd party signed cert (e.g. bought one from Verisign) can never help you, as those 3rd parties are selling you site cert but not CA cert. And we need CA cert which can sign certs.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2011 02:19 PM
Hi Sunil did you ever find out the answer to your question?
I'm running into the same issue on a project I'm working on due to a coworkers temporary incapacitation. If it go to https://www.gmail.com I will get an error saying The security certificate presented by this website was issued for a different website’s address. If I view the certificate I see that by my PA-2020(which is a trusted root) however the certificate has been issued to mail.google.com hence the error because the browser is expecting to see a certificate for www.gmail.com. Figured I'd check the forums before opening a case
Mike
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-16-2012 03:22 AM
Hey
did you solved this issue?
we are running 4.1.6 and have simmilar poblems with gmail when it is redirected to the https url
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-16-2012 06:36 AM
SSL decryption has been running fine for most website but it's true https://www.gmail.com is one of the few that is creating troubles.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-16-2012 07:39 AM
can you tell me the reason ?
thank you
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-16-2012 08:02 AM
My opinion is the following : www.gmail.com is hosted on same server than www.google.com , to achieve that Google didn't create (for once) a multi SAN SSL certificate but relies on TLSv1 feature that allows Client and Server to negociate which certificate to use.
If client asks for www.gmail.com, Server will present gmail.com certificate, if Client asks mail.google.com during TLS negociation then Server will present mail.google.com certificate.
As PA seems to fails explicitly on those I have several theories:
- PA doesn't support TLS certificate negociation when you ask it to decrypt so it will fallback to default presented certificate: mail.google.com.
- PA caches which certificate is associated to an IP (for performance benefits) and will reuse it next time you connect, whatever you are trying to negociate (until cache expires)
- A mix of the above theories.
- Authentication of Users through Captive portal query in General Topics
- Psiphon blocking in a non-decrypted network in General Topics
- Captive Portal HTTPS SSL decrypt in General Topics
- http to https redirect in General Topics
- can we allow sign in to webex only using defined company account ? in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
