SSL Decryption and Reddit Posting


L0 Member

Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) and only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.

Now, users are still limited from messaging/chat/etc... but can post comments and new threads on the site.

This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering:

1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?

2. Why do I no longer see "reddit-posting" in my logs?

3. What can SSL decryption do--or can't do--to help me solve this issue?

4. Is this more so a question about how PA identifies appids for reddit?

2 REPLIES

Cyber Elite

@nreynders wrote: [quotes the original post above]

When you built the policy last year and it worked with the proper APP-ID being identified, had SSL decryption been configured? In general the answer is always going to be yes: to ensure proper application of policy and to identify traffic as the right APP-ID, SSL decryption will always need to be deployed. SSL decryption breaks open the SSL/TLS packets, exposing the encrypted payload. APP-ID is based on being able to properly see a packet's contents/payload. So if the packet is encrypted, there is certainly going to be a limitation on Palo's ability to apply the correct application to traffic traversing the firewall.
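To make the "what can the firewall see" point concrete, here is an added example (mine, not from the reply above or from Palo Alto Networks). It contrasts a classifier that only sees the TLS ClientHello, where the Server Name Indication is the one cleartext clue, with one that sees the decrypted HTTP request. The ClientHello builder, the request builder, the reddit.com hostname match and the /api/comment and /api/submit paths are assumptions for illustration; they are not the real App-ID signatures.

```python
import struct

SNI_EXTENSION = 0  # TLS extension type for server_name (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record whose only
    extension is server_name. Not a real capture."""
    host = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry         # ServerNameList
    extension = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                           # client_version TLS 1.2
        + b"\x00" * 32                        # random (zeros for the sample)
        + b"\x00"                             # session_id length 0
        + b"\x00\x02\x13\x01"                 # one cipher suite
        + b"\x01\x00"                         # null compression
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                           # not a TLS handshake / ClientHello
    hs = record[5:]
    try:
        pos = 4 + 2 + 32                      # handshake header, version, random
        pos += 1 + hs[pos]                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                    # compression_methods
        if pos + 2 > len(hs):
            return None                       # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SNI_EXTENSION:
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                           # malformed or truncated hello
    return None


def classify_encrypted(record: bytes) -> str:
    """Without decryption the only application clue is the SNI hostname."""
    if not record or record[0] != 0x16:
        return "unknown-tcp"
    sni = parse_sni(record)
    if sni and (sni == "reddit.com" or sni.endswith(".reddit.com")):
        return "reddit-base"                  # hostname alone cannot reveal posting
    return "ssl"


def build_http_request(method: str, path: str, host: str, body: bytes = b"") -> bytes:
    """Constructed sample of the plaintext a decryption policy would expose."""
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


POSTING_PATHS = ("/api/comment", "/api/submit")   # assumed for illustration only


def classify_decrypted(request: bytes) -> str:
    """With the payload visible, method and path separate posting from browsing."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    host = headers.get("host", "").strip()
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return "web-browsing"
    if method == "POST" and path.startswith(POSTING_PATHS):
        return "reddit-posting"
    return "reddit-base"
```

The split matches the symptom in the question: with only the SNI in view, every reddit session looks like reddit-base, and the request that actually submits a comment is indistinguishable from one that reads a thread until the TLS session is opened by a decryption policy.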

L0 Member

Did you add an SSL profile to the decryption rules as well? If so, check which ciphers you've selected as being OK, because this can be a cause of the Palo dropping the SSL connection.

Also, if you are using Chrome, make sure you either disable the QUIC protocol or block it on the Palo. QUIC is HTTPS over UDP, which the Palo can't decrypt. This only affects Chrome, though, so also check with IE to see if the same issues occur.
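The QUIC point is worth a concrete check. The following added example (mine, not from the reply above or from Palo Alto Networks) parses the long header defined in RFC 8999/RFC 9000 to decide whether a UDP datagram is QUIC, and shows a hypothetical rule evaluation that denies it so the browser retries over TCP/443, where the TLS session can be decrypted. The datagrams are constructed samples, and `policy_action` is a stand-in for the firewall's own rule matching, not PAN-OS code.

```python
QUIC_V1 = 0x00000001          # RFC 9000
QUIC_V2 = 0x6B3343CF          # RFC 9369
MAX_CID_LEN = 20              # RFC 8999 connection ID limit

# Constructed sample: an ordinary DNS query for www.reddit.com, i.e. UDP that is not QUIC.
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x03www\x06reddit\x03com\x00\x00\x01\x00\x01")


def quic_version(datagram: bytes):
    """Return the version field of a QUIC long-header packet, or None.

    Long header (RFC 8999): byte 0 with form bit 0x80 set, a 4-byte version,
    DCID length + DCID, SCID length + SCID. Short (1-RTT) headers carry no
    version and cannot be recognised this way; they only ever follow an
    Initial packet, which is what a rule needs to catch.
    """
    if len(datagram) < 7 or not datagram[0] & 0x80:
        return None
    version = int.from_bytes(datagram[1:5], "big")
    if version != 0 and not datagram[0] & 0x40:
        return None                       # fixed bit is 1 except in Version Negotiation
    dcid_len = datagram[5]
    if dcid_len > MAX_CID_LEN or len(datagram) < 7 + dcid_len:
        return None
    scid_len = datagram[6 + dcid_len]
    if scid_len > MAX_CID_LEN or len(datagram) < 7 + dcid_len + scid_len:
        return None
    return version


def is_quic(datagram: bytes) -> bool:
    """True for QUIC v1, v2, IETF draft versions (0xff0000xx) and Version Negotiation."""
    v = quic_version(datagram)
    return v is not None and (v in (QUIC_V1, QUIC_V2) or v == 0 or (v >> 8) == 0xFF0000)


def build_quic_initial(version: int, dcid: bytes) -> bytes:
    """Constructed sample Initial packet: a real header followed by padding
    instead of a CRYPTO frame, which is enough for header classification."""
    first = 0xC0 if version == QUIC_V1 else 0xD0     # long|fixed|Initial type (v1: 00, v2: 01)
    return (bytes([first]) + version.to_bytes(4, "big")
            + bytes([len(dcid)]) + dcid + b"\x00"     # DCID, then SCID length 0
            + b"\x00"                                 # token length 0 (varint)
            + b"\x40\x20" + b"\x00" * 32)             # length varint 32, padding


def policy_action(proto: str, dst_port: int, payload: bytes) -> str:
    """Hypothetical rule match: deny anything identified as QUIC so the browser
    falls back to TCP/443, which the decryption policy can open. "allow" here
    only means "not matched by this rule"; later rules would still apply."""
    if proto == "udp" and is_quic(payload):
        return "deny"
    return "allow"
```

Chrome and other HTTP/3 clients fall back to TCP when their UDP attempts get no answer, so a deny rule on the QUIC application is enough to bring those sessions back into a decryptable TLS-over-TCP flow. On managed Windows or macOS endpoints the same effect can be had client-side with Chrome's `QuicAllowed` enterprise policy set to false.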
