This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption and Reddit Posting

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption and Reddit Posting

nreynders
L1 Bithead

‎01-29-2021 10:19 AM

Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) and only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.

 

Now, users are still limited from messaging/chat/etc... but can post comments and new threads on the site.

 

This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :

1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?

2. Why do I no longer see "reddit-posting" in my logs?

3. What can SSL decryption do--or can't do--to help me solve this issue?

4. Is this a more-so a question about how PA identifies appids for reddit?

0 Likes Likes
4 REPLIES 4

Brandon_Wertz
L6 Presenter

‎01-29-2021 01:39 PM

@nreynders wrote:

Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) and only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.

 

Now, users are still limited from messaging/chat/etc... but can post comments and new threads on the site.

 

This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :

1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?

2. Why do I no longer see "reddit-posting" in my logs?

3. What can SSL decryption do--or can't do--to help me solve this issue?

4. Is this a more-so a question about how PA identifies appids for reddit?

 

When you built the policy last year and it worked with the proper APP-ID being identified had SSL decryption been configured?  In general the answer is always going to be, yes, to ensure proper application of policy and identify traffic as the right APP-ID SSL decryption will always be looked at needing to be deployed.  SSL decryption breaks open the SSL/TLS packets exposing the encrypted payload.  APP-ID is going to be based on being able to properly see a packets contents/payload.  So if the packet is encrypted there's certainly going to be a limitation of Palo's ability to apply the correct application to traffic traversing the firewall. 

0 Likes Likes
(1)

brianpauler
L0 Member

‎07-16-2021 11:10 PM

Did you add a ssl profile to the decryption rules as well? If so, check which ciphers you've selected as being ok, because this can be a cause of the Palo dropping the SSL connection.

Also if you are using Chrome, make sure you either disable the Quic protocol or block it on the Palo. Quic is Https over UDP, which the Palo can't decrypt. This only affects chrome though, so also check with IE to see if the same issues occur.

0 Likes Likes
(1)

nreynders
L1 Bithead
In response to Brandon_Wertz

‎10-20-2021 07:21 AM

As an update, we've implemented full SSL decryption since my original post for users, and now the issue persists by having all reddit related web traffic come through as "reddit-base". Previously--when first implemented--"reddit-posting" app-id would appear and function normally. By excluding this from our allow rule we could prevent users from messaging, signing in, commenting, etc... seems to not be the case anymore.

 

I opened a case with PA and they let me know this is a known issue being tracked as bug id CON-50447 but I don't have much more information than that. They are able to reproduce on their end, so hopefully some additional visibility will help.

0 Likes Likes

nreynders
L1 Bithead
In response to brianpauler

‎10-20-2021 07:25 AM

Thanks for the additional info here! I have noticed Quic protocol coming through, but I can also replicate the issue on IE and Firefox.

 

We implemented SSL decryption for our users since the time of my first post, now all reddit related traffic comes through as "reddit-base", still no reddit-posting. PA verified that they can replicate the bug on their end, said they are looking into it with CON-50447.

0 Likes Likes
  • 3171 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks