SSL Decryption and Reddit Posting



L1 Bithead

Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) and only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.

 

Now, users are still limited from messaging/chat/etc... but can post comments and new threads on the site.

 

This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering :

1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?

2. Why do I no longer see "reddit-posting" in my logs?

3. What can SSL decryption do--or can't do--to help me solve this issue?

4. Is this more so a question about how PA identifies App-IDs for reddit?


L6 Presenter

When you built the policy last year, and it worked with the proper App-ID being identified, had SSL decryption been configured? In general the answer is always going to be yes: to ensure proper application of policy and to identify traffic as the right App-ID, SSL decryption will always need to be deployed. SSL decryption breaks open the SSL/TLS packets, exposing the encrypted payload. App-ID is based on being able to properly see a packet's contents/payload. So if the packet is encrypted, there is certainly going to be a limitation on Palo's ability to apply the correct application to traffic traversing the firewall.

L0 Member

Did you add an SSL decryption profile to the decryption rules as well? If so, check which ciphers you have selected as acceptable, because this can be a cause of the Palo dropping the SSL connection.

Also, if you are using Chrome, make sure you either disable the QUIC protocol or block it on the Palo. QUIC is HTTPS over UDP, which the Palo can't decrypt. This only affects Chrome though, so also check with IE to see if the same issues occur.
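The two replies above describe one policy shape: decrypt the reddit traffic so App-ID can see the payload, deny QUIC so Chrome falls back to TCP/TLS that the forward proxy can actually decrypt, and then allow only reddit-base. The following PAN-OS CLI "set" commands are an added example of that shape and are not from the thread or from Palo Alto Networks; the zone names (trust, untrust), the rule names, and the decryption profile name Reddit-Decrypt-Profile are assumptions, and the exact syntax should be checked against your PAN-OS version before committing. Note that the original poster later reports that even with full decryption the traffic still arrives as reddit-base and that PA is tracking it as a bug, so this configuration addresses the visibility prerequisites, not that defect.

```text
# Added example, not from the thread. Zone names, rule names and the
# decryption profile name are assumptions; verify against your PAN-OS release.
configure

# 1. Deny QUIC so Chrome falls back to TLS over TCP, which ssl-forward-proxy can decrypt.
set rulebase security rules Block-QUIC from trust to untrust source any destination any source-user any category any application quic service application-default action deny
set rulebase security rules Block-QUIC log-end yes

# 2. Decrypt the social-networking category (covers reddit) so App-ID can inspect the payload.
#    Reddit-Decrypt-Profile is an assumed decryption profile; review its allowed ciphers,
#    since an over-restrictive cipher list makes the firewall drop the TLS session.
set rulebase decryption rules Decrypt-Social from trust to untrust source any destination any category social-networking service any action decrypt type ssl-forward-proxy profile Reddit-Decrypt-Profile

# 3. Allow read-only reddit: only reddit-base is listed, so reddit-posting does not match here.
set rulebase security rules Allow-Reddit-Read from trust to untrust source any destination any source-user any category social-networking application reddit-base service application-default action allow
set rulebase security rules Allow-Reddit-Read log-end yes

# 4. Explicit deny for reddit-posting, logged, so the App-ID shows up in the traffic log
#    when it is identified (useful evidence when opening a case about missing App-IDs).
set rulebase security rules Deny-Reddit-Post from trust to untrust source any destination any source-user any category any application reddit-posting service application-default action deny
set rulebase security rules Deny-Reddit-Post log-end yes

# Evaluate the QUIC deny before any broader allow rules.
move rulebase security rules Block-QUIC top

commit
```

After committing, filter the traffic log on the reddit destination and compare the app column against the rule that matched: sessions logged as web-browsing or reddit-base under Allow-Reddit-Read while a post succeeds indicate App-ID is not re-classifying the decrypted session, which is the symptom the thread ends up attributing to a bug rather than to policy.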

As an update, we have implemented full SSL decryption for users since my original post, and the issue persists: all reddit-related web traffic now comes through as "reddit-base". Previously, when first implemented, the "reddit-posting" App-ID would appear and function normally. By excluding it from our allow rule we could prevent users from messaging, signing in, commenting, etc. This no longer seems to be the case.

 

I opened a case with PA and they let me know this is a known issue being tracked as bug ID CON-50447, but I don't have much more information than that. They are able to reproduce it on their end, so hopefully some additional visibility will help.

Thanks for the additional info here! I have noticed the QUIC protocol coming through, but I can also replicate the issue on IE and Firefox.

 

We implemented SSL decryption for our users after my first post; now all reddit-related traffic comes through as "reddit-base", still no reddit-posting. PA verified that they can replicate the bug on their end and said they are looking into it under CON-50447.
