This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL decryption issue for Windows Store

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL decryption issue for Windows Store

Go to solution
Farzana
L4 Transporter

‎05-03-2018 11:45 PM

Hello,

 

After enabling SSL Decryption, we cannot download from Windows store. Getting error below.

Tried excluding hostname with Microsoft but no luck. How to fix this issue?

 

Error-windows-store.jpgexclude-store-list-decrypt.JPG

 

 

Thanks in advance.

4 people had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Remo
L7 Applicator

‎05-04-2018 08:58 AM

I am not sure if these are still all required exceptions but it is worth a try:

Screenshot_20180504-175517.jpg

View solution in original post

14 REPLIES 14

Go to solution
Remo
L7 Applicator

‎05-04-2018 08:58 AM

I am not sure if these are still all required exceptions but it is worth a try:

Screenshot_20180504-175517.jpg

Go to solution
Timotheous
L1 Bithead

‎12-16-2019 01:21 PM

fe3cr.delivery.mp.microsoft.com  is another.

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to Remo

‎12-16-2019 09:20 PM

what is the reason we need to allow all the hosts?

if we allow *.microsoft.com why does it not work then?

Curious to know the reason behind this?

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
Timotheous
L1 Bithead
In response to MP18

‎12-17-2019 09:23 AM

We (PA support) tested *.microsoft.com in url category and a policy.  That did not work.

We then added *.microsoft.com to the ssl decryption exception list.  Still no joy.

We then added the specific fe3cr.delivery.mp.microsoft.com url.  And Success.

0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to MP18

‎12-17-2019 11:32 AM

@MP18 this is actually a goos question. From my side I can only say, that I did not test with *.microsoft.com as the requirement was to configure exceptions as accurate as possible.

 

Unfortunetely with these exact URLs there is the downside that - as we found out - they change with (not all) new microsoft versions of windows 10.

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to Remo

‎12-17-2019 08:54 PM

I have seen this behaviour with other websites where fix for us was to exempt  the source IP for decryption.

Seems *.url does not work in ssl exclusion  list.

 

This was not with single urls many urls and end devices were servers in data centre.

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
TahirA
L1 Bithead
In response to MP18

‎09-14-2020 12:07 AM

Hello there,

Would you mind to tell me the fix for the same if there is any changed recently to the same url. As I am being reported continuously for the store problem as you mentioned.

I will be waiting for your reply.

thanks

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to TahirA

‎09-15-2020 06:35 AM

Hi @TahirA 

 

We created the Decryption policy based on Source IP as exclusion list was not working on our PAN OS 8.1.9.

I do not know if PA has fixed this in newer PAN OS version.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
ericlwright
L0 Member

‎10-23-2020 09:12 AM

I just ran into this same issue and came across this thread.  Instead of just adding all of the FQDNs listed in the accepted solution, I took a packet capture and found connections to both of these FQDNS were having issues :

 

  • fe2cr.update.microsoft.com
  • fe3cr.delivery.mp.microsoft.com

I added the following wildcard FQDNs, which resolved the issue:

  • *.update.microsoft.com
  • *.delivery.mp.microsoft.com

Of course this could change in the future, but hopefully this helps someone.

Go to solution
magates
L2 Linker
In response to ericlwright

‎10-23-2020 10:32 AM

Adding those two wildcards to a no-decrypt policy took care of it for me as well. Thanks @ericlwright!

0 Likes Likes

Go to solution
TahirA
L1 Bithead
In response to ericlwright

‎10-23-2020 11:37 AM

 

HI Ericlwright

 

Can you share your PCAP experience-wm?

 

 

0 Likes Likes

Go to solution
TahirA
L1 Bithead
In response to ericlwright

‎10-26-2020 05:54 AM

 

 

HI Ericlwright

 

I added these two URLs to the SSL Decryption exceptions but still not working. any work around plz?

 


Thank you

0 Likes Likes

Go to solution
J_Wesolowski
L0 Member
In response to TahirA

‎12-15-2020 11:59 AM

I've had similar issues with AWS and facebook CDN sites and exemption doesn't seem to work properly. I am on 9.1.1 right now. Planning on bumping up to 10.0.4 to see whether the new decryption logging can help out troubleshooting this.

 

0 Likes Likes

Go to solution
prusiecki
L0 Member
In response to MP18

‎05-12-2021 07:35 AM

That's because the entry you listed will allow only a single-level sub-domain. A wildcard that would allow subdomains of that URL, in this case, would be *.delivery.mp.microsoft.com

0 Likes Likes
  • 1 accepted solution
  • 17182 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks