SSL-decryption slow
cancel
Showing results for 
Search instead for 
Did you mean: 

SSL-decryption slow

L4 Transporter

Hello,

So I have tested SSL decryption today, and I made it work. But for some reason some of the webpages that are being decrypted are extremely slow. Facebook and even support.paloaltonetworks.com are two of them.

I exported a CA certificate from our AD and imported it into the PA as described in a document I found on the knowledgebase.

Look at the attached file for my configuration.

One more thing that is not working is the "block" page when I try to download the eicar test virus file via https.

I can see in the monitor/threat that the file is being blocked but I do not get the block page. Works if I open the eicar virus file via http.

Any suggestions on what the problem can be?

This is an PA-500 with sw version 4.0.3

Jo Christian

/Jo Christian
14 REPLIES 14

The Common Name says www.facebook.com so it shouldnt be that.

However Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isnt recognized by PA as a visit to Facebook?

Is the blockpage not visible even if you do SSL termiantion (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?

Hi,

I have the same issue with other sites like www.flickr.com. Accessing flickr in http, the block page is displaying and trying to access the same page in https, no block page is displaying. As SSL Termination, I’m using ssl-forward-proxy.

L4 Transporter

I have experienced the same issue with block pages and https. From the cli run the following commands:

config

set deviceconfig setting ssl-decrypt url-proxy yes


This blocks ssl pages, but shows ip:port and category as any in the traffic log.


Ben

Benjamin,

Blocks ssl pages and display the block page?

@BPERE

Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.

Ben

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!