So I have tested SSL decryption today, and I made it work. But for some reason some of the webpages that are being decrypted are extremely slow. Facebook and even support.paloaltonetworks.com are two of them.
I exported a CA certificate from our AD and imported it into the PA as described in a document I found on the knowledgebase.
Look at the attached file for my configuration.
One more thing that is not working is the "block" page when I try to download the eicar test virus file via https.
I can see in the monitor/threat that the file is being blocked but I do not get the block page. Works if I open the eicar virus file via http.
Any suggestions on what the problem can be?
This is a PA-500 with sw version 4.0.3.
The Common Name says www.facebook.com so it shouldn't be that.
However, Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isn't recognized by PA as a visit to Facebook?
Is the block page not visible even if you do SSL termination (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?
Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.