07-21-2011 04:38 AM
So I have tested SSL decryption today, and I made it work. But for some reason some of the webpages that are being decrypted are extremely slow. Facebook and even support.paloaltonetworks.com are two of them.
I exported a CA certificate from our AD and imported it into the PA as described in a document I found on the knowledgebase.
Look at the attached file for my configuration.
One more thing that is not working is the "block" page when I try to download the eicar test virus file via https.
I can see in the monitor/threat that the file is being blocked but I do not get the block page. Works if I open the eicar virus file via http.
Any suggestions on what the problem can be?
This is an PA-500 with sw version 4.0.3
07-22-2011 01:22 AM
I have a similar install than you, but I don't put URL categories filters in decrypt rules (I left it to 'Any') and it works like a charm.
Also are you using some user identification? May be with a captive portal ?
07-22-2011 02:01 AM
I also have a similar setup to yourself, but I've found that SSL decryption can be very slow on some website including the PAN support portal. I've had to put a rule in to not decrypt the effected websites and the performace then returns.
Can anyone from PAN explain why these performance issues are happening and what else (other than not to decrypt them) can be done to fix it.
I've used other web scanning products with SSL decryption and I've not experienced these sort of performance issues before.
07-22-2011 02:15 AM
Yes I have tried setting the categories filter to "Any", but it's still a problem.
How does your setup work against https://facebook.com? Take minutes for my setup to open it up when ssl decrypt is enabled.
Yes we use user identification (but not captive portal).
07-22-2011 02:20 AM
Only website that shows slowness for my users with decryption enabled is Google Mail and only with Chrome (IE & Firefox are ok).
I have a support ticket opened for that.
07-22-2011 04:53 AM
So I tested with IE and it things seems to be abit smoother. I always use Chrome.
But what can be the reason for this?
Btw does the block page work for you when trying to open https://secure.eicar.org/eicar_com.zip ?
If antivirus profile is enabled. I see in the log that the file is blocked but I don't get the webpage.
Chrome just hang trying to load the "page/file".
Work as it should if I try to download the file when not using ssl/https.
07-22-2011 06:27 AM
Ok I confirm Block page is not appearing while it does on non SSL one.
08-03-2011 02:23 AM
Did you retry since 4.0.4 was released ? It has some SSL fixes in release notes ...
07-06-2012 07:35 AM
Any news about this issue?
Block-Page didn't display if trying to access https webpages .
http://www.facebook.com --> Block page is displaying
https://www.facebook.com --> No block page is displaying
Im using version 4.1.4
07-06-2012 09:17 AM
I have the no block page on ssl issue as well
4.0.9 - 4020
07-07-2012 07:18 AM
The Common Name says www.facebook.com so it shouldnt be that.
However Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isnt recognized by PA as a visit to Facebook?
Is the blockpage not visible even if you do SSL termiantion (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)?
07-09-2012 01:19 AM
I have the same issue with other sites like www.flickr.com. Accessing flickr in http, the block page is displaying and trying to access the same page in https, no block page is displaying. As SSL Termination, I’m using ssl-forward-proxy.
07-09-2012 05:20 AM
I have experienced the same issue with block pages and https. From the cli run the following commands:
set deviceconfig setting ssl-decrypt url-proxy yes
This blocks ssl pages, but shows ip:port and category as any in the traffic log.
07-10-2012 01:53 AM
Blocks ssl pages and display the block page?
07-10-2012 05:58 AM
Sorry, this is not part of the blocking of the https web page. The blocking is still performed by the URL Filtering engine. It does allow the Palo Alto firewall to display the block page rather than a default browser error page. In the URL filtering log it will display the ip:port rather than https://www.facebook.com.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!