SSL Decryption

DaniloBarbosa · ‎02-04-2019

Hi guys,

Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles and that explain how Decryption policy works and how to set it up. I have checked and double checked my setting and I cannot make facebook.com for instance work when I enable the Decryption.

Here are the rules:Decryption RulesSecurity RulesCan you guys see any mistake on my settings?

Cheers

Danilo

kiwi · ‎02-04-2019

Hi @DaniloBarbosa,

Am I missing something because I don't see you allowing the facebook app in your policy which is what you're trying to achieve in your example ... correct ? I see you only allowing ssl and web-browsing.

Also your policy order seems incorrect as you have a block all rule in front of your allow ssl and web-browsing rule as far as I see it, preventing you from ever hitting your allow rule.

Cheers !

-Kim.

DaniloBarbosa · ‎02-04-2019

Hi kiwi,

Basically I was using "User ID" before remove the users from user tab and take a screen shot for this post. So the Rule number 3 was blocking Internet access for a specific user and the rule 4 was allowing access to everyone else inside the windows domain. I did remove the users but I forgot to disable rule 3. Check the new screen shot. ;)

Rule 3 disabled and rule 4 allowing HTTP and HTTPS

Another think that I haven't explained. I am allowing full Internet access, but I want to see the Palo decrypting facebook page. So on the Decryption rule 1 (OUTBOUND) I am olny decrypting "social-networking" that included Facebook.

Decryption Solical-networking

The main goal here is just to see the PALO working as Man-in-the-middle, decrypting traffic between user and facebook page.

Cheers

gwesson · ‎02-04-2019

You will need to remove the "application-default" on that rule, because once the SSL is stripped and the underlying application is seen, it's still on port 443 which is not in the list of default ports on 'web-browsing'.

The logic may seem odd, but it follows this flow:

1. Traffic is identified as SSL when the Client Hello is seen.

2. Decryption starts here, and when the TLS handshake is completed the app-id switches from "SSL" to "Web-browsing".

3. Because the app has changed, it is re-evaluated in security policy. Since the app is web-browsing, but it's not on port 80 as defined in the app, rule 4 will be skipped.

4. The application has no matching rules, so it falls to the Interzone-default which denies the rest of that session.

SShnap · ‎02-08-2019

Hi @gwesson @DaniloBarbosa @kiwi

I think they should release an application list update, which add working port 443 for web-browsing application.

I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.

You need to create another policy to allow web-browsing application on 443 port.

BPry · ‎02-08-2019

@SShnap,

So here's the thing with what you are asking, it breaks the app-id for anyone that isn't decrypting traffic. So say for example the app-id is updated to allow tcp/443 in addition to the standard of tcp/80, for anyone that isn't decrypting traffic seeing web-browsing on tcp/443 would be a concern.

Because of that, the guide for enabling SSL-Decryption specifically calls out the fact that you'll see web-browsing on tcp/443. As you have to actively enable SSL-Decryption, it makes sense to break things for people who are actively enabling a new feature versus breaking things for everybody else.

SShnap · ‎02-08-2019

@BPry

Thank you for the reply,

So for the users who decrypting the traffic, do we need to create custom application for web-browsing on 443?

Because with the current situation I need to create another policy rule to allow web-browsing on 443.

I think it will be better to create new application like: Secure web-browsing.

BPry · ‎02-08-2019

@SShnap,

That would be more of a personal preference. If you want to build out a new application signature and create a new app-id for identifying traffic you can certaintly do so; however, with that being said most environments would bypass that and simply allow web-browsing on tcp/443 via a seperate policy.

danilo.padula · ‎02-11-2019

Hi @gwesson,

I did follow you advice and changes the service from "application-default" to "any" but it did not work.

Here is the Any on service tab for SSL and web-browsing.

SSL with Any on service tab.Then, I enabled the rule 5 (any application) but service TCP/443. Facebook access allowed like picture below. The rule basically says, any application on port 443 (TCP) is allowed.

HTTPS with TCP/443 service only.Another interesting point, the decryption rule is enable and very simple, but the certificate that I am getting is from facebook.com not the self generated by the firewall.

Decryption ruleSSL certificate for decryption rule

The decryption rule is not working because I should see the certificate from the firewall not from facebook. But let's not discuss this issue now, let's go back to the SSL/HTTPS issue.

My goal is create a rule that allow HTTPS (application) on its default port (443) and protocol (TCP) only, any other application on tcp/443 will be blocked or if https on any port that is not 443 will be blocked.

I don't want a generic rule allowing TCP on port 443, that would match any application.

Cheers

Danilo

danilo.padula · ‎02-11-2019

Hi @SShnap

I will try that. Maybe you gave me the answer and I didn't noticed...lol

Network Security

Cloud Security

Security Operations

SSL Decryption

SSL Decryption

Show your appreciation!