SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption

L1 Bithead

Hi guys,

Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles and that explain how Decryption policy works and how to set it up. I have checked and double checked my setting and I cannot make facebook.com for instance work when I enable the Decryption. 

 

Here are the rules:Decryption RulesDecryption RulesSecurity RulesSecurity RulesCan you guys see any mistake on my settings?

 

Cheers

Danilo

18 REPLIES 18

Community Team Member

Hi @DaniloBarbosa,

 

Am I missing something because I don't see you allowing the facebook app in your policy which is what you're trying to achieve in your example ... correct ?  I see you only allowing ssl and web-browsing.

 

Also your policy order seems incorrect as you have a block all rule in front of your allow ssl and web-browsing rule as far as I see it, preventing you from ever hitting your allow rule. 

 

Cheers !

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi 

 

 

Cheers

You will need to remove the "application-default" on that rule, because once the SSL is stripped and the underlying application is seen, it's still on port 443 which is not in the list of default ports on 'web-browsing'.

 

The logic may seem odd, but it follows this flow:

1. Traffic is identified as SSL when the Client Hello is seen.

2. Decryption starts here, and when the TLS handshake is completed the app-id switches from "SSL" to "Web-browsing".

3. Because the app has changed, it is re-evaluated in security policy. Since the app is web-browsing, but it's not on port 80 as defined in the app, rule 4 will be skipped.

4. The application has no matching rules, so it falls to the Interzone-default which denies the rest of that session.

Hi @gwesson@DaniloBarbosa@kiwi

 

I think they should release an application list update, which add working port 443 for web-browsing application.

 

I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.

 

You need to create another policy to allow web-browsing application on 443 port.

 

@SShnap,

So here's the thing with what you are asking, it breaks the app-id for anyone that isn't decrypting traffic. So say for example the app-id is updated to allow tcp/443 in addition to the standard of tcp/80, for anyone that isn't decrypting traffic seeing web-browsing on tcp/443 would be a concern. 

Because of that, the guide for enabling SSL-Decryption specifically calls out the fact that you'll see web-browsing on tcp/443. As you have to actively enable SSL-Decryption, it makes sense to break things for people who are actively enabling a new feature versus breaking things for everybody else. 

@BPry

Thank you for the reply,

 

So for the users who decrypting the traffic, do we need to create custom application for web-browsing on 443?

 

Because with the current situation I need to create another policy rule to allow web-browsing on 443.

 

I think it will be better to create new application like: Secure web-browsing.

 

@SShnap,

That would be more of a personal preference. If you want to build out a new application signature and create a new app-id for identifying traffic you can certaintly do so; however, with that being said most environments would bypass that and simply allow web-browsing on tcp/443 via a seperate policy. 

Hi @gwesson,

 

I did follow you advice and changes the service from "application-default" to "any" but it did not work. 

Here is the Any on service tab for SSL and web-browsing. 

 

SSL with Any on service tab.SSL with Any on service tab.Then, I enabled the rule 5 (any application) but service TCP/443. Facebook access allowed like picture below. The rule basically says, any application on port 443 (TCP) is allowed. 

 

HTTPS with TCP/443 service only.HTTPS with TCP/443 service only.Another interesting point, the decryption rule is enable and very simple, but the certificate that I am getting is from facebook.com not the self generated by the firewall. 

 

Decryption ruleDecryption ruleSSL certificate for decryption ruleSSL certificate for decryption rule

The decryption rule is not working because I should see the certificate from the firewall not from facebook. But let's not discuss this issue now, let's go back to the SSL/HTTPS issue. 

 

My goal is create a rule that allow HTTPS (application) on its default port (443) and protocol (TCP) only, any other application on tcp/443 will be blocked or if https on any port that is not 443 will be blocked. 

 

I don't want a generic rule allowing TCP on port 443, that would match any application. 

 

Cheers

Danilo

Hi @SShnap

I will try that. Maybe you gave me the answer and I didn't noticed...lol

@SShnap

 

Not yet SShnap, I cannot see what I am missing. 

Have you created an rule with application web-browsing and service-https that worked?

 

web-browsing with service-httpsweb-browsing with service-https

Hi @danilo.padula

 

Please check the logs if the traffic is being decrypted,

Pay attention, for Facebook site palo alto identify the application as facebook-base that's why it being blocked, for Facebook site you should add facebook-base for allowing it.

See my attachment, regular sites that palo alto identifies applicaiton as web-browsing will be match to that policy rule, if the site uses other application you need to allow that specific application.

 

firewall.jpg

 

It's still being blocked because you're only allowing 'web-browsing' and 'ssl'. Facebook has a large number of unique app-id definitions depending on what you're doing. From Applipedia:

 

facebook-apps.png

 

Start with a rule allowing all apps for yourself, then use the traffic log to see the list of apps seen by the firewall when you hit that rule. Then, you can create a more complete rule to allow only what you want.

Hi @SShnap

I cannot chekc the logs because it is a VM without license. I am testing the solution before invest some money on it. 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC

 

Cheers

 

 

Hi @gwesson

I thought the main facebook page would pass on the web-browsing rule (without login into facebook), then if I log in all the extra "Apps" would need another rule. 

 

I will give a try. 

 

  • 9213 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!