SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption

L1 Bithead

Hi guys,

Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles and that explain how Decryption policy works and how to set it up. I have checked and double checked my setting and I cannot make facebook.com for instance work when I enable the Decryption. 

 

Here are the rules:Decryption RulesDecryption RulesSecurity RulesSecurity RulesCan you guys see any mistake on my settings?

 

Cheers

Danilo

18 REPLIES 18

@SShnap wrote:

> I think they should release an application list update, which add working port 443 for web-browsing application.

>

> I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.

>

> You need to create another policy to allow web-browsing application on 443 port.

 

I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/app-default-strict....

 

Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update. 

@gwesson Do not hold your fingers. 🙂

Great news! Tks 

@gwesson

 

PANOS 9.0 will be great with this and policy optimization.

 

thank you.

@DaniloBarbosa,

 

The web-browsing application is like last resort application. web-browsing will be used only if the firewall fail to match any other application, while the traffic contain HTTP protocol. See below:

image.png

 

Palo Alto firewall will match facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall will may fail to match the more specfic facebook apps, but it still will know that it is facebook related.

 

Same goes for google, dropbox, twitter and many more well known services that Palo Alto has create application for it.

  • 9216 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!