Nowadays I am playing with a PA-VM (no license) and decryption policy. Basically there are many articles and that explain how Decryption policy works and how to set it up. I have checked and double checked my setting and I cannot make facebook.com for instance work when I enable the Decryption.
Here are the rules:Can you guys see any mistake on my settings?
Am I missing something because I don't see you allowing the facebook app in your policy which is what you're trying to achieve in your example ... correct ? I see you only allowing ssl and web-browsing.
Also your policy order seems incorrect as you have a block all rule in front of your allow ssl and web-browsing rule as far as I see it, preventing you from ever hitting your allow rule.
Basically I was using "User ID" before remove the users from user tab and take a screen shot for this post. So the Rule number 3 was blocking Internet access for a specific user and the rule 4 was allowing access to everyone else inside the windows domain. I did remove the users but I forgot to disable rule 3. Check the new screen shot. ;)
Another think that I haven't explained. I am allowing full Internet access, but I want to see the Palo decrypting facebook page. So on the Decryption rule 1 (OUTBOUND) I am olny decrypting "social-networking" that included Facebook.
The main goal here is just to see the PALO working as Man-in-the-middle, decrypting traffic between user and facebook page.
You will need to remove the "application-default" on that rule, because once the SSL is stripped and the underlying application is seen, it's still on port 443 which is not in the list of default ports on 'web-browsing'.
The logic may seem odd, but it follows this flow:
1. Traffic is identified as SSL when the Client Hello is seen.
2. Decryption starts here, and when the TLS handshake is completed the app-id switches from "SSL" to "Web-browsing".
3. Because the app has changed, it is re-evaluated in security policy. Since the app is web-browsing, but it's not on port 80 as defined in the app, rule 4 will be skipped.
4. The application has no matching rules, so it falls to the Interzone-default which denies the rest of that session.
I think they should release an application list update, which add working port 443 for web-browsing application.
I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.
You need to create another policy to allow web-browsing application on 443 port.
So here's the thing with what you are asking, it breaks the app-id for anyone that isn't decrypting traffic. So say for example the app-id is updated to allow tcp/443 in addition to the standard of tcp/80, for anyone that isn't decrypting traffic seeing web-browsing on tcp/443 would be a concern.
Because of that, the guide for enabling SSL-Decryption specifically calls out the fact that you'll see web-browsing on tcp/443. As you have to actively enable SSL-Decryption, it makes sense to break things for people who are actively enabling a new feature versus breaking things for everybody else.
Thank you for the reply,
So for the users who decrypting the traffic, do we need to create custom application for web-browsing on 443?
Because with the current situation I need to create another policy rule to allow web-browsing on 443.
I think it will be better to create new application like: Secure web-browsing.
That would be more of a personal preference. If you want to build out a new application signature and create a new app-id for identifying traffic you can certaintly do so; however, with that being said most environments would bypass that and simply allow web-browsing on tcp/443 via a seperate policy.
I did follow you advice and changes the service from "application-default" to "any" but it did not work.
Here is the Any on service tab for SSL and web-browsing.
Then, I enabled the rule 5 (any application) but service TCP/443. Facebook access allowed like picture below. The rule basically says, any application on port 443 (TCP) is allowed.
Another interesting point, the decryption rule is enable and very simple, but the certificate that I am getting is from facebook.com not the self generated by the firewall.
The decryption rule is not working because I should see the certificate from the firewall not from facebook. But let's not discuss this issue now, let's go back to the SSL/HTTPS issue.
My goal is create a rule that allow HTTPS (application) on its default port (443) and protocol (TCP) only, any other application on tcp/443 will be blocked or if https on any port that is not 443 will be blocked.
I don't want a generic rule allowing TCP on port 443, that would match any application.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!