SSL Decryption

L1 Bithead



Not yet SShnap, I cannot see what I am missing. 

Have you created a rule with application web-browsing and service-https that worked?


web-browsing with service-https

L3 Networker

Hi @danilo.padula


Please check the logs if the traffic is being decrypted,

Pay attention: for the Facebook site, Palo Alto identifies the application as facebook-base; that's why it is being blocked. For the Facebook site you should add facebook-base to allow it.

See my attachment: regular sites that Palo Alto identifies with the application web-browsing will match that policy rule; if the site uses another application you need to allow that specific application.



L7 Applicator


It's still being blocked because you're only allowing 'web-browsing' and 'ssl'. Facebook has a large number of unique app-id definitions depending on what you're doing. From Applipedia:




Start with a rule allowing all apps for yourself, then use the traffic log to see the list of apps seen by the firewall when you hit that rule. Then, you can create a more complete rule to allow only what you want.

L1 Bithead

Hi @SShnap

I cannot check the logs because it is a VM without a license. I am testing the solution before investing some money in it.





L1 Bithead

Hi @gwesson

I thought the main Facebook page would pass on the web-browsing rule (without logging into Facebook), then if I log in all the extra "Apps" would need another rule.


I will give it a try.


L7 Applicator

@SShnap wrote:

> I think they should release an application list update, which add working port 443 for web-browsing application.


> I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.


> You need to create another policy to allow web-browsing application on 443 port.


I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this:


Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update. 

L1 Bithead

@gwesson Do not hold your fingers. :)

Great news! Tks 

L3 Networker



PANOS 9.0 will be great with this and policy optimization.


thank you.

L4 Transporter



The web-browsing application is like a last-resort application. web-browsing will be used only if the firewall fails to match any other application while the traffic contains the HTTP protocol. See below:



The Palo Alto firewall will match the facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall may fail to match the more specific facebook apps, but it still will know that it is facebook related.


The same goes for Google, Dropbox, Twitter and many more well-known services that Palo Alto has created applications for.
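To make the two behaviours discussed in this thread concrete (web-browsing as the fallback App-ID for HTTP traffic that matches nothing more specific, and the PAN-OS 9.0 change where an application-default rule also accepts a decrypted app's known secure port), here is a small toy model of App-ID identification and first-match rule evaluation. This is an added illustration and not PAN-OS code or anything from Palo Alto Networks; the app table, SNI-to-app mapping, `Flow`/`Rule` classes and the `panos_major` switch are all constructed assumptions for the example.

```python
"""Toy model of App-ID identification and security-rule evaluation.

Added illustration, not PAN-OS code. It models three points from the
thread: (1) web-browsing is the last-resort app for HTTP traffic that
matches no more specific signature, (2) an undecrypted HTTPS flow is
identified as 'ssl' unless a well-known SNI names a specific app, and
(3) in the PAN-OS 9.0 behaviour described above, 'application-default'
also accepts an app's known secure port when the flow was decrypted.
The app table and SNI list below are constructed for the example.
"""

from dataclasses import dataclass

# Constructed app table: standard ports plus the "secure" port that the
# 9.0 behaviour honours for application-default on decrypted flows.
APP_PORTS = {
    "web-browsing": {"default": {80}, "secure": {443}},
    "ssl": {"default": {443}, "secure": set()},
    "facebook-base": {"default": {80, 443}, "secure": set()},
}

# Constructed SNI-to-app mapping standing in for App-ID signatures that
# fire on the TLS handshake before any decryption takes place.
SNI_APPS = {
    "www.facebook.com": "facebook-base",
}


@dataclass
class Flow:
    dst_port: int
    sni: str = ""            # TLS server name, empty for plain HTTP
    decrypted: bool = False  # True if an SSL decryption policy applied
    http_app_hint: str = ""  # specific app seen inside decrypted HTTP, if any


@dataclass
class Rule:
    name: str
    apps: set
    service: object  # "application-default" or a set of ports
    action: str = "allow"


def identify_app(flow: Flow) -> str:
    """Return the App-ID the toy model would assign to a flow."""
    if flow.sni in SNI_APPS:
        return SNI_APPS[flow.sni]      # matched on SNI, decrypted or not
    if flow.sni and not flow.decrypted:
        return "ssl"                   # opaque TLS, nothing more specific
    if flow.http_app_hint:
        return flow.http_app_hint      # a specific HTTP-based app matched
    return "web-browsing"             # last-resort HTTP application


def ports_for(app: str, decrypted: bool, panos_major: int) -> set:
    """Ports that 'application-default' accepts for an app."""
    entry = APP_PORTS[app]
    ports = set(entry["default"])
    if panos_major >= 9 and decrypted:
        ports |= entry["secure"]      # the 9.0 change: known secure port
    return ports


def rule_matches(rule: Rule, app: str, flow: Flow, panos_major: int) -> bool:
    if app not in rule.apps:
        return False
    if rule.service == "application-default":
        return flow.dst_port in ports_for(app, flow.decrypted, panos_major)
    return flow.dst_port in rule.service


def evaluate(policy: list, flow: Flow, panos_major: int) -> tuple:
    """First matching rule wins; no match means the implicit deny."""
    app = identify_app(flow)
    for rule in policy:
        if rule_matches(rule, app, flow, panos_major):
            return app, rule.name, rule.action
    return app, "<implicit>", "deny"


if __name__ == "__main__":
    policy = [Rule("allow-web", {"web-browsing", "ssl"}, "application-default")]
    generic = Flow(dst_port=443, sni="example.com", decrypted=True)
    facebook = Flow(dst_port=443, sni="www.facebook.com", decrypted=True)
    for major in (8, 9):
        print(major, evaluate(policy, generic, major), evaluate(policy, facebook, major))
```

Running it shows the decrypted generic site falling through to web-browsing on 443 and hitting the implicit deny under the pre-9.0 port model but the allow rule under the 9.0 model, while the Facebook flow is identified as facebook-base and is denied in both cases until that app is added to the rule.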
