SSL Decryption

danilo.padula
L1 Bithead

@SShnap

Not yet SShnap, I cannot see what I am missing.

Have you created a rule with application web-browsing and service-https that worked?

web-browsing with service-https

SShnap
L3 Networker

Hi @danilo.padula

Please check the logs to see if the traffic is being decrypted.

Pay attention: for the Facebook site, Palo Alto identifies the application as facebook-base; that's why it is being blocked. For the Facebook site you should add facebook-base to allow it.

See my attachment: regular sites where Palo Alto identifies the application as web-browsing will be matched to that policy rule; if the site uses another application you need to allow that specific application.

firewall.jpg

gwesson
L7 Applicator

It's still being blocked because you're only allowing 'web-browsing' and 'ssl'. Facebook has a large number of unique app-id definitions depending on what you're doing. From Applipedia:

facebook-apps.png

Start with a rule allowing all apps for yourself, then use the traffic log to see the list of apps seen by the firewall when you hit that rule. Then, you can create a more complete rule to allow only what you want.

DaniloBarbosa
L1 Bithead

Hi @SShnap

I cannot check the logs because it is a VM without a license. I am testing the solution before investing some money in it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC

Cheers

DaniloBarbosa
L1 Bithead

Hi @gwesson

I thought the main Facebook page would pass on the web-browsing rule (without logging into Facebook), and then if I log in all the extra "Apps" would need another rule.

I will give it a try.

gwesson
L7 Applicator

@SShnap wrote:

> I think they should release an application list update, which adds working port 443 for the web-browsing application.
>
> I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so a policy rule that allows web-browsing on application-default will not work, because the application-default is 80.
>
> You need to create another policy to allow the web-browsing application on port 443.

I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/app-default-strict....

Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update.
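To make the application-default behaviour discussed in this thread concrete, here is an added Python model (not from the thread and not Palo Alto Networks code) of why a web-browsing rule with service application-default fails on decrypted 443 traffic before 9.0 and matches once the known-secure-port list applies. The app list for 9.0 is the one gwesson quotes; the port numbers for the non-web apps, the facebook-base ports and the pre-9.0 version used as default are my assumptions.

```python
from dataclasses import dataclass, field

# Port each App-ID is allowed on under service "application-default".
# web-browsing=80 and ssl=443 come from the thread; facebook-base is assumed.
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
    "facebook-base": {80, 443},  # assumption
}

# PAN-OS 9.0 "known secure ports": once traffic is decrypted these apps also
# match application-default on their TLS port. App list per the thread;
# the port numbers are the conventional ones and are assumed here.
SECURE_PORTS_9_0 = {
    "web-browsing": {443},
    "smtp": {465},
    "ftp": {990},
    "ldap": {636},
    "pop3": {995},
    "imap": {993},
}


@dataclass
class Rule:
    apps: set                                # App-IDs the rule allows
    service: str                             # "application-default" or a service object name
    ports: set = field(default_factory=set)  # ports of that explicit service object


def service_matches(rule, app, port, decrypted, panos):
    """Does the rule's service column accept this app on this port?"""
    if rule.service != "application-default":
        return port in rule.ports  # explicit service (e.g. service-https) is port-only
    allowed = set(APP_DEFAULT_PORTS.get(app, set()))
    if decrypted and panos >= (9, 0):
        allowed |= SECURE_PORTS_9_0.get(app, set())
    return port in allowed


def rule_allows(rule, app, port, decrypted, panos=(8, 1)):
    """True when a session identified as `app` on `port` matches `rule`.
    `panos` defaults to an assumed pre-9.0 release to show the old behaviour."""
    return app in rule.apps and service_matches(rule, app, port, decrypted, panos)


if __name__ == "__main__":
    allow_web = Rule({"web-browsing", "ssl"}, "application-default")
    # Decrypted HTTPS to a plain site is identified as web-browsing on 443.
    print(rule_allows(allow_web, "web-browsing", 443, decrypted=True))               # False
    print(rule_allows(allow_web, "web-browsing", 443, decrypted=True, panos=(9, 0)))  # True
    print(rule_allows(allow_web, "facebook-base", 443, decrypted=True, panos=(9, 0))) # False
```

The last call shows the separate point made by SShnap and gwesson: even on 9.0, Facebook traffic is identified as facebook-base, so a rule that only lists web-browsing and ssl still blocks it.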

DaniloBarbosa
L1 Bithead

@gwesson Do not hold your fingers. :)

Great news! Tks 

SShnap
L3 Networker

@gwesson

PANOS 9.0 will be great with this and policy optimization.

Thank you.

AlexanderAstardzhiev
L4 Transporter

@DaniloBarbosa,

The web-browsing application is like a last-resort application. web-browsing will be used only if the firewall fails to match any other application while the traffic contains the HTTP protocol. See below:

image.png

The Palo Alto firewall will match the facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall may fail to match the more specific Facebook apps, but it will still know that it is Facebook related.

The same goes for Google, Dropbox, Twitter and many more well-known services that Palo Alto has created applications for.
